A helpful addition to this could be (optionally) scheduling an NSTimer to refresh the access token a handful of seconds short of its expiry. We would have a good opportunity to schedule a non-repeating timer at the time that the credential is received and subsequently stored in the keychain.

This would give users a good first defense of their tokens expiring without incurring the overhead of refreshing the token on the "read path". It's obviously not foolproof as entering the background will obviate the timer firing, but ostensibly the user will need to handle this case anyway.

My hunch is that scheduling the timer on the run loop of the AFOAuth2Client would be fine, but we could present the user the option if it was really necessary.

This is separate of trying to catch 401 Unauthorized errors and refresh in the user's primary http client as this is rightly left to the user. I think the pushback presented here is completely valid and also exclusive of this idea.

Would be happy to draft up a pull request if there is interest/not-disgust.

I realize there are multiple issues open for AFNetworking 2.0 compatibility but it seems that there isn't much activity or interest in merging those patches. Is there any specific reason that these patches aren't acceptable?

I am developing a library/podspec that depends on both AFNetworking and AFOAuth2Client and I am worried that end users of the library may experience AFNetworking version conflicts. As far as I know, it isn't possible for me to point to an "unofficial" version of AFOAuth2Client in my podspec, so for now I guess I am limited to AFNetworking 1.3.x until the official podspec is updated as well.

Does anyone have an example code of how to use AFOAuth2Manager to connect with Google?
Best

The OAuth2 Spec strongly recommends AGAINST sending the client ID and secret in the body of the request for confidential clients (ie 2-legged auth, ie user/password and client-credential grant types, ie sections 4.3 and 4.4 of the spec)

Instead it recommends using HTTP basic auth as a bare minimum, implemented as (pseudocode):

Authorization: 'Basic' + Base64Encode(client_id + ':' + client_secret)

i.e. using the client_id as the username and the secret as the password

I checked that this worked with a default OAuth2 server (flask_oauthlib) as follows (in 'init'):

[self setDefaultHeader:@"Authorization" value:[NSString stringWithFormat:@"Basic %@", [[NSString stringWithFormat:@"%@:%@",clientID,secret] base64EncodedString]]];

With no extra server functionality this allowed auth with the server. We should consider this instead of sending the client_id and secret in the body for these kinds of grants.

Furthermore, the spec allows extension to many types of HTTP auth (http://tools.ietf.org/html/rfc6749#section-2.3.2). This would be a significant extension to support though.

When using cocoapods, the default version is 2.2.0 (even though the podspec version is 2.2.1) which unfortunately doesn't have changes included in this pull request: #100

the workaround if using cocoapods

pod 'AFOAuth2Manager', :git => "https://github.com/AFNetworking/AFOAuth2Manager.git"

From the latest version of the spec:

1.3.1. Authorization Code

The authorization code is obtained by using an authorization server
as an intermediary between the client and resource owner. Instead of
requesting authorization directly from the resource owner, the client
directs the resource owner to an authorization server (via its user-
agent as defined in [RFC2616]), which in turn directs the resource
owner back to the client with the authorization code.

Before directing the resource owner back to the client with the
authorization code, the authorization server authenticates the
resource owner and obtains authorization. Because the resource owner
only authenticates with the authorization server, the resource
owner's credentials are never shared with the client.

The authorization code provides a few important security benefits
such as the ability to authenticate the client, and the transmission
of the access token directly to the client without passing it through
the resource owner's user-agent, potentially exposing it to others,
including the resource owner.

The auth code grant type is used by all Google services, and would be awesome to have in this project.

If I don't get around to writing this addition, hopefully someone else will, and work on it!

It seems to me that for permanent expiration dates the following method is not setting the expiration date correctly ...

[credential setRefreshToken:refreshToken expiration:[NSDate dateWithTimeIntervalSinceNow:[[responseObject valueForKey:@"expires_in"] integerValue]]];

It's working when changing the integerValue call to doubleValue aka NSTimeInterval

Following [self setAuthorizationHeaderWithCredential:credential]; if the server invalidates the token, another call to authenticate will cause a failure from the server due to trying to use the credential token to auth.

In addition to adding Basic Auth, I think [self setAuthorizationHeaderWithCredential:credential]; should be removed (the docs clearly stated that the client should be used standalone and credentials transferred to a subclass of AFHTTPClient) OR [self setAuthorizationHeaderWithUsername:self.clientID password:self.secret]; should be called before every auth attempt.

I believe this did not cause issue previously as the clientID and secret were being sent in the form data of the auth request and the server was happy to accept this and ignore the authorization header field. Now I am using basic auth there is a conflict in the auth header being set.

I'd like to be able to test how soon a credential will expire - not just if it has expired. This can easily be done if expiration is exposed publicly as a readonly property on AFOAuthCredential by adding

@Property (readonly, nonatomic) NSDate *expiration;

to the AFOAuthCredential interface in AFOAuth2Client.h.

Thanks,

M.

Found via Facebook's Infer tool:

ios/thirdparty/AFOAuth2Manager/AFOAuth2Manager.m:374: error: MEMORY_LEAK

memory dynamically allocated to updateDictionary by call to dictionary at line 365, column 45 is not reachable after line 376, column 9

I tried reporting this via email but got no response

According to http://tools.ietf.org/html/rfc6749#section-5.2 in the case of error response "authorization server responds with an HTTP 400 (Bad Request) status code (unless specified otherwise)" ("server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported"), but in fact much of OAuth 2 servers responds with HTTP 200.

Please add parsing error also in failure block.

After update cocoapods to version 0.36 and use Framework. I found that AFOauth2Manager cannot import AFNetworking library to use in code. Xcode show error in AFOauth2Manager code where import AFNetworking code.

Upon trying to update my project to use AFNetworking in CocoaPods I was greeted with:

'[!] Unable to satisfy the following requirements:

• AFNetworking/NSURLConnection (~> 2.2) required by AFOAuth2Manager (2.1.0)
• AFNetworking (~> 3.0) required by Podfile
• AFNetworking (~> 2.2) required by AFOAuth2Manager (2.0.0)

Specs satisfying the AFNetworking/NSURLConnection (~> 2.2) dependency were found, but they required a higher minimum deployment target.'

Any plans to update it?

I'm not entirely sure what's going on but since one of the last updates I keep getting this during the build of AFOAuth2Client:

/Users/kain/src/myproj/Pods/AFNetworking/AFNetworking/AFHTTPClient.h:84:9: SystemConfiguration framework not found in project, or not included in precompiled header. Network reachability functionality will not be available.

/Users/kain/src/myproj/Pods/AFNetworking/AFNetworking/AFHTTPClient.h:89:9: MobileCoreServices framework not found in project, or not included in precompiled header. Automatic MIME type detection when uploading files in multipart requests will not be available.

Using latest cocoapods. http://d.pr/i/s5D1
I cannot figure out why, it happens during the AFHTTPClient.h import in AFOAuth2Client.

project pch

#ifdef __OBJC__
#import <UIKit/UIKit.h>
#import <Foundation/Foundation.h>
#import <SystemConfiguration/SystemConfiguration.h>
#import <MobileCoreServices/MobileCoreServices.h>
...
#endif

Podfile

platform :ios, '6.0'
pod 'AFNetworking', git: 'git://github.com/AFNetworking/AFNetworking.git'
pod 'AFOAuth2Client', git: 'git://github.com/AFNetworking/AFOAuth2Client.git'
...

Seems like issue connected with this CocoaPods issue

UPD: solved it. Can't make a pull request.

The spec states this is as REQUIRED here:
https://tools.ietf.org/html/draft-ietf-oauth-v2-31#section-4.1.1

In fact, I'm unsure how to use the library for this grant type at all (to get the returned 'code') as the success block seems to be predicated on receiving access tokens rather than the code.

I'm currently writing an Imgur API based on AFNetworking and the AFOAuth2Client extension but I'm stuck on a point: the base URL differs between the OAuth access and the general access. For OAuth, the base URL is https://api.imgur.com/oauth2/ while it's https://api.imgur.com/3/ or https://imgur-apiv3.p.mashape.com/ for all the others request.

I didn't find how to handle this particularity, is there any solution without rewriting the library?

From what I can see, it doesn't.

I'm using AFOAuth1 for connecting to Flickr and 500px, but I was hoping I could use the similar AFOAuth2 for connecting with Instagram.

I'm hitting an OAuth endpoint that does not return an expiration. According to the oath draft, expirations are not required. The server I'm hitting only returns access_token and token_type.

I think this may be related to #66 and this commit: ff106e1

asserting that expires_in is defined contradicts the spec, no?

(talking about the 3.0.0. branch here)

When using setAuthorizationHeaderFieldWithCredential: the library produces the following header field

Authorization = "Basic <wrong token here>";

To my knowledge, it should be
Authorization = "Bearer <token here>";

Also, the token in the 'Basic' case is NOT the access token stored in the AFOAuthCredential for given provider identifier.

When setting the Authorization header myself with the bearer keyword and my valid access token the call works.

According to http://tools.ietf.org/html/rfc6749#section-8.2 (or even to http://tools.ietf.org/html/rfc6749#section-5.1 example) token response may include additional parameters.
Some services are added "user_id" parameter. Those API does not provide any methods to get "user_id" by "access_token".

It would be nice to keep additional parameters in the store.

I am using cocoapods to install AFNetworking and your extension. When trying to compile I am getting the error that it can't find AFJsonRequestOperation.h. It is not clear where this dependency is or if another pod or extension should be installed. Can you advise?

It's not uncommon to include additional data in a successful OAuth response. How come only the token is accessible in the success handler?

I realize this won't be easy to change for backwards compatibility reasons, but if a major version is coming up, it would be nice to have the block signatures (mostly) match all the standard AFNetworking ones by simply adding the AFHTTPRequestOperation *operation parameter in front. While the second argument to success would still be AFOAuthCredential, the developer can choose to extract extra parameters from the AFHTTPRequestOperation instance's responseObject property.

In the meantime, perhaps something could be done to support accessing the additional parameters?

Create a method to return an authorization NSURLRequest given the path, response type (code or token), redirect URI, and scope. The returned NSURLRequest can be loaded into an UIWebView to commence authorization.

NSString *identifier = @"id.entif.ier";
[AFOAuthCredential storeCredential:credential withIdentifier:identifier];
AFOAuthCredential *credential = [AFOAuthCredential retrieveCredentialWithIdentifier:identifier];

iOS 7: credential != nil, iOS 8: credential == nil

i've brought this up before:

Including the client credentials in the request body using the two
parameters is NOT RECOMMENDED, and SHOULD be limited to clients
unable to directly utilize the HTTP Basic authentication scheme (or
other password-based HTTP authentication schemes). The parameters
can only be transmitted in the request body and MUST NOT be included
in the request URI.

AFNetworking already supports basic auth headers so this shouldn't be hard to change.

Hello,

In AFHTTPRequestSerializer+OAuth2.h and AFOAuth2Manager.h, I suggest you change

#import <AFNetworking/...h>

to:

#import <AFNetworking.h>

for increased compatibility. They currently result in an error if include paths aren't set to include system paths, which is important to many developers.

Thanks,
Drew

According RFC 6749 expires_in parameter has status "RECOMMENDED":
If omitted, the authorization server SHOULD provide the expiration time via other means or document the default value.

Server may not transmit this parameter and we must provide it manually (by adding "defaultLifetime" property in AFOAuth2Client?)

Adding AFOAuth1Client and AFOAuth2Client via CocoaPods. XCode generating Expected a type error on method:

+ (BOOL)storeCredential:(AFOAuth1Token *)credential
         withIdentifier:(NSString *)identifier

In the ReadMe Usage example , the scope: is not stated as it should be
If I use authenticateUsingOAuthWithPath wo the scope parameter I get a warning
-authenticateUsingOAuthWithPath instance method not found

what's should be the scope value to be supplied ?

Hey, i have encountered linker errors that I couldn't understand. I tried another library trying to get it work, i built the project without last step, which was adding Security.framework as a build dependency. (https://github.com/nxtbgthng/OAuth2Client)

I saw the same errors starting with sec... sec... then i realized it was a dependency for this project, too. Maybe you can add this to project's readme file? :)

As per general AFNetworking methods, in the failure method, both AFHTTPRequestOperation and NSError should be return.

ie. failure:^(AFHTTPRequestOperation *operation, NSError *error)..

Xcode 6.3 throws warning "Comparison of address of 'kSecAttrAccessibleWhenUnlocked' not equal to a null pointer is always true" for line 348 in AFOauth2Manager.m.

Is it please possible to remove the NSLogs in the AFOAuth2Mangaer.m ?
It logs the identifier of the keychain entry. This can be used by other apps to get the credentials.

Regards David

Ammm... Add .gitignore=)

According http://tools.ietf.org/html/rfc6750#section-2 Bearer token may be used in three different ways:

• as "Authorization Request Header Field"
• as "Form-Encoded Body Parameter"
• as "URI Query Parameter"

But in authenticateUsingOAuthWithPath:parameters:success:failure: hardcoded "Authorization Request Header Field" way.

Many services often use of the token in the query parameters ("Form-Encoded Body Parameter" or "URI Query Parameter"), and not in the query headers (e.g. VKontakte).

I think that better solution would be remove [self setAuthorizationHeaderWithCredential:credential]; and allow the developer to choose what he want to use. I think this is a more flexible solution.

This class will be super class for developers' purposes. As for me, I make subclass and override requestWithMethod:path:parameters: and multipartFormRequestWithMethod:path:parameters:constructingBodyWithBlock: methods to add "access_token" (bearer token) parameter.

Currently if the token expires - no check is made before to make sure the token is not expired.

It should check for expiration before making the request - if expired - use refresh token to get a fresh access token.

• Note - I am not sure if this is how it should work. e.g. It could be left up to the developer to check before each call is made using AFOAuth2 but would be useful if this was handled by the framework.

As per 4.4 - you receive an access token, an expiration but no refresh token. Currently this causes an assert due to a call to:

[credential setRefreshToken:nil expiration:nil]

I am using OAuth1 to authorise API and get access token.
When I call POST method it give me "oauth_problem=signature_invalid".

 NSMutableURLRequest *request = [self.myClient requestWithMethod:@"POST" path:apiURL parameters:jsonObj];
    NSDictionary *dict = @{ @"Content-Type":@"application/json",@"Accept":@"*/*"};

    [request setAllHTTPHeaderFields:dict];
    [request setHTTPShouldHandleCookies:true];

 AFJSONRequestOperation *jsonOperation = [AFJSONRequestOperation JSONRequestOperationWithRequest:request success:^(NSURLRequest *request, NSHTTPURLResponse *response, id JSON) {
     NSLog(@"Success: %@", JSON);

     } failure:^(NSURLRequest *request, NSHTTPURLResponse *response, NSError *error, id JSON) {
         NSLog(@"Header: %@",[request allHTTPHeaderFields]);
     NSLog(@"Error: %@", error);
     }];

     [jsonOperation start];

Please help me.

AFNetworking is now 2.0 and it should be a good idea to update the Podfile.

In c48e23b, +[AFOAuthCredential storeCredential:withIdentifier:]'s first argument changed from an AFOAuthCredential to an AFOAuth1Token, which is a class from AFOAuth1Client and is not used in this project.

Your best practice guide for iOS 8 indicates that AFHTTPSessionManager is the way to go. Do yo have a working example of AFOAuth2Manager working with AFHTTPSessionManager?

With newest version of AFOAuth2Client I'm geting erron during compilation under Xcode 5 for iOS7

NSNull instances should be removed from the returned JSON, so that they are properly treated as nil values.

According to "Implicit Grant. Access Token Response" expires_in parameter can be get without refresh_token parameter. It displays access_token life time. When access_token expired it can be removed.

For such type of credential would be better to add "canBeRefreshed" or "canBeExtended" property.

Client credentials does not return a refresh token or expiration. This causes an assert in:

- (void)setRefreshToken:(NSString *)refreshToken
             expiration:(NSDate *)expiration

I just don't get why is it so hard to write a usual Installation topic.

For anyone who just don't-know-what-the-hell-you-need-to-do-to-install-this-extension just add it to your Podfile as pod "AFOAuth2Manager" and make sure you have #import "AFOAuth2Manager.h" line in your header file

And please don't write it in documentation, newbies must squirm in agony and die!

I managed to bump into this problem while simulating blacklisted connections.

I could be mistaken, but shouldn't the expiration be set regardless the refresh token - as long as expires_in is present?

It seems a recent change 7340904 / cfdf599 made use of the expiration conditional on a refresh token being present, which isn't always the case. See also #71. The expiration and refresh_token should be considered separately, not together in an all-or-nothing fashion,

When requesting a client_credentials grant, I receive an access token with a limited lifetime (e.g., 1 second for testing, below), but the AFOAuthCredential will always tell you the token has not expired.

{
    "access_token": "0c06a430f3f649837f412a011cf19a0e93bd41a075cc45876db601070d862ec4",
    "token_type": "bearer",
    "expires_in": 1,
    "scope": "public"
}