/*! @file OIDError.h
@brief AppAuth iOS SDK
@copyright
Copyright 2015 Google Inc. All Rights Reserved.
@copydetails
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#import <Foundation/Foundation.h>
NS_ASSUME_NONNULL_BEGIN
/*! @brief The error domain for all NSErrors returned from the AppAuth library.
@discussion Used for failures that are not an explicit OAuth error response from the server
(discovery document parsing, user or programmatic cancellation, transport failures, JSON
handling, ID Token parsing and validation). The \NSError_code is presumably one of the
@c ::OIDErrorCode values; this header only declares the constants, so confirm the mapping
in the implementation before switching on it.
*/
extern NSString *const OIDGeneralErrorDomain;
/*! @brief The error domain for OAuth specific errors on the authorization endpoint.
@discussion This error domain is used when the server responds to an authorization request
with an explicit OAuth error, as defined by RFC6749 Section 4.1.2.1. If the authorization
response is invalid and not explicitly an error response, another error domain will be used.
The error response parameter dictionary is available in the
\NSError_userInfo dictionary using the @c ::OIDOAuthErrorResponseErrorKey key.
The \NSError_code will be one of the @c ::OIDErrorCodeOAuthAuthorization enum values.
NOTE(review): per RFC6749 Section 4.1.2.1 this error response is delivered through the
redirect URI, so 'error', 'error_description' and 'error_uri' are controlled by whoever
produced the redirect. Treat them as untrusted input: use nothing beyond the mapped error
code for control flow, and never open 'error_uri' without validating it.
@see https://tools.ietf.org/html/rfc6749#section-4.1.2.1
*/
extern NSString *const OIDOAuthAuthorizationErrorDomain;
/*! @brief The error domain for OAuth specific errors on the token endpoint.
@discussion This error domain is used when the server responds with HTTP 400 and an OAuth error,
as defined in RFC6749 Section 5.2. If an HTTP 400 response does not parse as an OAuth error
(i.e. no 'error' field is present or the JSON is invalid), another error domain will be
used. The entire OAuth error response dictionary is available in the \NSError_userInfo
dictionary using the @c ::OIDOAuthErrorResponseErrorKey key. Unlike transient network
errors, errors in this domain invalidate the authentication state, and either indicate a
client error or require user interaction (i.e. reauthentication) to resolve.
The \NSError_code will be one of the @c ::OIDErrorCodeOAuthToken enum values.
Because the authentication state is invalidated, callers should not retry the request with
the same credentials; discard the stored tokens and send the user through authorization again.
@see https://tools.ietf.org/html/rfc6749#section-5.2
*/
extern NSString *const OIDOAuthTokenErrorDomain;
/*! @brief The error domain for dynamic client registration errors.
@discussion This error domain is used when the server responds with HTTP 400 and an OAuth error,
as defined in OpenID Connect Dynamic Client Registration 1.0 Section 3.3. If an HTTP 400
response does not parse as an OAuth error (i.e. no 'error' field is present or the JSON is
invalid), another error domain will be used. The entire OAuth error response dictionary is
available in the \NSError_userInfo dictionary using the @c ::OIDOAuthErrorResponseErrorKey
key. Unlike transient network errors, errors in this domain invalidate the authentication
state, and indicate a client error.
The \NSError_code will be one of the @c ::OIDErrorCodeOAuthRegistration enum values.
@see https://openid.net/specs/openid-connect-registration-1_0.html#RegistrationError
*/
extern NSString *const OIDOAuthRegistrationErrorDomain;
/*! @brief The error domain for authorization errors encountered out of band on the resource server.
@discussion No error codes for this domain are declared in this header; presumably the
application constructs these errors itself when a resource server rejects an access token.
Confirm against the implementation before relying on a particular code value.
*/
extern NSString *const OIDResourceServerAuthorizationErrorDomain;
/*! @brief An error domain representing received HTTP errors.
@discussion Presumably the domain used for non-2xx responses that do not parse as an OAuth
error response. NOTE(review): this header does not pin down the \NSError_code for this
domain (it may be the HTTP status code) — confirm in the implementation.
*/
extern NSString *const OIDHTTPErrorDomain;
/*! @brief An error key for the original OAuth error response (if any).
@discussion The value is the error response dictionary as the server returned it (keys such
as @c ::OIDOAuthErrorFieldError, @c ::OIDOAuthErrorFieldErrorDescription and
@c ::OIDOAuthErrorFieldErrorURI). Its contents are server-supplied and must be treated as
untrusted: fine for diagnostics, not for control flow or unescaped display.
*/
extern NSString *const OIDOAuthErrorResponseErrorKey;
/*! @brief An error key used to access the HTTP response headers from a failed AppAuth request.
@discussion When an AppAuth request fails due to a non-2xx HTTP response, the server's
response headers are attached to the returned NSError's `userInfo` dictionary under this key.
The value is an NSDictionary<NSString *, id>, matching the structure of
NSHTTPURLResponse.allHeaderFields.
NOTE(review): response headers can carry sensitive values (e.g. Set-Cookie or a
WWW-Authenticate challenge). Do not dump this dictionary wholesale into logs, crash reports
or analytics; extract the specific headers you need.
*/
extern NSString *const OIDHTTPResponseHeadersKey;
/*! @brief The key of the 'error' response field in a RFC6749 Section 5.2 response.
@remark error
@discussion The only field the library maps to an error code; values it does not recognise
are reported as @c ::OIDErrorCodeOAuthOther.
@see https://tools.ietf.org/html/rfc6749#section-5.2
*/
extern NSString *const OIDOAuthErrorFieldError;
/*! @brief The key of the 'error_description' response field in a RFC6749 Section 5.2 response.
@remark error_description
@discussion Human-readable, server-supplied text. RFC6749 restricts it to printable ASCII,
but it remains untrusted: do not render it as HTML or derive behaviour from it.
@see https://tools.ietf.org/html/rfc6749#section-5.2
*/
extern NSString *const OIDOAuthErrorFieldErrorDescription;
/*! @brief The key of the 'error_uri' response field in a RFC6749 Section 5.2 response.
@remark error_uri
@discussion A server-supplied URI of a human-readable error page. Never open it
automatically or present it as a trusted link; validate the scheme and host before
giving the user any way to follow it.
@see https://tools.ietf.org/html/rfc6749#section-5.2
*/
extern NSString *const OIDOAuthErrorFieldErrorURI;
/*! @brief The various error codes returned from the AppAuth library.
@discussion These values overlap numerically with @c ::OIDErrorCodeOAuth (both start at -2),
so an NSError's domain must be checked before its code is interpreted.
*/
typedef NS_ENUM(NSInteger, OIDErrorCode) {
/*! @brief Indicates a problem parsing an OpenID Connect Service Discovery document.
*/
OIDErrorCodeInvalidDiscoveryDocument = -2,
/*! @brief Indicates the user manually canceled the OAuth authorization code flow.
*/
OIDErrorCodeUserCanceledAuthorizationFlow = -3,
/*! @brief Indicates an OAuth authorization flow was programmatically cancelled.
*/
OIDErrorCodeProgramCanceledAuthorizationFlow = -4,
/*! @brief Indicates a network error or server error occurred.
@discussion Treated as transient, in contrast to the OAuth error domains, whose errors
invalidate the authentication state.
*/
OIDErrorCodeNetworkError = -5,
/*! @brief Indicates a server error occurred.
*/
OIDErrorCodeServerError = -6,
/*! @brief Indicates a problem occurred deserializing the response/JSON.
*/
OIDErrorCodeJSONDeserializationError = -7,
/*! @brief Indicates a problem occurred constructing the token response from the JSON.
*/
OIDErrorCodeTokenResponseConstructionError = -8,
/*! @brief @c UIApplication.openURL: returned NO when attempting to open the authorization
request in mobile Safari.
*/
OIDErrorCodeSafariOpenError = -9,
/*! @brief @c NSWorkspace.openURL returned NO when attempting to open the authorization
request in the default browser.
*/
OIDErrorCodeBrowserOpenError = -10,
/*! @brief Indicates a problem when trying to refresh the tokens.
*/
OIDErrorCodeTokenRefreshError = -11,
/*! @brief Indicates a problem occurred constructing the registration response from the JSON.
*/
OIDErrorCodeRegistrationResponseConstructionError = -12,
/*! @brief Indicates a problem occurred serializing to JSON.
@discussion The earlier text duplicated @c ::OIDErrorCodeJSONDeserializationError; the name
indicates the serialization (encoding) direction — confirm against the implementation.
*/
OIDErrorCodeJSONSerializationError = -13,
/*! @brief The ID Token did not parse.
*/
OIDErrorCodeIDTokenParsingError = -14,
/*! @brief The ID Token did not pass validation (e.g. issuer, audience checks).
@discussion A token that fails validation must be rejected outright: none of its claims
may be used to identify the user or establish a session.
*/
OIDErrorCodeIDTokenFailedValidationError = -15,
};
/*! @brief Enum of all possible OAuth error codes as defined by RFC6749 and the OpenID Connect
Dynamic Client Registration error response.
@discussion Used by @c ::OIDErrorCodeOAuthAuthorization, @c ::OIDErrorCodeOAuthToken and
@c ::OIDErrorCodeOAuthRegistration which define endpoint-specific subsets of OAuth codes.
Those enum types are down-castable to this one.
The values overlap numerically with @c ::OIDErrorCode, so check the NSError domain before
interpreting the code. @c ::OIDErrorCodeOAuthClientError and @c ::OIDErrorCodeOAuthOther sit
far below the spec-defined codes, presumably so that new spec codes can be appended without
colliding with them.
@see https://tools.ietf.org/html/rfc6749#section-11.4
@see https://tools.ietf.org/html/rfc6749#section-4.1.2.1
@see https://tools.ietf.org/html/rfc6749#section-5.2
*/
typedef NS_ENUM(NSInteger, OIDErrorCodeOAuth) {
/*! @remarks invalid_request
@see https://tools.ietf.org/html/rfc6749#section-4.1.2.1
@see https://tools.ietf.org/html/rfc6749#section-5.2
*/
OIDErrorCodeOAuthInvalidRequest = -2,
/*! @remarks unauthorized_client
@see https://tools.ietf.org/html/rfc6749#section-4.1.2.1
@see https://tools.ietf.org/html/rfc6749#section-5.2
*/
OIDErrorCodeOAuthUnauthorizedClient = -3,
/*! @remarks access_denied
@see https://tools.ietf.org/html/rfc6749#section-4.1.2.1
*/
OIDErrorCodeOAuthAccessDenied = -4,
/*! @remarks unsupported_response_type
@see https://tools.ietf.org/html/rfc6749#section-4.1.2.1
*/
OIDErrorCodeOAuthUnsupportedResponseType = -5,
/*! @remarks invalid_scope
@see https://tools.ietf.org/html/rfc6749#section-4.1.2.1
@see https://tools.ietf.org/html/rfc6749#section-5.2
*/
OIDErrorCodeOAuthInvalidScope = -6,
/*! @remarks server_error
@see https://tools.ietf.org/html/rfc6749#section-4.1.2.1
*/
OIDErrorCodeOAuthServerError = -7,
/*! @remarks temporarily_unavailable
@see https://tools.ietf.org/html/rfc6749#section-4.1.2.1
*/
OIDErrorCodeOAuthTemporarilyUnavailable = -8,
/*! @remarks invalid_client
@see https://tools.ietf.org/html/rfc6749#section-5.2
*/
OIDErrorCodeOAuthInvalidClient = -9,
/*! @remarks invalid_grant
@see https://tools.ietf.org/html/rfc6749#section-5.2
*/
OIDErrorCodeOAuthInvalidGrant = -10,
/*! @remarks unsupported_grant_type
@see https://tools.ietf.org/html/rfc6749#section-5.2
*/
OIDErrorCodeOAuthUnsupportedGrantType = -11,
/*! @remarks invalid_redirect_uri
@see https://openid.net/specs/openid-connect-registration-1_0.html#RegistrationError
*/
OIDErrorCodeOAuthInvalidRedirectURI = -12,
/*! @remarks invalid_client_metadata
@see https://openid.net/specs/openid-connect-registration-1_0.html#RegistrationError
*/
OIDErrorCodeOAuthInvalidClientMetadata = -13,
/*! @brief An authorization error occurring on the client rather than the server. For example,
due to a state mismatch or misconfiguration. Should be treated as an unrecoverable
authorization error.
@discussion A state mismatch means the authorization response could not be tied to a request
this client issued (the CSRF protection of RFC6749 Section 10.12). The response must be
discarded; do not retry it or honour any part of it.
@see https://tools.ietf.org/html/rfc6749#section-10.12
*/
OIDErrorCodeOAuthClientError = -0xEFFF,
/*! @brief An OAuth error not known to this library
@discussion Indicates an OAuth error as per RFC6749, but the error code was not in our
list. It could be a custom error code, or one from an OAuth extension. See the "error" key
of the \NSError_userInfo property. Such errors are assumed to invalidate the
authentication state.
*/
OIDErrorCodeOAuthOther = -0xF000,
};
/*! @brief The error codes for the @c ::OIDOAuthAuthorizationErrorDomain error domain
@discussion Each value aliases the corresponding @c ::OIDErrorCodeOAuth value, so the two
enums can be compared directly once the domain has been checked.
@see https://tools.ietf.org/html/rfc6749#section-4.1.2.1
*/
typedef NS_ENUM(NSInteger, OIDErrorCodeOAuthAuthorization) {
/*! @remarks invalid_request
@see https://tools.ietf.org/html/rfc6749#section-4.1.2.1
*/
OIDErrorCodeOAuthAuthorizationInvalidRequest = OIDErrorCodeOAuthInvalidRequest,
/*! @remarks unauthorized_client
@see https://tools.ietf.org/html/rfc6749#section-4.1.2.1
*/
OIDErrorCodeOAuthAuthorizationUnauthorizedClient = OIDErrorCodeOAuthUnauthorizedClient,
/*! @brief The resource owner or authorization server denied the request.
@remarks access_denied
@see https://tools.ietf.org/html/rfc6749#section-4.1.2.1
*/
OIDErrorCodeOAuthAuthorizationAccessDenied =
OIDErrorCodeOAuthAccessDenied,
/*! @remarks unsupported_response_type
@see https://tools.ietf.org/html/rfc6749#section-4.1.2.1
*/
OIDErrorCodeOAuthAuthorizationUnsupportedResponseType =
OIDErrorCodeOAuthUnsupportedResponseType,
/*! @brief The requested scope is invalid, unknown, or malformed.
@remarks invalid_scope
@discussion NOTE(review): the doubled "Authorization" in this identifier looks like a typo,
but it is public API and is kept unchanged for source compatibility.
@see https://tools.ietf.org/html/rfc6749#section-4.1.2.1
*/
OIDErrorCodeOAuthAuthorizationAuthorizationInvalidScope = OIDErrorCodeOAuthInvalidScope,
/*! @brief The authorization server encountered an unexpected condition that prevented it
from fulfilling the request.
@remarks server_error
@see https://tools.ietf.org/html/rfc6749#section-4.1.2.1
*/
OIDErrorCodeOAuthAuthorizationServerError = OIDErrorCodeOAuthServerError,
/*! @brief The authorization server is currently unable to handle the request.
@remarks temporarily_unavailable
@see https://tools.ietf.org/html/rfc6749#section-4.1.2.1
*/
OIDErrorCodeOAuthAuthorizationTemporarilyUnavailable = OIDErrorCodeOAuthTemporarilyUnavailable,
/*! @brief An authorization error occurring on the client rather than the server. For example,
due to a state mismatch or client misconfiguration. Should be treated as an unrecoverable
authorization error.
@discussion A state mismatch means the response could not be matched to a pending request
(RFC6749 Section 10.12); discard it rather than retrying.
*/
OIDErrorCodeOAuthAuthorizationClientError = OIDErrorCodeOAuthClientError,
/*! @brief An authorization OAuth error not known to this library
@discussion this indicates an OAuth error as per RFC6749, but the error code was not in our
list. It could be a custom error code, or one from an OAuth extension. See the "error" key
of the \NSError_userInfo property. We assume such errors are not transient.
@see https://tools.ietf.org/html/rfc6749#section-4.1.2.1
*/
OIDErrorCodeOAuthAuthorizationOther = OIDErrorCodeOAuthOther,
};
/*! @brief The error codes for the @c ::OIDOAuthTokenErrorDomain error domain
@discussion Each value aliases the corresponding @c ::OIDErrorCodeOAuth value. Every code in
this domain invalidates the authentication state (see @c ::OIDOAuthTokenErrorDomain).
@see https://tools.ietf.org/html/rfc6749#section-5.2
*/
typedef NS_ENUM(NSInteger, OIDErrorCodeOAuthToken) {
/*! @remarks invalid_request
@see https://tools.ietf.org/html/rfc6749#section-5.2
*/
OIDErrorCodeOAuthTokenInvalidRequest = OIDErrorCodeOAuthInvalidRequest,
/*! @brief Client authentication failed (e.g. unknown client, missing or unsupported
client authentication).
@remarks invalid_client
@see https://tools.ietf.org/html/rfc6749#section-5.2
*/
OIDErrorCodeOAuthTokenInvalidClient = OIDErrorCodeOAuthInvalidClient,
/*! @brief The grant or refresh token is invalid, expired, revoked, does not match the
redirect URI of the authorization request, or was issued to another client.
@remarks invalid_grant
@discussion Typically seen when a stored refresh token has been revoked or has expired; the
stored authorization state should be discarded and the user re-authenticated.
@see https://tools.ietf.org/html/rfc6749#section-5.2
*/
OIDErrorCodeOAuthTokenInvalidGrant = OIDErrorCodeOAuthInvalidGrant,
/*! @remarks unauthorized_client
@see https://tools.ietf.org/html/rfc6749#section-5.2
*/
OIDErrorCodeOAuthTokenUnauthorizedClient = OIDErrorCodeOAuthUnauthorizedClient,
/*! @remarks unsupported_grant_type
@see https://tools.ietf.org/html/rfc6749#section-5.2
*/
OIDErrorCodeOAuthTokenUnsupportedGrantType = OIDErrorCodeOAuthUnsupportedGrantType,
/*! @remarks invalid_scope
@see https://tools.ietf.org/html/rfc6749#section-5.2
*/
OIDErrorCodeOAuthTokenInvalidScope = OIDErrorCodeOAuthInvalidScope,
/*! @brief An unrecoverable token error occurring on the client rather than the server.
*/
OIDErrorCodeOAuthTokenClientError = OIDErrorCodeOAuthClientError,
/*! @brief A token endpoint OAuth error not known to this library
@discussion this indicates an OAuth error as per RFC6749, but the error code was not in our
list. It could be a custom error code, or one from an OAuth extension. See the "error" key
of the \NSError_userInfo property. We assume such errors are not transient.
@see https://tools.ietf.org/html/rfc6749#section-5.2
*/
OIDErrorCodeOAuthTokenOther = OIDErrorCodeOAuthOther,
};
/*! @brief The error codes for the @c ::OIDOAuthRegistrationErrorDomain error domain
@discussion Each value aliases the corresponding @c ::OIDErrorCodeOAuth value.
@see https://openid.net/specs/openid-connect-registration-1_0.html#RegistrationError
*/
typedef NS_ENUM(NSInteger, OIDErrorCodeOAuthRegistration) {
/*! @remarks invalid_request
@see https://tools.ietf.org/html/rfc6749#section-5.2
@see http://tools.ietf.org/html/rfc6750#section-3.1
*/
OIDErrorCodeOAuthRegistrationInvalidRequest = OIDErrorCodeOAuthInvalidRequest,
/*! @brief One or more of the supplied redirect URIs was rejected by the server.
@remarks invalid_redirect_uri
@see https://openid.net/specs/openid-connect-registration-1_0.html#RegistrationError
*/
OIDErrorCodeOAuthRegistrationInvalidRedirectURI = OIDErrorCodeOAuthInvalidRedirectURI,
/*! @brief The supplied client metadata was invalid.
@remarks invalid_client_metadata
@see https://openid.net/specs/openid-connect-registration-1_0.html#RegistrationError
*/
OIDErrorCodeOAuthRegistrationInvalidClientMetadata = OIDErrorCodeOAuthInvalidClientMetadata,
/*! @brief An unrecoverable registration error occurring on the client rather than the server.
*/
OIDErrorCodeOAuthRegistrationClientError = OIDErrorCodeOAuthClientError,
/*! @brief A registration endpoint OAuth error not known to this library
@discussion this indicates an OAuth error, but the error code was not in our
list. It could be a custom error code, or one from an OAuth extension. See the "error" key
of the \NSError_userInfo property. We assume such errors are not transient.
@see https://openid.net/specs/openid-connect-registration-1_0.html#RegistrationError
@see https://tools.ietf.org/html/rfc6749#section-5.2
*/
OIDErrorCodeOAuthRegistrationOther = OIDErrorCodeOAuthOther,
};
/*! @brief The exception text for the exception which occurs when a
@c OIDExternalUserAgentSession receives a message after it has already completed.
@discussion Raised as an exception rather than returned as an NSError: reusing a completed
session is a programming error, not a recoverable runtime condition.
*/
extern NSString *const OIDOAuthExceptionInvalidAuthorizationFlow;
/*! @brief The text for the exception which occurs when a Token Request is constructed
with a null redirectURL for a grant_type that requires a nonnull Redirect
@discussion Also raised as an exception. For the authorization-code exchange the redirect
URI is a required parameter that must match the one used in the authorization request
(RFC6749 Section 4.1.3), so omitting it is a programming error.
@see https://tools.ietf.org/html/rfc6749#section-4.1.3
*/
extern NSString *const OIDOAuthExceptionInvalidTokenRequestNullRedirectURL;
NS_ASSUME_NONNULL_END