
Comments (9)

Widcket commented on July 3, 2024

Hi @ellneal, thanks for raising this.

The code credentials grant is already supported through dedicated methods for logging in with username/password (e.g. this one). Do these methods address your use case? If not, could you please provide more information about your use case?

from auth0.swift.

ellneal commented on July 3, 2024

I'm using the client_credentials grant (with an audience and a client_secret). I can't find any explicit method that supports this unless I'm mistaken?


Widcket commented on July 3, 2024

Mobile apps are considered public clients, so there is no need to provide a client_secret (it can be easily retrieved from the app binary).


Widcket commented on July 3, 2024

So you can use https://auth0.github.io/Auth0.swift/documentation/auth0/authentication/login(usernameoremail:password:realmorconnection:audience:scope:)-5yc0w/ for this.


ellneal commented on July 3, 2024

Our use case here is complicated, but rest assured that we are not storing a secret in the app binary. However, we do still need to use the client_credentials grant, and I would argue that since it's a function supported by the Auth0 API, it should be possible to call it from the Auth0 Swift SDK without resorting to hacks.

This is how I built the request using the v1 SDK.

import Auth0

// Auth0.swift v1: the raw parameter set for /oauth/token can be passed straight
// through tokenExchange(withParameters:). client_id is supplied by the
// Authentication client; the secret is injected at runtime, not compiled in.
let authentication = Auth0.authentication(clientId: theClientId, domain: theDomain)
let request = authentication.tokenExchange(withParameters: [
    "grant_type": "client_credentials",
    "audience": theAudience,
    "client_secret": theClientSecretThatIsNotHardcodedIntoTheBinarySoYouNeedNotWorry
])

And this is how I currently have to achieve the same result with the v2 SDK:

import Auth0

// Auth0.swift v2: the token() function and the Request initialisers are not
// public, so an existing /oauth/token request (codeExchange) is created with
// placeholder values and its payload is then overwritten via parameters(_:).
extension Auth0.Authentication {
    func clientCredentials(audience: String, secret: String) -> Request<Credentials, AuthenticationError> {
        codeExchange(withCode: "", codeVerifier: "", redirectURI: "")
            .parameters([
                // nil entries are intended to drop the placeholder
                // authorization-code parameters from the payload
                "code": nil,
                "code_verifier": nil,
                "redirect_uri": nil,
                "grant_type": "client_credentials",
                "audience": audience,
                "client_secret": secret
            ] as [String: Any?] as [String: Any])
    }
}


Widcket commented on July 3, 2024

However, we do still need to use the client_credentials grant, and I would argue that since it's a function supported by the Auth0 API, it should be possible to call it from the Auth0 Swift SDK without resorting to hacks.

Not all grants are supported for all application types. The client credentials grant is not supported for public clients. Mobile applications are public clients, so it is not supported by our mobile SDKs: https://auth0.com/docs/get-started/applications/application-grant-types#public-applications

[Screenshot attached, 2023-09-25]


ellneal commented on July 3, 2024

Our use case also isn't a public application, but thanks for your assistance anyway.


Widcket commented on July 3, 2024

Could you please expand in more detail on why you need the client credentials grant in particular?


ellneal commented on July 3, 2024

We're using it as an interim solution for device authentication because the Auth0 device flow does not yet support multiple organisations.

I'm not advocating for the client credentials grant to have an explicit method added as I understand that your goal is to discourage use of that where it's a potential security risk. Hence my feature request is for the token() function (or even just the Request initialisers) to be made public so that we can build our own parameter sets when calling /oauth/token.

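For reference, this is what a direct client_credentials call to /oauth/token looks like without going through the SDK at all. It is an added example, not code from the thread, from Auth0.swift or from Auth0. It assumes a tenant domain, client ID, client secret and API audience supplied by the caller, and the type and function names are illustrative. Following the grant-type restriction discussed above, it is meant to run on a confidential client (a backend you operate, reading the secret from a server-side secret store), not inside a shipped mobile app, where the secret can be lifted from the binary.

```swift
import Foundation

/// Parameters for the client_credentials grant against Auth0's /oauth/token.
/// Illustrative type, not part of Auth0.swift.
struct ClientCredentialsGrant {
    let domain: String        // tenant domain, e.g. "tenant.eu.auth0.com" (placeholder)
    let clientId: String
    let clientSecret: String  // must never ship inside a public client
    let audience: String      // API identifier the access token is issued for

    /// Builds POST https://{domain}/oauth/token with the JSON body Auth0 documents
    /// for this grant: grant_type, client_id, client_secret and audience.
    func urlRequest() throws -> URLRequest {
        guard let url = URL(string: "https://\(domain)/oauth/token") else {
            throw URLError(.badURL)
        }
        var request = URLRequest(url: url)
        request.httpMethod = "POST"
        request.setValue("application/json", forHTTPHeaderField: "Content-Type")
        let body: [String: String] = [
            "grant_type": "client_credentials",
            "client_id": clientId,
            "client_secret": clientSecret,
            "audience": audience
        ]
        request.httpBody = try JSONEncoder().encode(body)
        return request
    }
}

/// Successful response: an access token for the audience, no refresh token.
struct AccessTokenResponse: Decodable {
    let accessToken: String
    let tokenType: String
    let expiresIn: Int

    enum CodingKeys: String, CodingKey {
        case accessToken = "access_token"
        case tokenType = "token_type"
        case expiresIn = "expires_in"
    }
}

/// OAuth error body returned by /oauth/token, e.g. when the grant is not
/// enabled for the application (typically "unauthorized_client").
struct TokenErrorResponse: Decodable {
    let error: String
    let errorDescription: String?

    enum CodingKeys: String, CodingKey {
        case error
        case errorDescription = "error_description"
    }
}

enum TokenRequestError: Error {
    case server(status: Int, error: TokenErrorResponse?)
}

/// Performs the request and decodes either the token or the OAuth error body,
/// so a grant-type rejection surfaces as a typed error rather than a decode failure.
func requestAccessToken(_ grant: ClientCredentialsGrant,
                        session: URLSession = .shared) async throws -> AccessTokenResponse {
    let (data, response) = try await session.data(for: try grant.urlRequest())
    let status = (response as? HTTPURLResponse)?.statusCode ?? -1
    guard (200..<300).contains(status) else {
        let body = try? JSONDecoder().decode(TokenErrorResponse.self, from: data)
        throw TokenRequestError.server(status: status, error: body)
    }
    return try JSONDecoder().decode(AccessTokenResponse.self, from: data)
}

// Usage (hypothetical values; the secret is loaded at runtime, never compiled in):
// let grant = ClientCredentialsGrant(domain: tenantDomain, clientId: clientId,
//                                    clientSecret: secretFromVault, audience: apiAudience)
// let token = try await requestAccessToken(grant)
```

If the application is a public client in the Auth0 dashboard, the tenant rejects this call regardless of how the secret is stored, so the returned error body is the first thing to check when the request fails.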
