feat: Add support for fetching rich consents (#139)

* Fix flakey JWT test

* Adds implementation of Consent API client for retrieving rich-consents for CIBA flow

* Add failure case test to ConsentSpec

* Small changes to align with Android SDK implementation

* Add README section for fetching consent

* Code review (#140)

* Code review

* removed context path manipulation

* Tests fixed

* Changed method signature to correct

---------

Co-authored-by: Ionut Manolache <[email protected]>

* backward compatibility with guardian domains

---------

Co-authored-by: Artem Bakanov <[email protected]>
Co-authored-by: Ionut Manolache <[email protected]>

Author: 3 people

Guardian.xcodeproj/project.pbxproj

@@ -98,6 +98,9 @@
 		5FAE6729210250E300F149A3 /* AsymmetricPublicKey.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5FAE6728210250E300F149A3 /* AsymmetricPublicKey.swift */; };
 		5FF42BA521091AD10082459F /* NetworkOperation.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5FF42BA421091AD10082459F /* NetworkOperation.swift */; };
 		5FF42BA821091F150082459F /* NetworkOperationSpec.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5FF42BA721091F150082459F /* NetworkOperationSpec.swift */; };
+		AB58F6102CF9EE4A00E642F6 /* ConsentAPI.swift in Sources */ = {isa = PBXBuildFile; fileRef = AB58F60E2CF9EE4A00E642F6 /* ConsentAPI.swift */; };
+		AB58F6112CF9EE4A00E642F6 /* ConsentAPIClient.swift in Sources */ = {isa = PBXBuildFile; fileRef = AB58F60F2CF9EE4A00E642F6 /* ConsentAPIClient.swift */; };
+		AB9381852D03359700C47B1E /* ConsentSpec.swift in Sources */ = {isa = PBXBuildFile; fileRef = AB9381842D03359700C47B1E /* ConsentSpec.swift */; };
 		ED1E39A52B7E6C1300E8609A /* MockURLProtocol.swift in Sources */ = {isa = PBXBuildFile; fileRef = ED1E39A42B7E6C1300E8609A /* MockURLProtocol.swift */; };
 		ED1E39A72B822A2500E8609A /* MockURLResponse.swift in Sources */ = {isa = PBXBuildFile; fileRef = ED1E39A62B822A2500E8609A /* MockURLResponse.swift */; };
 		ED1E39A92B82A9B100E8609A /* MockURLProtocolCondition.swift in Sources */ = {isa = PBXBuildFile; fileRef = ED1E39A82B82A9B100E8609A /* MockURLProtocolCondition.swift */; };
@@ -254,6 +257,9 @@
 		5FAE6728210250E300F149A3 /* AsymmetricPublicKey.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = AsymmetricPublicKey.swift; sourceTree = "<group>"; };
 		5FF42BA421091AD10082459F /* NetworkOperation.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = NetworkOperation.swift; sourceTree = "<group>"; };
 		5FF42BA721091F150082459F /* NetworkOperationSpec.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = NetworkOperationSpec.swift; sourceTree = "<group>"; };
+		AB58F60E2CF9EE4A00E642F6 /* ConsentAPI.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ConsentAPI.swift; sourceTree = "<group>"; };
+		AB58F60F2CF9EE4A00E642F6 /* ConsentAPIClient.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ConsentAPIClient.swift; sourceTree = "<group>"; };
+		AB9381842D03359700C47B1E /* ConsentSpec.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ConsentSpec.swift; sourceTree = "<group>"; };
 		ED1E39A42B7E6C1300E8609A /* MockURLProtocol.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = MockURLProtocol.swift; sourceTree = "<group>"; };
 		ED1E39A62B822A2500E8609A /* MockURLResponse.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = MockURLResponse.swift; sourceTree = "<group>"; };
 		ED1E39A82B82A9B100E8609A /* MockURLProtocolCondition.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = MockURLProtocolCondition.swift; sourceTree = "<group>"; };
@@ -419,6 +425,8 @@
 			children = (
 				2377A6421D806DFA00D6FB04 /* API.swift */,
 				2374A9E01D670F5900737F2E /* APIClient.swift */,
+				AB58F60E2CF9EE4A00E642F6 /* ConsentAPI.swift */,
+				AB58F60F2CF9EE4A00E642F6 /* ConsentAPIClient.swift */,
 				2377A6401D806D9900D6FB04 /* DeviceAPI.swift */,
 				232A85D91D6BDFCA00048DF7 /* DeviceAPIClient.swift */,
 				5F07A58E210A6E5900819FA2 /* NoContent.swift */,
@@ -500,6 +508,7 @@
 				2356C82F1D88A10600B6C84A /* GuardianSpec.swift */,
 				23D3E43F1D91BEA200F3FDE2 /* Base32Spec.swift */,
 				233F75281D93076600B8C15C /* NotificationSpec.swift */,
+				AB9381842D03359700C47B1E /* ConsentSpec.swift */,
 				5F1DB45C1DA4750F00264437 /* AuthenticationSpec.swift */,
 				2331BFEC1DD52ED50047F1D4 /* JWTSpec.swift */,
 			);
@@ -756,6 +765,8 @@
 				5F07A5AA210FAF9600819FA2 /* JWT.swift in Sources */,
 				5F07A58D210A6DF000819FA2 /* CodableAdditions.swift in Sources */,
 				5F07A58521092C7D00819FA2 /* ClientInfo.swift in Sources */,
+				AB58F6102CF9EE4A00E642F6 /* ConsentAPI.swift in Sources */,
+				AB58F6112CF9EE4A00E642F6 /* ConsentAPIClient.swift in Sources */,
 				5F07A599210F6D1900819FA2 /* Operation.swift in Sources */,
 				5F1604C721063FA000B0F25B /* Keys+Generation.swift in Sources */,
 				2331C01A1DD5FC6F0047F1D4 /* Data+Base64URL.swift in Sources */,
@@ -790,6 +801,7 @@
 				2356C8301D88A10600B6C84A /* GuardianSpec.swift in Sources */,
 				2374A9F51D67339E00737F2E /* Matchers.swift in Sources */,
 				23C67AEC1D81D6A400A38A2E /* MockNSURLSession.swift in Sources */,
+				AB9381852D03359700C47B1E /* ConsentSpec.swift in Sources */,
 				5F1604FB2107AF2800B0F25B /* OneTimePasswordGeneratorSpec.swift in Sources */,
 				ED1E39A92B82A9B100E8609A /* MockURLProtocolCondition.swift in Sources */,
 				5F1604C92106493600B0F25B /* SigningKeyStorageSpec.swift in Sources */,

Guardian/API/APIClient.swift

@@ -23,17 +23,17 @@
 import Foundation
 
 struct APIClient: API {
-
+    private let path = "appliance-mfa"
     let baseUrl: URL
     let telemetryInfo: Auth0TelemetryInfo?
 
     init(baseUrl: URL, telemetryInfo: Auth0TelemetryInfo? = nil) {
-        self.baseUrl = baseUrl
+        self.baseUrl = baseUrl.appendingPathComponentIfNeeded(path)
         self.telemetryInfo = telemetryInfo
     }
 
     func enroll(withTicket enrollmentTicket: String, identifier: String, name: String, notificationToken: String, verificationKey: VerificationKey) -> Request<Device, Enrollment> {
-        let url = self.baseUrl.appendingPathComponent("api/enroll")
+        let url = baseUrl.appendingPathComponent("api/enroll")
         do {
             let headers = ["Authorization": "Ticket id=\"\(enrollmentTicket)\""]
             guard let jwk = verificationKey.jwk else {
@@ -50,7 +50,7 @@ struct APIClient: API {
 
     func resolve(transaction transactionToken: String, withChallengeResponse challengeResponse: String) -> Request<Transaction, NoContent> {
         let transaction = Transaction(challengeResponse: challengeResponse)
-        let url = self.baseUrl.appendingPathComponent("api/resolve-transaction")
+        let url = baseUrl.appendingPathComponent("api/resolve-transaction")
         return Request.new(method: .post, url: url, headers: ["Authorization": "Bearer \(transactionToken)"], body: transaction, telemetryInfo: self.telemetryInfo)
     }
 
@@ -64,7 +64,7 @@ struct APIClient: API {
         let claims = BasicClaimSet(
             subject: userId,
             issuer: enrollmentId,
-            audience: self.baseUrl.appendingPathComponent(DeviceAPIClient.path).absoluteString,
+            audience: baseUrl.appendingPathComponent(DeviceAPIClient.path).absoluteString,
             expireAt: currentTime.addingTimeInterval(responseExpiration),
             issuedAt: currentTime
         )
@@ -74,3 +74,14 @@ struct APIClient: API {
     }
 
 }
+
+private extension URL {
+    func appendingPathComponentIfNeeded(_ pathComponent: String) -> URL {
+        guard
+            lastPathComponent != pathComponent,
+            !absoluteString.hasSuffix("guardian.auth0.com"),
+            absoluteString.range(of: "guardian\\.[^\\.]*\\.auth0\\.com", options: .regularExpression) == nil
+        else { return self }
+        return appendingPathComponent(pathComponent)
+    }
+}

Guardian/API/ConsentAPI.swift

@@ -0,0 +1,60 @@
+// ConsentAPI.swift
+//
+// Copyright (c) 2024 Auth0 (http://auth0.com)
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+
+import Foundation
+
+/**
+ `ConsentAPI` lets you retrieve consent objects from auth0's rich-consents API for authentication flows that require additional consent e.g. Client Initiated Backchannel Authentication (CIBA)
+ 
+ ```
+ let consent = Guardian
+    .consent(forDomain: "tenant.region.auth0.com")
+ ```
+ */
+public protocol ConsentAPI {
+    /**
+     ```
+     let notification: Notification = // the notification received
+     let consentId = notification.transactionLinkingId
+     
+     Guardian
+        .consent(forDomain: "tenant.region.auth0.com")
+     .fetch(consentId: consentId, notificationToken: notification.transactionToken, signingKey: enrollment.signingKey)
+     .start { result in
+          switch result {
+          case .success(let payload):
+              // present consent object to user to accept/deny
+          case .failure(let cause):
+              // failed to retrieve consent
+          }
+     }
+     ```
+     
+     - parameter consentId: the id of the consent object to fetch, this is obtained from the
+                            transaction linking id of the ncoming push notification where relevant
+     - parameter transactionToken: the access token obtained from the incoming push notification
+     - parameter signingKey: the private key used to sign Guardian AuthN requests
+                                    
+     - returns: a request to execute
+     */
+    func fetch(consentId: String, transactionToken: String, signingKey: SigningKey) -> Request<NoContent, Consent>
+}

Guardian/API/ConsentAPIClient.swift

@@ -0,0 +1,84 @@
+// ConsentAPIClient.swift
+//
+// Copyright (c) 2024 Auth0 (http://auth0.com)
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+
+import Foundation
+import CryptoKit
+
+struct ConsentAPIClient : ConsentAPI {
+    private let path: String = "rich-consents"
+    
+    let url:URL
+    let telemetryInfo: Auth0TelemetryInfo?
+    
+    init(baseConsentUrl: URL, telemetryInfo: Auth0TelemetryInfo? = nil ) {
+        let url = baseConsentUrl.appendingPathComponent(path, isDirectory: false)
+        self.url = url
+        self.telemetryInfo = telemetryInfo
+    }
+    
+    func fetch(consentId:String, transactionToken: String, signingKey: SigningKey) -> Request<NoContent, Consent> {
+        let consentURL = self.url.appendingPathComponent(consentId)
+        
+        do {
+            let dpopAssertion = try self.proofOfPossesion(url: consentURL, transactionToken: transactionToken, signingKey: signingKey)
+            return Request.new(
+                method: .get,
+                url: consentURL,
+                headers: [
+                    "Authorization": "MFA-DPoP \(transactionToken)",
+                    "MFA-DPoP": dpopAssertion
+                ],
+                telemetryInfo: self.telemetryInfo
+            )
+        }
+        catch let error {
+            return Request(method: .get, url: consentURL, error: error)
+        }
+    }
+    
+    private func proofOfPossesion (url: URL, transactionToken: String, signingKey: SigningKey) throws -> String {
+        guard let jwk = try signingKey.verificationKey().jwk else {
+            throw GuardianError(code: .invalidJWK)
+        }
+        
+        let header = JWT<DPoPClaimSet>.Header(algorithm: .rs256, type: "dpop+jwt", jwk: jwk)
+        let tokenHash = try self.authTokenHash(transactionToken: transactionToken);
+        
+        let claims = DPoPClaimSet(
+            httpURI: url.absoluteString,
+            httpMethod: "GET",
+            accessTokenHash: tokenHash,
+            jti: UUID().uuidString,
+            issuedAt: Date())
+
+         let jwt = try JWT<DPoPClaimSet>(claimSet: claims, header: header, key: signingKey.secKey)
+         return jwt.string
+    }
+    
+    private func authTokenHash(transactionToken: String) throws -> String {
+        guard let sha256 = A0SHA(algorithm: "sha256") else {
+            throw GuardianError(code: .failedCreationDPoPProof)
+        }
+        
+        return sha256.hash(Data(transactionToken.utf8)).base64URLEncodedString()
+    }
+}

Guardian/API/GuardianError.swift

@@ -47,6 +47,7 @@ public struct GuardianError: Swift.Error {
         case failedStoreAsymmetricKey = "a0.guardian.internal.failed.store_assymmetric_key"
         case notFoundPrivateKey = "a0.guardian.internal.no.private_key"
         case cannotSignTransactionChallenge = "a0.guardian.internal.cannot.sign_challenge"
+        case failedCreationDPoPProof = "a0.guardian.internal.failed.creation_dpop_proof"
     }
 
 }

Guardian/API/Models.swift

@@ -27,7 +27,7 @@ struct PushCredentials: Codable {
     let token: String
 }
 
-public struct RSAPublicJWK: Codable {
+public struct RSAPublicJWK: Codable, Equatable {
     let keyType = "RSA"
     let usage = "sig"
     let algorithm = "RS256"
@@ -94,6 +94,36 @@ public struct UpdatedDevice: Codable {
     }
 }
 
+public struct ConsentRequestedDetailsEntity: Decodable {
+    public let audience: String
+    public let scope: [String]
+    public let bindingMessage: String
+    
+    enum CodingKeys: String, CodingKey {
+        case audience
+        case scope
+        case bindingMessage = "binding_message"
+    }
+}
+
+public struct Consent: Decodable {
+    
+    public let consentId: String
+    
+    public let requestedDetails: ConsentRequestedDetailsEntity
+    
+    public let createdAt: String
+    
+    public let expiresAt: String
+    
+    enum CodingKeys: String, CodingKey {
+        case consentId = "id"
+        case requestedDetails = "requested_details"
+        case createdAt = "created_at"
+        case expiresAt = "expires_at"
+    }
+}
+
 public struct Auth0TelemetryInfo: Codable, Equatable {
     let appName: String
     let appVersion: String

Guardian/Crypto/JWT.swift

@@ -51,14 +51,22 @@ struct JWT<S: Codable> {
             }
         }
     }
-
+    
     struct Header: Codable {
         let algorithm: Algorithm
-        let type: String = "JWT"
+        let type: String
+        let jwk: RSAPublicJWK? // Optional field
 
         enum CodingKeys: String, CodingKey {
             case type = "typ"
             case algorithm = "alg"
+            case jwk
+        }
+        
+        init(algorithm: Algorithm, type: String = "JWT", jwk: RSAPublicJWK? = nil) {
+            self.algorithm = algorithm
+            self.type = type
+            self.jwk = jwk
         }
     }
 
@@ -80,15 +88,20 @@ struct JWT<S: Codable> {
 
     init(claimSet: S, algorithm: JWT.Algorithm = .rs256, key: SecKey) throws {
         let header = Header(algorithm: algorithm)
+        try self.init(claimSet:claimSet, header: header, key: key)
+    }
+    
+    init(claimSet: S, header:Header, key: SecKey) throws {
         let encoder = JSONEncoder()
         encoder.dateEncodingStrategy = .secondsSince1970
+        
         let headerPart = try encoder.encode(header).base64URLEncodedString()
         let claimSetPart = try encoder.encode(claimSet).base64URLEncodedString()
         let signableParts = "\(headerPart).\(claimSetPart)"
         guard let value = signableParts.data(using: .utf8) else {
             throw JWT.Error.cannotSign
         }
-        let signature = try algorithm.sign(value: value, key: key)
+        let signature = try header.algorithm.sign(value: value, key: key)
         let signaturePart = signature.base64URLEncodedString()
         self.header = header
         self.claimSet = claimSet
@@ -166,3 +179,19 @@ struct GuardianClaimSet: Codable, Equatable {
         case reason = "auth0_guardian_reason"
     }
 }
+
+struct DPoPClaimSet: Codable, Equatable {
+    let httpURI: String
+    let httpMethod: String
+    let accessTokenHash: String
+    let jti: String
+    let issuedAt: Date
+    
+    enum CodingKeys: String, CodingKey {
+        case httpURI = "htu"
+        case httpMethod = "htm"
+        case accessTokenHash = "ath"
+        case jti
+        case issuedAt = "iat"
+    }
+}