React native bridge for AppAuth - an SDK for communicating with OAuth2 providers
This version supports react-native@0.63+
. The last pre-0.63 compatible version is v5.1.3
.
React Native bridge for AppAuth-iOS and AppAuth-Android SDKS for communicating with OAuth 2.0 and OpenID Connect providers.
This library should support any OAuth provider that implements the OAuth2 spec.
We only support the Authorization Code Flow.
These providers are OpenID compliant, which means you can use autodiscovery.
- Identity Server4 (Example configuration)
- Identity Server3 (Example configuration)
- FusionAuth (Example configuration)
- Google (Example configuration)
- Okta (Example configuration)
- Keycloak (Example configuration)
- Azure Active Directory (Example configuration)
- AWS Cognito (Example configuration)
These providers implement the OAuth2 spec, but are not OpenID providers, which means you must configure the authorization and token endpoints yourself.
- Uber (Example configuration)
- Fitbit (Example configuration)
- Dropbox (Example configuration)
- Reddit (Example configuration)
- Coinbase (Example configuration)
- GitHub (Example configuration)
- Slack (Example configuration)
- Strava (Example configuration)
- Spotify (Example configuration)
- Unsplash (Example configuration)
AppAuth is a mature OAuth client implementation that follows the best practices set out in
RFC 8252 - OAuth 2.0 for Native Apps including using
SFAuthenticationSession
and SFSafariViewController
on iOS, and
Custom Tabs on
Android. WebView
s are explicitly not supported due to the security and usability reasons
explained in Section 8.12 of RFC 8252.
AppAuth also supports the PKCE ("Pixy") extension to OAuth which was created to secure authorization codes in public clients when custom URI scheme redirects are used.
To learn more, read this short introduction to OAuth and PKCE on the Formidable blog.
See Usage for example configurations, and the included Example application for a working sample.
This is the main function to use for authentication. Invoking this function will do the whole login flow and returns the access token, refresh token and access token expiry date when successful, or it throws an error when not successful.
import { authorize } from 'react-native-app-auth';
const config = {
issuer: '<YOUR_ISSUER_URL>',
clientId: '<YOUR_CLIENT_ID>',
redirectUrl: '<YOUR_REDIRECT_URL>',
scopes: ['<YOUR_SCOPES_ARRAY>'],
};
const result = await authorize(config);
ANDROID This will prefetch the authorization service configuration. Invoking this function is optional and will speed up calls to authorize. This is only supported on Android.
import { prefetchConfiguration } from 'react-native-app-auth';
const config = {
warmAndPrefetchChrome: true,
issuer: '<YOUR_ISSUER_URL>',
clientId: '<YOUR_CLIENT_ID>',
redirectUrl: '<YOUR_REDIRECT_URL>',
scopes: ['<YOUR_SCOPES_ARRAY>'],
};
prefetchConfiguration(config);
This is your configuration object for the client. The config is passed into each of the methods with optional overrides.
- issuer - (
string
) base URI of the authentication server. If noserviceConfiguration
(below) is provided, issuer is a mandatory field, so that the configuration can be fetched from the issuer's OIDC discovery endpoint. - serviceConfiguration - (
object
) you may manually configure token exchange endpoints in cases where the issuer does not support the OIDC discovery protocol, or simply to avoid an additional round trip to fetch the configuration. If noissuer
(above) is provided, the service configuration is mandatory.- authorizationEndpoint - (
string
) REQUIRED fully formed url to the OAuth authorization endpoint - tokenEndpoint - (
string
) REQUIRED fully formed url to the OAuth token exchange endpoint - revocationEndpoint - (
string
) fully formed url to the OAuth token revocation endpoint. If you want to be able to revoke a token and noissuer
is specified, this field is mandatory. - registrationEndpoint - (
string
) fully formed url to your OAuth/OpenID Connect registration endpoint. Only necessary for servers that require client registration. - endSessionEndpoint - (
string
) fully formed url to your OpenID Connect end session endpoint. If you want to be able to end a user's session and noissuer
is specified, this field is mandatory.
- authorizationEndpoint - (
- clientId - (
string
) REQUIRED your client id on the auth server - clientSecret - (
string
) client secret to pass to token exchange requests.⚠️ Read more about client secrets - redirectUrl - (
string
) REQUIRED the url that links back to your app with the auth code - scopes - (
array<string>
) the scopes for your token, e.g.['email', 'offline_access']
. - additionalParameters - (
object
) additional parameters that will be passed in the authorization request. Must be string values! E.g. settingadditionalParameters: { hello: 'world', foo: 'bar' }
would addhello=world&foo=bar
to the authorization request. - clientAuthMethod - (
string
) ANDROID Client Authentication Method. Can be eitherbasic
(default) for Basic Authentication orpost
for HTTP POST body Authentication - dangerouslyAllowInsecureHttpRequests - (
boolean
) ANDROID whether to allow requests over plain HTTP or with self-signed SSL certificates.⚠️ Can be useful for testing against local server, should not be used in production. This setting has no effect on iOS; to enable insecure HTTP requests, add a NSExceptionAllowsInsecureHTTPLoads exception to your App Transport Security settings. - customHeaders - (
object
) ANDROID you can specify custom headers to pass during authorize request and/or token request.- authorize - (
{ [key: string]: value }
) headers to be passed during authorization request. - token - (
{ [key: string]: value }
) headers to be passed during token retrieval request. - register - (
{ [key: string]: value }
) headers to be passed during registration request.
- authorize - (
- additionalHeaders - (
{ [key: string]: value }
) IOS you can specify additional headers to be passed for all authorize, refresh, and register requests. - useNonce - (
boolean
) (default: true) optionally allows not sending the nonce parameter, to support non-compliant providers - usePKCE - (
boolean
) (default: true) optionally allows not sending the code_challenge parameter and skipping PKCE code verification, to support non-compliant providers. - skipCodeExchange - (
boolean
) (default: false) just return the authorization response, instead of automatically exchanging the authorization code. This is useful if this exchange needs to be done manually (not client-side) - iosCustomBrowser - (
string
) (default: undefined) IOS override the used browser for authorization, used to open an external browser. If no value is provided, theSFAuthenticationSession
orSFSafariViewController
are used. - iosPrefersEphemeralSession - (
boolean
) (default:false
) IOS indicates whether the session should ask the browser for a private authentication session. - androidAllowCustomBrowsers - (
string[]
) (default: undefined) ANDROID override the used browser for authorization. If no value is provided, all browsers are allowed. - connectionTimeoutSeconds - (
number
) configure the request timeout interval in seconds. This must be a positive number. The default values are 60 seconds on iOS and 15 seconds on Android.
This is the result from the auth server:
- accessToken - (
string
) the access token - accessTokenExpirationDate - (
string
) the token expiration date - authorizeAdditionalParameters - (
Object
) additional url parameters from the authorizationEndpoint response. - tokenAdditionalParameters - (
Object
) additional url parameters from the tokenEndpoint response. - idToken - (
string
) the id token - refreshToken - (
string
) the refresh token - tokenType - (
string
) the token type, e.g. Bearer - scopes - ([
string
]) the scopes the user has agreed to be granted - authorizationCode - (
string
) the authorization code (only ifskipCodeExchange=true
) - codeVerifier - (
string
) the codeVerifier value used for the PKCE exchange (only if bothskipCodeExchange=true
andusePKCE=true
)
This method will refresh the accessToken using the refreshToken. Some auth providers will also give you a new refreshToken
import { refresh } from 'react-native-app-auth';
const config = {
issuer: '<YOUR_ISSUER_URL>',
clientId: '<YOUR_CLIENT_ID>',
redirectUrl: '<YOUR_REDIRECT_URL>',
scopes: ['<YOUR_SCOPES_ARRAY>'],
};
const result = await refresh(config, {
refreshToken: `<REFRESH_TOKEN>`,
});
This method will revoke a token. The tokenToRevoke can be either an accessToken or a refreshToken
import { revoke } from 'react-native-app-auth';
const config = {
issuer: '<YOUR_ISSUER_URL>',
clientId: '<YOUR_CLIENT_ID>',
redirectUrl: '<YOUR_REDIRECT_URL>',
scopes: ['<YOUR_SCOPES_ARRAY>'],
};
const result = await revoke(config, {
tokenToRevoke: `<TOKEN_TO_REVOKE>`,
includeBasicAuth: true,
sendClientId: true,
});
This method will logout a user, as per the OpenID Connect RP Initiated Logout specification. It requires an idToken
, obtained after successfully authenticating with OpenID Connect, and a URL to redirect back after the logout has been performed.
import { logout } from 'react-native-app-auth';
const config = {
issuer: '<YOUR_ISSUER_URL>',
};
const result = await logout(config, {
idToken: '<ID_TOKEN>',
postLogoutRedirectUrl: '<POST_LOGOUT_URL>',
});
This will perform dynamic client registration on the given provider.
If the provider supports dynamic client registration, it will generate a clientId
for you to use in subsequent calls to this library.
import { register } from 'react-native-app-auth';
const registerConfig = {
issuer: '<YOUR_ISSUER_URL>',
redirectUrls: ['<YOUR_REDIRECT_URL>', '<YOUR_OTHER_REDIRECT_URL>'],
};
const registerResult = await register(registerConfig);
- issuer - (
string
) same as in authorization config - serviceConfiguration - (
object
) same as in authorization config - redirectUrls - (
array<string>
) REQUIRED specifies all of the redirect urls that your client will use for authentication - responseTypes - (
array<string>
) an array that specifies which OAuth 2.0 response types your client will use. The default value is['code']
- grantTypes - (
array<string>
) an array that specifies which OAuth 2.0 grant types your client will use. The default value is['authorization_code']
- subjectType - (
string
) requests a specific subject type for your client - tokenEndpointAuthMethod (
string
) specifies whichclientAuthMethod
your client will use for authentication. The default value is'client_secret_basic'
- additionalParameters - (
object
) additional parameters that will be passed in the registration request. Must be string values! E.g. settingadditionalParameters: { hello: 'world', foo: 'bar' }
would addhello=world&foo=bar
to the authorization request. - dangerouslyAllowInsecureHttpRequests - (
boolean
) ANDROID same as in authorization config - customHeaders - (
object
) ANDROID same as in authorization config - connectionTimeoutSeconds - (
number
) configure the request timeout interval in seconds. This must be a positive number. The default values are 60 seconds on iOS and 15 seconds on Android.
This is the result from the auth server
- clientId - (
string
) the assigned client id - clientIdIssuedAt - (
string
) OPTIONAL date string of when the client id was issued - clientSecret - (
string
) OPTIONAL the assigned client secret - clientSecretExpiresAt - (
string
) date string of when the client secret expires, which will be provided ifclientSecret
is provided. Ifnew Date(clientSecretExpiresAt).getTime() === 0
, then the secret never expires - registrationClientUri - (
string
) OPTIONAL uri that can be used to perform subsequent operations on the registration - registrationAccessToken - (
string
) token that can be used at the endpoint given byregistrationClientUri
to perform subsequent operations on the registration. Will be provided ifregistrationClientUri
is provided
npm install react-native-app-auth --save
To setup the iOS project, you need to perform three steps:
This library depends on the native AppAuth-ios project. To keep the React Native library agnostic of your dependency management method, the native libraries are not distributed as part of the bridge.
AppAuth supports three options for dependency management.
-
CocoaPods
cd ios pod install
-
Carthage
With Carthage, add the following line to your
Cartfile
:github "openid/AppAuth-iOS" "master"
Then run
carthage update --platform iOS
.Drag and drop
AppAuth.framework
fromios/Carthage/Build/iOS
underFrameworks
inXcode
.Add a copy files build step for
AppAuth.framework
: open Build Phases on Xcode, add a new "Copy Files" phase, choose "Frameworks" as destination, addAppAuth.framework
and ensure "Code Sign on Copy" is checked. -
Static Library
You can also use AppAuth-iOS as a static library. This requires linking the library and your project and including the headers. Suggested configuration:
- Create an XCode Workspace.
- Add
AppAuth.xcodeproj
to your Workspace. - Include libAppAuth as a linked library for your target (in the "General -> Linked Framework and Libraries" section of your target).
- Add
AppAuth-iOS/Source
to your search paths of your target ("Build Settings -> "Header Search Paths").
If you intend to support iOS 10 and older, you need to define the supported redirect URL schemes in
your Info.plist
as follows:
<key>CFBundleURLTypes</key>
<array>
<dict>
<key>CFBundleURLName</key>
<string>com.your.app.identifier</string>
<key>CFBundleURLSchemes</key>
<array>
<string>io.identityserver.demo</string>
</array>
</dict>
</array>
CFBundleURLName
is any globally unique string. A common practice is to use your app identifier.CFBundleURLSchemes
is an array of URL schemes your app needs to handle. The scheme is the beginning of your OAuth Redirect URL, up to the scheme separator (:
) character. E.g. if your redirect uri iscom.myapp://oauth
, then the url scheme will iscom.myapp
.
You need to retain the auth session, in order to continue the authorization flow from the redirect. Follow these steps:
RNAppAuth
will call on the given app's delegate via [UIApplication sharedApplication].delegate
.
Furthermore, RNAppAuth
expects the delegate instance to conform to the protocol RNAppAuthAuthorizationFlowManager
.
Make AppDelegate
conform to RNAppAuthAuthorizationFlowManager
with the following changes to AppDelegate.h
:
+ #import "RNAppAuthAuthorizationFlowManager.h"
- @interface AppDelegate : UIResponder <UIApplicationDelegate, RCTBridgeDelegate>
+ @interface AppDelegate : UIResponder <UIApplicationDelegate, RCTBridgeDelegate, RNAppAuthAuthorizationFlowManager>
+ @property(nonatomic, weak)id<RNAppAuthAuthorizationFlowManagerDelegate>authorizationFlowManagerDelegate;
Add the following code to AppDelegate.m
(to support iOS <= 10, React Navigation deep linking and overriding browser behavior in the authorization process)
+ - (BOOL)application:(UIApplication *)app openURL:(NSURL *)url options:(NSDictionary<NSString *, id> *) options {
+ if ([self.authorizationFlowManagerDelegate resumeExternalUserAgentFlowWithURL:url]) {
+ return YES;
+ }
+ return [RCTLinkingManager application:app openURL:url options:options];
+ }
If you want to support universal links, add the following to AppDelegate.m
under continueUserActivity
+ if ([userActivity.activityType isEqualToString:NSUserActivityTypeBrowsingWeb]) {
+ if (self.authorizationFlowManagerDelegate) {
+ BOOL resumableAuth = [self.authorizationFlowManagerDelegate resumeExternalUserAgentFlowWithURL:userActivity.webpageURL];
+ if (resumableAuth) {
+ return YES;
+ }
+ }
+ }
The approach mentioned should work with Swift. In this case one should make AppDelegate
conform to RNAppAuthAuthorizationFlowManager
. Note that this is not tested/guaranteed by the maintainers.
Steps:
swift-Bridging-Header.h
should include a reference to#import "RNAppAuthAuthorizationFlowManager.h
, like so:
#import <React/RCTBundleURLProvider.h>
#import <React/RCTRootView.h>
#import <React/RCTBridgeDelegate.h>
#import <React/RCTBridge.h>
#import "RNAppAuthAuthorizationFlowManager.h" // <-- Add this header
#if DEBUG
#import <FlipperKit/FlipperClient.h>
// etc...
AppDelegate.swift
should implement theRNAppAuthorizationFlowManager
protocol and have a handler for url deep linking. The result should look something like this:
@UIApplicationMain
class AppDelegate: UIApplicationDelegate, RNAppAuthAuthorizationFlowManager { //<-- note the additional RNAppAuthAuthorizationFlowManager protocol
public weak var authorizationFlowManagerDelegate: RNAppAuthAuthorizationFlowManagerDelegate? // <-- this property is required by the protocol
//"open url" delegate function for managing deep linking needs to call the resumeExternalUserAgentFlowWithURL method
func application(
_ app: UIApplication,
open url: URL,
options: [UIApplicationOpenURLOptionsKey: Any] = [:]) -> Bool {
return authorizationFlowManagerDelegate?.resumeExternalUserAgentFlowWithURL(with: url) ?? false
}
}
Note: for RN >= 0.57, you will get a warning about compile being obsolete. To get rid of this warning, use patch-package to replace compile with implementation as in this PR - we're not deploying this right now, because it would break the build for RN < 57.
To setup the Android project, you need to add redirect scheme manifest placeholder:
To capture the authorization redirect,
add the following property to the defaultConfig in android/app/build.gradle
:
android {
defaultConfig {
manifestPlaceholders = [
appAuthRedirectScheme: 'io.identityserver.demo'
]
}
}
The scheme is the beginning of your OAuth Redirect URL, up to the scheme separator (:
) character. E.g. if your redirect uri
is com.myapp://oauth
, then the url scheme will is com.myapp
. The scheme must be in lowercase.
NOTE: When integrating with React Navigation deep linking, be sure to make this scheme (and the scheme in the config's redirectUrl) unique from the scheme defined in the deep linking intent-filter. E.g. if the scheme in your intent-filter is set to com.myapp
, then update the above scheme/redirectUrl to be com.myapp.auth
as seen here.
import { authorize } from 'react-native-app-auth';
// base config
const config = {
issuer: '<YOUR_ISSUER_URL>',
clientId: '<YOUR_CLIENT_ID>',
redirectUrl: '<YOUR_REDIRECT_URL>',
scopes: ['<YOUR_SCOPE_ARRAY>'],
};
// use the client to make the auth request and receive the authState
try {
const result = await authorize(config);
// result includes accessToken, accessTokenExpirationDate and refreshToken
} catch (error) {
console.log(error);
}
Values are in the code
field of the rejected Error object.
- OAuth Authorization error codes
- OAuth Access Token error codes
- OpendID Connect Registration error codes
service_configuration_fetch_error
- could not fetch the service configurationauthentication_failed
- user authentication failedtoken_refresh_failed
- could not exchange the refresh token for a new JWTregistration_failed
- could not registerbrowser_not_found
(Android only) - no suitable browser installed
Some authentication providers, including examples cited below, require you to provide a client secret. The authors of the AppAuth library
strongly recommend you avoid using static client secrets in your native applications whenever possible. Client secrets derived via a dynamic client registration are safe to use, but static client secrets can be easily extracted from your apps and allow others to impersonate your app and steal user data. If client secrets must be used by the OAuth2 provider you are integrating with, we strongly recommend performing the code exchange step on your backend, where the client secret can be kept hidden.
Having said this, in some cases using client secrets is unavoidable. In these cases, a clientSecret
parameter can be provided to authorize
/refresh
calls when performing a token request.
Recommendations on secure token storage can be found here.
Active: Formidable is actively working on this project, and we expect to continue for work for the foreseeable future. Bug reports, feature requests and pull requests are welcome.