auth0 · hzalaz · Dec 31, 2016 · Dec 22, 2016 · Dec 22, 2016 · Dec 29, 2016
diff --git a/Lock.xcodeproj/project.pbxproj b/Lock.xcodeproj/project.pbxproj
@@ -136,6 +136,7 @@
 		5FEEE81A1DB6AF3800B4DFED /* RuleSpec.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5FEEE8191DB6AF3800B4DFED /* RuleSpec.swift */; };
 		5FEEE81C1DB80D6800B4DFED /* PasswordPolicy.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5FEEE81B1DB80D6800B4DFED /* PasswordPolicy.swift */; };
 		5FEEE81E1DB84BBB00B4DFED /* PasswordPolicySpec.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5FEEE81D1DB84BBB00B4DFED /* PasswordPolicySpec.swift */; };
+		5FF0B2281E1726C400A73257 /* CredentialAuth.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5FF0B2271E1726C400A73257 /* CredentialAuth.swift */; };
 		5FFC54FE1D37E3F700579581 /* Routes.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5FFC54FD1D37E3F700579581 /* Routes.swift */; };
 		B73CCF98908698EC6FE6B978 /* PasswordPolicyValidatorSpec.swift in Sources */ = {isa = PBXBuildFile; fileRef = B73CCC32F59C19B95EC03F30 /* PasswordPolicyValidatorSpec.swift */; };
 /* End PBXBuildFile section */
@@ -319,6 +320,7 @@
 		5FEEE8191DB6AF3800B4DFED /* RuleSpec.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = RuleSpec.swift; sourceTree = "<group>"; };
 		5FEEE81B1DB80D6800B4DFED /* PasswordPolicy.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; name = PasswordPolicy.swift; path = Lock/PasswordPolicy.swift; sourceTree = SOURCE_ROOT; };
 		5FEEE81D1DB84BBB00B4DFED /* PasswordPolicySpec.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = PasswordPolicySpec.swift; sourceTree = "<group>"; };
+		5FF0B2271E1726C400A73257 /* CredentialAuth.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = CredentialAuth.swift; sourceTree = "<group>"; };
 		5FFC54FD1D37E3F700579581 /* Routes.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; name = Routes.swift; path = Lock/Routes.swift; sourceTree = SOURCE_ROOT; };
 		B73CCC32F59C19B95EC03F30 /* PasswordPolicyValidatorSpec.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = PasswordPolicyValidatorSpec.swift; sourceTree = "<group>"; };
 /* End PBXFileReference section */
@@ -526,6 +528,7 @@
 				5F92C68E1D50EAC200CCE6C0 /* LazyImage.swift */,
 				5F1456591D5130E80085DF9C /* Colors.swift */,
 				5F390E861D638A6D00FC549C /* Logger.swift */,
+				5FF0B2271E1726C400A73257 /* CredentialAuth.swift */,
 			);
 			name = Utils;
 			path = Lock;
@@ -941,6 +944,7 @@
 				5BB4A7C11DF9A38E008E8C37 /* DatabaseView.swift in Sources */,
 				5F70F1E71D790773004698DA /* OptionBuildable.swift in Sources */,
 				5FBE5CB81D3D8F030038536D /* User.swift in Sources */,
+				5FF0B2281E1726C400A73257 /* CredentialAuth.swift in Sources */,
 				5F99AA861D1B0BF100D27842 /* Resources.swift in Sources */,
 				5F2496B81D665AC500A1C6E2 /* UserAttribute.swift in Sources */,
 				5F70F1DF1D7904A3004698DA /* ConnectionBuildable.swift in Sources */,

diff --git a/Lock/Auth0OAuth2Interactor.swift b/Lock/Auth0OAuth2Interactor.swift
@@ -32,10 +32,16 @@ struct Auth0OAuth2Interactor: OAuth2Authenticatable {
     func login(_ connection: String, callback: @escaping (OAuth2AuthenticatableError?) -> ()) {
         var parameters: [String: String] = [:]
         self.options.parameters.forEach { parameters[$0] = "\($1)" }
-        self.webAuth
+        var auth = self.webAuth
             .connection(connection)
             .scope(self.options.scope)
             .parameters(parameters)
+
+        if let audience = self.options.audience {
+            auth = auth.audience(audience)
+        }
+
+        auth
             .start { result in
                 switch result {
                 case .success(let credentials):

diff --git a/Lock/CredentialAuth.swift b/Lock/CredentialAuth.swift
@@ -0,0 +1,51 @@
+// CredentialAuth.swift
+//
+// Copyright (c) 2016 Auth0 (http://auth0.com)
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+
+import Foundation
+import Auth0
+
+struct CredentialAuth {
+
+    let oidc: Bool
+    let realm: String
+    let authentication: Authentication
+
+    func request(withIdentifier identifier: String, password: String, options: Options) -> Request<Credentials, AuthenticationError> {
+        if oidc {
+            return self.authentication.login(
+                usernameOrEmail: identifier,
+                password: password,
+                realm: realm,
+                audience: options.audience,
+                scope: options.scope
+            )
+        } else {
+            return self.authentication.login(
+                usernameOrEmail: identifier,
+                password: password,
+                connection: realm,
+                scope: options.scope,
+                parameters: options.parameters
+            )
+        }
+    }
+}
diff --git a/Lock/DatabaseInteractor.swift b/Lock/DatabaseInteractor.swift
@@ -39,15 +39,15 @@ struct DatabaseInteractor: DatabaseAuthenticatable, DatabaseUserCreator, Loggabl
     var passwordValidator: InputValidator { return self.connection.passwordValidator }
     var requiredValidator = NonEmptyValidator()
 
-    let authentication: Authentication
+    let credentialAuth: CredentialAuth
     let connection: DatabaseConnection
     let emailValidator: InputValidator = EmailValidator()
     let onAuthentication: (Credentials) -> ()
     let options: Options
     let customFields: [String: CustomTextField]
 
     init(connection: DatabaseConnection, authentication: Authentication, user: DatabaseUser, options: Options, callback: @escaping (Credentials) -> ()) {
-        self.authentication = authentication
+        self.credentialAuth = CredentialAuth(oidc: options.oidcConformant, realm: connection.name, authentication: authentication)
         self.connection = connection
         self.onAuthentication = callback
         self.user = user
@@ -97,14 +97,8 @@ struct DatabaseInteractor: DatabaseAuthenticatable, DatabaseUserCreator, Loggabl
 
         guard let password = self.password, self.validPassword else { return callback(.nonValidInput) }
 
-        self.authentication
-            .login(
-                usernameOrEmail: identifier,
-                password: password,
-                connection: self.connection.name,
-                scope: self.options.scope,
-                parameters: self.options.parameters
-            )
+        self.credentialAuth
+            .request(withIdentifier: identifier, password: password, options: self.options)
             .start { self.handle(result: $0, callback: callback) }
     }
 
@@ -121,15 +115,9 @@ struct DatabaseInteractor: DatabaseAuthenticatable, DatabaseUserCreator, Loggabl
         let username = connection.requiresUsername ? self.username : nil
         let metadata: [String: String]? = self.user.additionalAttributes.isEmpty ? nil : self.user.additionalAttributes
 
-        let authentication = self.authentication
-        let login = authentication.login(
-                usernameOrEmail: email,
-                password: password,
-                connection: databaseName,
-                scope: self.options.scope,
-                parameters: self.options.parameters
-            )
-        authentication
+        let login = self.credentialAuth.request(withIdentifier: email, password: password, options: self.options)
+        self.credentialAuth
+            .authentication
             .createUser(
                 email: email,
                 username: username,
@@ -154,7 +142,7 @@ struct DatabaseInteractor: DatabaseAuthenticatable, DatabaseUserCreator, Loggabl
                 case .failure:
                     callback(.couldNotCreateUser, nil)
                 }
-            }
+        }
     }
 
     private mutating func update(email: String?) -> Error? {

diff --git a/Lock/EnterpriseActiveAuthInteractor.swift b/Lock/EnterpriseActiveAuthInteractor.swift
@@ -39,7 +39,7 @@ struct EnterpriseActiveAuthInteractor: DatabaseAuthenticatable, Loggable {
     let emailValidator: InputValidator = EmailValidator()
     let passwordValidator: InputValidator = NonEmptyValidator()
 
-    let authentication: Authentication
+    let authentication: CredentialAuth
     let onAuthentication: (Credentials) -> ()
     let options: Options
     let user: User
@@ -48,7 +48,7 @@ struct EnterpriseActiveAuthInteractor: DatabaseAuthenticatable, Loggable {
     let identifierAttribute: UserAttribute
 
     init(connection: EnterpriseConnection, authentication: Authentication, user: User, options: Options, callback: @escaping (Credentials) -> ()) {
-        self.authentication = authentication
+        self.authentication = CredentialAuth(oidc: options.oidcConformant, realm: connection.name, authentication: authentication)
         self.connection = connection
         self.onAuthentication = callback
         self.user = user
@@ -118,13 +118,7 @@ struct EnterpriseActiveAuthInteractor: DatabaseAuthenticatable, Loggable {
         guard let password = self.password, self.validPassword else { return callback(.nonValidInput) }
 
         self.authentication
-            .login(
-                usernameOrEmail: identifier,
-                password: password,
-                connection: self.connection.name,
-                scope: self.options.scope,
-                parameters: self.options.parameters
-            )
+            .request(withIdentifier: identifier, password: password, options: self.options)
             .start { self.handleLoginResult($0, callback: callback) }
     }
 

diff --git a/Lock/LockOptions.swift b/Lock/LockOptions.swift
@@ -40,4 +40,7 @@ struct LockOptions: OptionBuildable {
     // Enterprise
     var activeDirectoryEmailAsUsername: Bool = false
     var enterpriseConnectionUsingActiveAuth: [String] = []
+
+    var oidcConformant: Bool = false
+    var audience: String? = nil
 }
diff --git a/Lock/MultifactorInteractor.swift b/Lock/MultifactorInteractor.swift
@@ -35,11 +35,14 @@ struct MultifactorInteractor: MultifactorAuthenticatable {
 
     private let validator = OneTimePasswordValidator()
 
-    init(user: DatabaseUser, authentication: Authentication, connection: DatabaseConnection, callback: @escaping (Credentials) -> ()) {
+    private let options: Options
+
+    init(user: DatabaseUser, authentication: Authentication, connection: DatabaseConnection, options: Options, callback: @escaping (Credentials) -> ()) {
         self.user = user
         self.authentication = authentication
         self.connection = connection
         self.onAuthentication = callback
+        self.options = options
     }
 
     mutating func setMultifactorCode(_ code: String?) throws {
@@ -65,9 +68,17 @@ struct MultifactorInteractor: MultifactorAuthenticatable {
         guard let password = self.user.password, self.user.validPassword else { return callback(.nonValidInput) }
         guard let code = self.code, self.validCode else { return callback(.nonValidInput) }
         let database = self.connection.name
-        self.authentication
-            .login(usernameOrEmail: identifier, password: password, multifactorCode: code, connection: database)
-            .start { result in
+
+        // FIXME: MFA support for password-realm
+        guard !self.options.oidcConformant else { return callback(.couldNotLogin) }
+        authentication.login(
+                usernameOrEmail: identifier,
+                password: password,
+                multifactorCode: code,
+                connection: database,
+                scope: self.options.scope,
+                parameters: self.options.parameters
+            ).start { result in
                 switch result {
                 case .failure(let cause as AuthenticationError) where cause.isMultifactorCodeInvalid:
                     callback(.multifactorInvalid)
@@ -77,7 +88,6 @@ struct MultifactorInteractor: MultifactorAuthenticatable {
                     callback(nil)
                     self.onAuthentication(credentials)
                 }
-            }
-
+        }
     }
 }
diff --git a/Lock/OptionBuildable.swift b/Lock/OptionBuildable.swift
@@ -72,6 +72,12 @@ public protocol OptionBuildable: Options {
 
         /// Should an enterprise connection use credentials instead of WebAuth.  By default enterprise connections use WebAuth
     var enterpriseConnectionUsingActiveAuth: [String] { get set }
+
+        /// Specifies if Lock should use OIDC conformant authentication endpoints. By default is false
+    var oidcConformant: Bool { get set }
+
+        /// Specify the intended resource server of the token. By default no audience is specified.
+    var audience: String? { get set }
 }
 
 internal extension OptionBuildable {

diff --git a/Lock/Options.swift b/Lock/Options.swift
@@ -42,4 +42,7 @@ public protocol Options {
     // Enterprise
     var activeDirectoryEmailAsUsername: Bool { get }
     var enterpriseConnectionUsingActiveAuth: [String] { get }
+
+    var oidcConformant: Bool { get }
+    var audience: String? { get }
 }
diff --git a/Lock/Router.swift b/Lock/Router.swift
@@ -146,7 +146,7 @@ class Router: Navigable {
             return nil
         }
         let authentication = self.lock.authentication
-        let interactor = MultifactorInteractor(user: self.user, authentication: authentication, connection: database, callback: self.onAuthentication)
+        let interactor = MultifactorInteractor(user: self.user, authentication: authentication, connection: database, options: self.lock.options, callback: self.onAuthentication)
         let presenter = MultifactorPresenter(interactor: interactor, connection: database)
         presenter.customLogger = self.lock.logger
         return presenter

diff --git a/LockTests/Interactors/Auth0OAuth2InteractorSpec.swift b/LockTests/Interactors/Auth0OAuth2InteractorSpec.swift
@@ -30,14 +30,18 @@ class Auth0OAuth2InteractorSpec: QuickSpec {
 
     override func spec() {
 
-        var interactor: Auth0OAuth2Interactor!
         var webAuth: MockWebAuth!
         var credentials: Credentials?
+        var options: LockOptions!
+
+        var interactor: Auth0OAuth2Interactor {
+            return Auth0OAuth2Interactor(webAuth: webAuth, onCredentials: {credentials = $0}, options: options)
+        }
 
         beforeEach {
             credentials = nil
             webAuth = MockWebAuth()
-            interactor = Auth0OAuth2Interactor(webAuth: webAuth, onCredentials: {credentials = $0}, options: LockOptions())
+            options = LockOptions()
         }
 
         describe("login") {
@@ -58,11 +62,21 @@ class Auth0OAuth2InteractorSpec: QuickSpec {
                 expect(webAuth.scope) == "openid"
             }
 
+            it("should not set audience if nil") {
+                options.audience = nil
+                interactor.login("facebook", callback: { _ in })
+                expect(webAuth.audience).to(beNil())
+            }
+
+            it("should set audience") {
+                options.audience = "https://myapi.com/v1"
+                interactor.login("facebook", callback: { _ in })
+                expect(webAuth.audience) == "https://myapi.com/v1"
+            }
+
             it("should set parameters") {
                 let state = UUID().uuidString
-                var options = LockOptions()
                 options.parameters = ["state": state as Any]
-                interactor = Auth0OAuth2Interactor(webAuth: webAuth, onCredentials: {credentials = $0}, options: options)
                 interactor.login("facebook", callback: { _ in })
                 expect(webAuth.params["state"]) == state
             }