
appauth-ios's Issues

Race condition occurs after user fails to authenticate properly

If a user logs in properly the first time, then everything works fine. However, if a user hits "Done" rather than signing in properly, then the next time they go to sign in, we just spin after calling

appDelegate.currentAuthorizationFlow = [OIDAuthState authStateByPresentingAuthorizationRequest:request presentingViewController:self callback:^(OIDAuthState *_Nullable authState, NSError *_Nullable error)

If you force the OS to trap during this process (either by setting a breakpoint or logging), then everything works properly. I have structured my code almost identically to the AppAuthExample project linked in this repository; the only difference is that mine is not calling this from my main window.

Support JWT decoding and validation

Support validating JWTs and extracting their claims as a map. This will require the ability to either dynamically use the jwks_uri keys provided by the provider's discovery document, or a set of acceptable keys provided by the developer.

Misleading specification

README file mentions iOS 7 and macOS 10.8 as supported versions.
My configuration is OS X 10.9 with Xcode 6.2 (iOS 8.2 SDK installed).

Since Xcode 6.x (and below) doesn't support new Objective-C features, such as "nullable",
"__nullable", "NS_ASSUME_NONNULL_BEGIN/END" and NSArray/NSDictionary generics,
the project cannot be compiled with this version. Hence the minimum macOS requirement
should really be 10.10 (which is Xcode 7's requirement).

The minimum requirement for iOS should really be iOS 9.x, since you cannot
successfully compile the project without the iOS 9 SDK installed because of the "SFSafariViewController / SFSafariViewControllerDelegate" dependency.

Cheers, Dmitry.

Support "ui_locales" OpenID Connect auth request parameter

OpenID Connect Core 1.0, Section 3.1.2.1, ui_locales parameter:

OPTIONAL. End-User's preferred languages and scripts for the user interface, represented as a space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For instance, the value "fr-CA fr en" represents a preference for French as spoken in Canada, then French (without a region designation), followed by English (without a region designation). An error SHOULD NOT result if some or all of the requested locales are not supported by the OpenID Provider.

Swift Package Manager support

Hi,

As proposed for Carthage in #25, it'd be great to have support for the Swift Package Manager. Is that something you'd consider adding soon? Otherwise I'm happy to make the changes and submit a PR (already signed the agreement!).

Cheers!

Add support for additionalParameters when refreshing token using withFreshTokensPerformAction:

Hello,

There doesn't seem to be a way to supply additional parameters when refreshing tokens using the recommended [OIDAuthState withFreshTokensPerformAction:] method.

Currently the manual way to achieve this is to obtain a request with [OIDAuthState tokenRefreshRequestWithAdditionalParameters:], perform the request with [OIDAuthorizationService performTokenRequest:callback:], and then update the auth state with [OIDAuthState updateWithTokenResponse:].

Doing this seems to go against the documentation to use [OIDAuthState withFreshTokensPerformAction:] to refresh tokens. I just wasn't sure if there was a reason to not include a method capable of performing this action in the more preferred way.

I've taken a stab at the functionality inside this PR: #49

Support "login_hint" OpenID Connect auth request parameter

OpenID Connect Core 1.0, Section 3.1.2.1, login_hint parameter:

OPTIONAL. Hint to the Authorization Server about the login identifier the End-User might use to log in (if necessary). This hint can be used by an RP if it first asks the End-User for their e-mail address (or other identifier) and then wants to pass that value as a hint to the discovered authorization service. It is RECOMMENDED that the hint value match the value used for discovery. This value MAY also be a phone number in the format specified for the phone_number Claim. The use of this parameter is left to the OP's discretion.

OSX support

Hey!

We're working on OSX support over at https://github.com/equinux/AppAuth-iOS.
Is there any chance we could get our changes merged into this repo (and change the name to AppAuth only)?
Alternatively, we could extract the platform-independent parts into a separate pod AppAuth-Core and create a new pod AppAuth-Mac that depends on it.

What do you think?

/cc @DarkDust

If user clicks on deny error code is incorrect

If the user clicks on Deny, the expected code is OIDErrorCodeOAuthAccessDenied, but we actually get OIDErrorCodeOAuthAuthorizationClientError, because this condition is always true in that case and it replaces the original error:

  if (!OIDIsEqualIncludingNil(_request.state, response.state)) {
    NSMutableDictionary *userInfo = [query.dictionaryValue mutableCopy];
    userInfo[NSLocalizedFailureReasonErrorKey] =
        [NSString stringWithFormat:@"State mismatch, expecting %@ but got %@ in authorization "
                                    "response %@",
                                   _request.state,
                                   response.state,
                                   response];
    response = nil;
    error = [NSError errorWithDomain:OIDOAuthAuthorizationErrorDomain
                                code:OIDErrorCodeOAuthAuthorizationClientError
                            userInfo:userInfo];
  }
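As an added illustration of the ordering problem described in this issue (example code, not AppAuth's own), the following Python handler parses the authorization response delivered on the redirect URI. It checks for an RFC 6749 section 4.1.2.1 error response (a Deny click yields error=access_denied) before doing anything that assumes a successful response exists, so the server's reason reaches the caller instead of being overwritten by a state-mismatch verdict on a response that was never built. The error-code names and the myapp:// redirect URIs are this example's own.

```python
"""Added example (not AppAuth's code): parse an OAuth 2.0 authorization
response so that a server-reported error (e.g. access_denied from a Deny
click) is surfaced as such, while a missing or wrong state still cannot
yield an authorization code. Error-code names are hypothetical."""
import hmac
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Hypothetical error codes standing in for the library's enum values.
ERR_ACCESS_DENIED = "OAuthAccessDenied"             # user declined consent
ERR_SERVER_ERROR = "OAuthServerError"               # any other RFC 6749 4.1.2.1 error
ERR_CLIENT_ERROR = "OAuthAuthorizationClientError"  # malformed response, state mismatch


@dataclass
class AuthorizationResult:
    code: Optional[str] = None    # authorization code on success
    error: Optional[str] = None   # one of the ERR_* values on failure
    reason: Optional[str] = None  # human-readable failure reason


def _single(params: dict, key: str) -> Optional[str]:
    """Return the first value of a query parameter, or None if absent."""
    values = params.get(key)
    return values[0] if values else None


def handle_authorization_response(expected_state: str, redirect_url: str) -> AuthorizationResult:
    params = parse_qs(urlparse(redirect_url).query, keep_blank_values=True)

    returned_state = _single(params, "state")
    # Constant-time comparison; a missing state never matches.
    state_ok = returned_state is not None and hmac.compare_digest(
        expected_state.encode(), returned_state.encode())

    # An error response carries "error" and no code. Evaluate it before the
    # state verdict so the server's stated cause is what the caller sees.
    server_error = _single(params, "error")
    if server_error is not None:
        mapped = ERR_ACCESS_DENIED if server_error == "access_denied" else ERR_SERVER_ERROR
        reason = _single(params, "error_description") or server_error
        if not state_ok:
            reason += " (state in error response did not match the request)"
        return AuthorizationResult(error=mapped, reason=reason)

    if not state_ok:
        return AuthorizationResult(
            error=ERR_CLIENT_ERROR,
            reason=f"State mismatch, expecting {expected_state} but got {returned_state}",
        )
    code = _single(params, "code")
    if code is None:
        return AuthorizationResult(error=ERR_CLIENT_ERROR,
                                   reason="Response carries neither code nor error")
    return AuthorizationResult(code=code)


if __name__ == "__main__":
    # Constructed redirect URLs; the first is what a Deny click produces.
    print(handle_authorization_response("s1", "myapp://cb?error=access_denied&state=s1"))
    print(handle_authorization_response("s1", "myapp://cb?code=c0de&state=s1"))
    print(handle_authorization_response("s1", "myapp://cb?code=c0de&state=other"))
```

A successful response with a wrong or absent state is still rejected as a client error, which is the CSRF protection the state check exists for; only the error branch changes its precedence.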

Support "registration" OpenID Connect auth request parameter

OpenID Connect Core 1.0, Section 7.2.1, registration parameter:

OPTIONAL. This parameter is used by the Client to provide information about itself to a Self-Issued OP that would normally be provided to an OP during Dynamic Client Registration. The value is a JSON object containing Client metadata values, as defined in Section 2.1 of the OpenID Connect Dynamic Client Registration 1.0 specification. The registration parameter SHOULD NOT be used when the OP is not a Self-Issued OP.

SFSafariViewController does not cache authentication cookies in iOS 10

I have integrated the AppAuth library into my app and I see that SSO is not working with iOS 10. I tried with the example app, and SFSafariViewController asks for credentials every time I click on the Re-authorize button. I am not seeing this in iOS 9 though.

Has anyone experienced the same issue?

Support "claims" OpenID Connect auth request parameter

OpenID Connect Core 1.0, Section 5.5, claims parameter:

OPTIONAL. This parameter is used to request that specific Claims be returned. The value is a JSON object listing the requested Claims.

An example Claims request is as follows:

{
  "userinfo":
  {
      "given_name": {"essential": true},
      "nickname": null,
      "email": {"essential": true},
      "email_verified": {"essential": true},
      "picture": null,
      "http://example.info/claims/groups": null
  },
  "id_token":
  {
      "auth_time": {"essential": true},
      "acr": {"values": ["urn:mace:incommon:iap:silver"] }
  }
}

Plans for Swift 3?

Are there any plans for a version of AppAuth-iOS in Swift? I understand that a lot of organizations are still waiting to support Swift. If there aren't any plans by openid to support Swift, I'd like to start a discussion to find out what the reasons behind that decision may be. I'd also like to find volunteers (of which I'd be one) who might be willing to commit some time to creating either a Swift branch or a new Swift repo. I think it would make sense to start with a swift3 branch and, if it progresses enough, we could break it out into its own repo. Of course, this would duplicate efforts to introduce new enhancements, but I strongly believe that having a purely-Swift version of AppAuth-iOS would greatly increase community interest. A lot of Objective-C projects are being ignored categorically these days.

Thoughts?

Support "id_token_hint" OpenID Connect auth request parameter

OpenID Connect Core 1.0, Section 3.1.2.1, id_token_hint parameter:

OPTIONAL. ID Token previously issued by the Authorization Server being passed as a hint about the End-User's current or past authenticated session with the Client. If the End-User identified by the ID Token is logged in or is logged in by the request, then the Authorization Server returns a positive response; otherwise, it SHOULD return an error, such as login_required. When possible, an id_token_hint SHOULD be present when prompt=none is used and an invalid_request error MAY be returned if it is not; however, the server SHOULD respond successfully when possible, even if it is not present. The Authorization Server need not be listed as an audience of the ID Token when it is used as an id_token_hint value.

If the ID Token received by the RP from the OP is encrypted, to use it as an id_token_hint, the Client MUST decrypt the signed ID Token contained within the encrypted ID Token. The Client MAY re-encrypt the signed ID token to the Authentication Server using a key that enables the server to decrypt the ID Token, and use the re-encrypted ID token as the id_token_hint value.

Conflicting nullability specifier warnings

There are couple of warnings when bridging the library with Swift 3 (Xcode 8)

AppAuth-iOS/Source/OIDAuthState.h:144:1: warning: conflicting nullability specifier on return types, 'nullable' conflicts with existing specifier 'nonnull'
- (nullable instancetype)init NS_UNAVAILABLE;
^
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/iPhoneSimulator10.1.sdk/usr/include/objc/NSObject.h:60:1: note: previous declaration is here
- (instancetype)init
^

AppAuth-iOS/Source/OIDAuthorizationResponse.h:106:1: warning: conflicting nullability specifier on return types, 'nullable' conflicts with existing specifier 'nonnull'
- (nullable instancetype)init NS_UNAVAILABLE;
^
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/iPhoneSimulator10.1.sdk/usr/include/objc/NSObject.h:60:1: note: previous declaration is here
- (instancetype)init
^

AppAuth-iOS/Source/OIDAuthorizationService.h:84:1: warning: conflicting nullability specifier on return types, 'nullable' conflicts with existing specifier 'nonnull'
- (nullable instancetype)init NS_UNAVAILABLE;
^
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/iPhoneSimulator10.1.sdk/usr/include/objc/NSObject.h:60:1: note: previous declaration is here
- (instancetype)init
^

AppAuth-iOS/Source/OIDServiceDiscovery.h:358:1: warning: conflicting nullability specifier on return types, 'nullable' conflicts with existing specifier 'nonnull'
- (nullable instancetype)init NS_UNAVAILABLE;
^
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/iPhoneSimulator10.1.sdk/usr/include/objc/NSObject.h:60:1: note: previous declaration is here
- (instancetype)init
^

AppAuth-iOS/Source/OIDTokenRequest.h:114:1: warning: conflicting nullability specifier on return types, 'nullable' conflicts with existing specifier 'nonnull'
- (nullable instancetype)init NS_UNAVAILABLE;
^
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/iPhoneSimulator10.1.sdk/usr/include/objc/NSObject.h:60:1: note: previous declaration is here
- (instancetype)init
^

AppAuth-iOS/Source/OIDTokenResponse.h:97:1: warning: conflicting nullability specifier on return types, 'nullable' conflicts with existing specifier 'nonnull'
- (nullable instancetype)init NS_UNAVAILABLE;
^
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/iPhoneSimulator10.1.sdk/usr/include/objc/NSObject.h:60:1: note: previous declaration is here
- (instancetype)init
^

Some other initializers also have questionable nullability specifiers, e.g.
OIDTokenRequest:

- (nullable instancetype)initWithConfiguration:(OIDServiceConfiguration *)configuration …

This initializer should be marked as nullable only when there are some circumstances where the initializer can return nil, which is not the case here. This initializer always returns value from NSObject’s init, which never returns nil:
https://developer.apple.com/reference/objectivec/nsobject/1418641-init

With the current annotations, many initializers are marked as "failable" in Swift, e.g.:
let tokenRequest = OIDTokenRequest(…)
initializes the token request as an optional and requires unnecessary unwrapping.

Support "nonce" OpenID Connect auth request parameter

OpenID Connect Core 1.0, Section 3.1.2.1, "nonce" parameter:

OPTIONAL. String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. Sufficient entropy MUST be present in the nonce values used to prevent attackers from guessing values. For implementation notes, see Section 15.5.2.

Section 3.2.2.1, "Authentication Request" specifies that this parameter is REQUIRED for implicit flow authentication requests (those with response type id_token or id_token token).
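To show what the nonce buys a client, and to cover the JWT validation asked for in the "Support JWT decoding and validation" issue above, here is an added Python example (not AppAuth's code). It generates a nonce from the OS CSPRNG, sends it out as the nonce= request parameter, and accepts an ID token only when its signature, issuer, audience and expiry check out and its nonce claim equals the one this client issued, so a token captured from another session is rejected. The token is HS256-signed with a constructed shared secret purely to keep the example self-contained; a real relying party verifies the OP's asymmetric signature with the keys from jwks_uri. The issuer URL, client id and all function names are this example's own.

```python
"""Added example (not AppAuth's code): nonce generation, ID token
validation (OIDC Core 3.1.3.7 checks) and single-use nonce tracking.
HS256 with a constructed secret stands in for the OP's real signature."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def new_nonce(nbytes: int = 32) -> str:
    """256 bits from the OS CSPRNG: unguessable, as OIDC Core 15.5.2 requires."""
    return secrets.token_urlsafe(nbytes)


def sign_id_token_hs256(claims: dict, secret: bytes) -> str:
    """Stand-in for the OP: mint a compact JWS over the claims (HS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


class IdTokenError(Exception):
    pass


def validate_id_token(token: str, secret: bytes, issuer: str, client_id: str,
                      expected_nonce: str, now: Optional[float] = None) -> dict:
    """Return the claims if the token is authentic, current, addressed to us
    and bound to expected_nonce; raise IdTokenError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("malformed JWT")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the header's choice
        raise IdTokenError("unexpected alg")
    expected_sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise IdTokenError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer:
        raise IdTokenError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in ([aud] if isinstance(aud, str) else (aud or [])):
        raise IdTokenError("audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise IdTokenError("token expired or exp missing")
    nonce = claims.get("nonce")
    if not isinstance(nonce, str) or not hmac.compare_digest(nonce.encode(), expected_nonce.encode()):
        raise IdTokenError("nonce mismatch")
    return claims


class PendingNonces:
    """Nonces issued for requests that have not completed yet; each is consumed once."""

    def __init__(self) -> None:
        self._pending: set = set()

    def issue(self) -> str:
        nonce = new_nonce()
        self._pending.add(nonce)
        return nonce

    def consume(self, nonce: str) -> bool:
        """True exactly once per issued nonce; a replayed nonce returns False."""
        try:
            self._pending.remove(nonce)
            return True
        except KeyError:
            return False


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed for the demo only
    pending = PendingNonces()
    nonce = pending.issue()                # sent as the nonce= request parameter
    token = sign_id_token_hs256({"iss": "https://op.example", "aud": "client-1", "sub": "user-42",
                                 "iat": 1700000000, "exp": 1700003600, "nonce": nonce}, secret)
    if pending.consume(nonce):
        print(validate_id_token(token, secret, "https://op.example", "client-1",
                                nonce, now=1700000010)["sub"])
```

The nonce comparison is constant-time and the pending set is consumed on first use, so neither a guessed nonce nor a second presentation of the same ID token passes; for the implicit and hybrid flows, where the ID token arrives in the front channel, this check is the only session binding the client has.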

Unable to login with AppStore version. Same Release build Adhoc works fine

Is there any reason that the AppStore build would not behave the same as another Release build that is used for AdHoc? I'm getting this error from my authentication site's login page after submitting the credentials or continuing if the cookies are there. The difference between the two is only CodeSigning, and also being distributed via TestFlight in #Appstore.

"The operation couldn't be completed. (org.openid.appauth.general error -5.)"

Any help is greatly appreciated!

Auth error: State mismatch

Hi,

I've been following the links below as a basis for using AppAuth to authenticate against IdentityServer:

https://github.com/kamaldheeraj/AppAuthSampleSwift
https://github.com/jchnxu/TestOIDAppAuth-iOS

One slight difference:

  • I'm using hybrid flow so my response type is "code id_token token"

When I launch the app I get my login screen and authentication looks like it is working as expected in the server logs.

When I break in the section below the url value appears to include all of the relevant info:

func application(
    _ app: UIApplication,
    open url: URL,
    options: [UIApplicationOpenURLOptionsKey: Any] = [:]) -> Bool {

    // Hand the redirect to the pending flow; guard against a nil flow instead of force-unwrapping.
    if let flow = currentAuthorizationFlow, flow.resumeAuthorizationFlow(with: url) {
        currentAuthorizationFlow = nil
        return true
    }

    return false
}

But when I get to the section below, authState is nil and I get the error - Auth error: State mismatch, expecting [STATE] but got (null) in authorization response (null)

appDelegate.currentAuthorizationFlow = OIDAuthState.authState(
    byPresenting: request,
    presenting: self,
    callback: { (authState, error) in
        if let authState = authState {
            self.assignAuthState(authState: authState)
            // The access token may be absent depending on the token response; avoid force-unwrapping.
            let accessToken = authState.lastTokenResponse?.accessToken ?? "(none)"
            self.logMessage("Got authorization tokens. Access token: \(accessToken)")
        } else {
            self.logMessage("Auth error: \(error?.localizedDescription ?? "unknown error")")
            self.assignAuthState(authState: nil)
        }
    })

I'm new to Xcode / Swift so I'm probably missing something obvious. Any suggestions?

Support "max_age" OpenID Connect auth request parameter

OpenID Connect Core 1.0, Section 3.1.2.1, max_age parameter:

OPTIONAL. Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OP. If the elapsed time is greater than this value, the OP MUST attempt to actively re-authenticate the End-User. (The max_age request parameter corresponds to the OpenID 2.0 PAPE max_auth_age request parameter). When max_age is used, the ID Token returned MUST include an auth_time Claim Value.

Remove offline permission screen

I'm a novice iOS developer. I would like to remove the offline permission screen during authentication with Google. It's a simple application, and I don't need to do anything offline. My users feel weird about this screen.

The scopes I'm using are [OIDScopeOpenID, OIDScopeEmail, OIDScopeProfile]. I'm using the discovery API with additionalParameters: ["access_type": "online", "prompt": "select_account"].

On the Ruby side, I'm using https://github.com/zquestz/omniauth-google-oauth2/, and it works out of the box with the same scopes and the same parameters.

Please help me ....

Support "display" OpenID Connect auth request parameter

OpenID Connect Core 1.0, Section 3.1.2.1, "display" parameter:

OPTIONAL. ASCII string value that specifies how the Authorization Server displays the authentication and consent user interface pages to the End-User. The defined values are:

page
The Authorization Server SHOULD display the authentication and consent UI consistent with a full User Agent page view. If the display parameter is not specified, this is the default display mode.

popup
The Authorization Server SHOULD display the authentication and consent UI consistent with a popup User Agent window. The popup User Agent window should be of an appropriate size for a login-focused dialog and should not obscure the entire window that it is popping up over.

touch
The Authorization Server SHOULD display the authentication and consent UI consistent with a device that leverages a touch interface.

wap
The Authorization Server SHOULD display the authentication and consent UI consistent with a "feature phone" type display.

Browser Title Bar method?

I noticed from the answers to this question on the Android library (openid/AppAuth-Android#71) that the use of urn:ietf:wg:oauth:2.0:oob is a hack. Does this library support the browser title bar method at all? I'm trying to use the MSGraph API and unfortunately their app registration forces you to use that for the redirect URI and doesn't allow you to change it to a reverse-DNS format. Is there a possibility to retrieve the auth code via the browser title bar method with this library?

Support "prompt" OpenID Connect auth request parameter

OpenID Connect Core 1.0, Section 3.1.2.1,
"prompt" parameter:

OPTIONAL. Space delimited, case sensitive list of ASCII string values that specifies whether the Authorization Server prompts the End-User for reauthentication and consent. The defined values are:

none
The Authorization Server MUST NOT display any authentication or consent user interface pages. An error is returned if an End-User is not already authenticated or the Client does not have pre-configured consent for the requested Claims or does not fulfill other conditions for processing the request. The error code will typically be login_required, interaction_required, or another code defined in Section 3.1.2.6. This can be used as a method to check for existing authentication and/or consent.

login
The Authorization Server SHOULD prompt the End-User for reauthentication. If it cannot reauthenticate the End-User, it MUST return an error, typically login_required.

consent
The Authorization Server SHOULD prompt the End-User for consent before returning information to the Client. If it cannot obtain consent, it MUST return an error, typically consent_required.

select_account
The Authorization Server SHOULD prompt the End-User to select a user account. This enables an End-User who has multiple accounts at the Authorization Server to select amongst the multiple accounts that they might have current sessions for. If it cannot obtain an account selection choice made by the End-User, it MUST return an error, typically account_selection_required.

Dispatching callback/completion/action blocks on the main queue is not always appropriate

There are a few methods where callback blocks are dispatched on the main queue:

+ [OIDAuthorizationService discoverServiceConfigurationForDiscoveryURL:completion:]
+ [OIDAuthorizationService performTokenRequest:callback:]
- [OIDAuthState withFreshTokensPerformAction:]

This strategy makes sense if the callback block is expected to directly perform UI updates, but this will not always be the case. In cases where the callback blocks instead perform significant computation, this behavior is generally undesirable and forces calling code to perform additional dispatching.

I think it would be ideal if a mechanism could be provided to specify the queue for callback dispatch. For possible approaches, take a look at the mechanisms provided by NSURLSession and Alamofire.

iOS 9+: How can I authenticate with the Google Drive API using AppAuth

Hello there,

I am able to sign in with a Google account using AppAuth.
But I run into trouble when I try to fetch the list of files I have in my Google Drive account.

I am using 'GoogleAPIClient/Drive' for Google Drive.

As I see it, the Google Drive documentation is not perfect.
Can you suggest how I can go about it?

Support for customizing SFSafariViewController presentation

Hi everyone,

We need to customize the modal presentation of the SFSafariViewController, specifically setting the modalPresentationStyle and modalTransitionStyle. I've created a PR (#28) with a sample of how this could be achieved.

We'd greatly appreciate if you could add this kind of support.

Thanks 🙏,
Max

Problems loading Google's authentication website with Safari

Thank you for developing this library! I have a question/problem that is not directly related to the library but probably to Google's servers. But maybe you have nevertheless a solution:

I am using AppAuth-iOS to sign in to Google. It seems to work fine in most cases but some users have the problem that Safari stops when loading the page. It does not only affect the SFSafariViewController but also the stand-alone Safari. The blue bar that shows the loading process just stops/freezes at a certain point and the page is not loaded. However it works fine for most users. And it works fine when opening the same URL on the same device with Google Chrome instead of Safari.

Have you heard about this problem? Is there a solution?

Thank you very much!

Kind regards

Dominique

Support "acr_values" OpenID Connect auth request parameter

OpenID Connect Core 1.0, Section 3.1.2.1, acr_values parameter:

OPTIONAL. Requested Authentication Context Class Reference values. Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value, as specified in Section 2. The acr Claim is requested as a Voluntary Claim by this parameter.

Truncate auth tokens in description methods

We should truncate the auth tokens in the description methods.

This can help avoid inadvertent logging of sensitive tokens. Developers still have access to the raw tokens through the properties provided for that purpose should they need.

Crashed calling any method after login

It reports:
Terminating app due to uncaught exception 'Attempted to create a token refresh request from a token response with no refresh token.', reason: 'Attempted to create a token refresh request from a token response with no refresh token.'

Carthage Support

Hi!,

Are there any plans to support the Carthage dependency manager? I can work on this and make a PR if it's something you'd like; it should not be a big change since in theory it will only require adding a dynamic framework target.

Use Google Chrome instead of Safari

Hi!

Sometimes Safari cannot load data from "accounts.google.com", the loading bar stops and loading of the page never finishes (I have got several reports about this problem from users). This also happens when using the Safari app instead of SFSafariViewController. However on the same devices it works fine when using Google Chrome. Thus I would like to use Google Chrome if it is installed. Is there a way to tell the library to use Google Chrome instead of Safari to open the URL?

Thank you very much!

Kind regards

Dominique

Dismiss in-app browser Safari on user action

We are using AppAuth-iOS in our application to handle authentication. It is working fine, although we have an issue with dismissing the in-app Safari browser.

In the scenario where the user is prompted by Safari to save their password, the user hasn't got time to respond.
We have created a custom class which overrides OIDAuthorizationUICoordinatorIOS's dismissAuthorizationAnimated method, but we can't tell whether the 'save password' alert has been shown or not.

Any thoughts on how we can find out whether the 'save password' alert has been shown?

Thanks.

Add OIDAuthorizationUICoordinator.h to AppAuth.h

I'm building a Swift app and have AppAuth.h imported in my bridging header. When I tried creating a custom AuthorizationUICoordinator I was getting "use of undeclared type" compilation errors. After a bit of digging I realized that OIDAuthorizationUICoordinator.h wasn't transitively imported via AppAuth.h, and adding it directly to my bridging header solved the issue.

Since this use case (using a custom AuthorizationUICoordinator) is part of the public API, it seems that OIDAuthorizationUICoordinator.h should be included in AppAuth.h.

Cannot build module AppAuth

I keep getting "Cannot build module AppAuth" after installing the CocoaPod and trying to run the project. I have tried several fixes found on Stack Overflow with nothing working.

iOS Keychain Integration

Are there any existing plans to include some form of iOS Keychain wrapper with this library? It seems the only secure option (as opposed to NSUserDefaults), and fairly common procedure for persisting tokens.

Support sending auth requests as a JWT using the "request" parameter

OpenID Connect Core 1.0, Section 6.0, request parameter:

OPTIONAL. This parameter enables OpenID Connect requests to be passed in a single, self-contained parameter and to be optionally signed and/or encrypted. The parameter value is a Request Object value, as specified in Section 6.1. It represents the request as a JWT whose Claims are the request parameters.

It will likely be preferable to support this as a flag on the authorization request object rather than a parameter in the conventional way.

AppAuth-iOS support for App extension

Hi everyone!

I am trying to use this great library in a project that has an app extension enabled, and there is a problem building the project because of this line:
https://github.com/openid/AppAuth-iOS/blob/master/Source/iOS/OIDAuthorizationUICoordinatorIOS.m#L90
I believe it's because [UIApplication sharedApplication] is not safe to use within a share extension.
Can we fix that? I know the AFNetworking library had the same problem in the past, and they resolved it by doing some magic with the pod config...

Cheers,
GregB

Cookie issues with iOS 10?

One of my developers sent me the following e-mail. Is anyone else experiencing this?

"After some empirical testing into the cookie sharing behavior between iOS 9 and iOS 10, I have discovered that (unlike in iOS 9) in iOS 10, SFSafariViewController session cookies are not shared with either Safari or with other SFSafariViewController instances. The current SSO cookie must be a session cookie, which is the reason that SSO does not work on iOS 10 devices. The fact that other apps have not yet reported this issue appears to be due to their not having been as comprehensive with their testing to date, rather than that it's not an issue for them.

The good news is that the fix is easy: the SSO cookie must be converted to a persistent cookie through the addition of the expires parameter. Please let us know when this change can be made available."

Percent-encoding algorithm used in AppAuth-iOS is not correct

The algorithm for encoding characters in the AppAuth-iOS library is not compatible with the "application/x-www-form-urlencoded" type. This leads to various issues in the OAuth2 flow when tokens or authorization codes passed to the server contain special characters.

Detailed description:

The "application/x-www-form-urlencoded" type is based on special URI percent-encoding rules:
Wikipedia

The biggest difference from standard URI encoding is that spaces are replaced with the plus sign character "+". Unfortunately standard iOS APIs like:
[NSCharacterSet URLQueryAllowedCharacterSet]
or
NSURLComponents
don't obey these rules. They don't encode the plus sign "+", which is replaced with a space afterwards on the server.

Moreover, the current NSURLComponents-based implementation (iOS 8+) in the library is wrong. Instead of using [NSURLComponents percentEncodedQuery] it uses [NSURLComponents query], which doesn't encode data at all:
https://github.com/openid/AppAuth-iOS/blob/master/Source/OIDURLQueryComponent.m#L166

I've created a branch where both methods (iOS8+ and legacy) are replaced with one NSCharacterSet-based method with custom allowed characters:
https://github.com/mkujalowicz/AppAuth-iOS/tree/url_encoding

I'm using a set of allowed characters similar to what Java URL Encoder has:
https://docs.oracle.com/javase/7/docs/api/java/net/URLEncoder.html
or Ruby:

require 'uri'
# Probe every ASCII byte: keep those that URI.encode_www_form leaves unchanged.
characters = (0..0x7f).select { |val| URI.encode_www_form([["name", val.chr]]) == "name=#{val.chr}" }.map(&:chr).join

I also added a unit test where the encoding can be verified against mentioned rule. I can submit a pull request if you agree with this change. I've also created a Swift playground where you can test all methods:
https://gist.github.com/mkujalowicz/3903fd7efd695864eca606ccc12e097e
(requires Swift 3)
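The encoding rules this issue describes, as an added Python example (not AppAuth's code and not the branch linked above): a form-urlencoded encoder written out by hand with the allowed set the issue refers to (letters, digits and ".-*_", as Java's URLEncoder uses), next to a naive encoder built from a "URL query allowed" character set, with the standard library's form decoder playing the server. The naive encoder lets '+' through unescaped, and the decoder then turns it into a space, which is exactly how a token containing '+' gets corrupted. A stdlib_safe_set() helper derives the untouched characters the same way the Ruby one-liner above probes URI.encode_www_form. Function names and the sample token are this example's own.

```python
"""Added example (not AppAuth's code): application/x-www-form-urlencoded
encoding by hand, a deliberately naive URI-query-style encoder for
contrast, and the server-side decode that exposes the difference."""
from urllib.parse import parse_qsl, quote_plus

# Bytes emitted unchanged by the form encoding; everything else is %XX, space is '+'.
FORM_SAFE = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789.-*_")

# RFC 3986 query characters minus the '&' and '=' separators: what a
# "URL query allowed" set lets through. '+' is legal in a URI query, so it passes.
QUERY_ALLOWED = frozenset(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~!$'()*+,;:@/?")


def form_encode_value(value: str) -> str:
    """Encode one key or value per application/x-www-form-urlencoded."""
    out = []
    for b in value.encode("utf-8"):
        if b in FORM_SAFE:
            out.append(chr(b))
        elif b == 0x20:
            out.append("+")
        else:
            out.append(f"%{b:02X}")
    return "".join(out)


def naive_query_encode_value(value: str) -> str:
    """Percent-encodes only what a URI query forbids: '+' passes through untouched."""
    return "".join(chr(b) if b in QUERY_ALLOWED else f"%{b:02X}" for b in value.encode("utf-8"))


def form_encode(params: dict, encoder=form_encode_value) -> str:
    """Build a request body from a dict with the chosen per-value encoder."""
    return "&".join(f"{encoder(k)}={encoder(v)}" for k, v in params.items())


def server_decode(body: str) -> dict:
    """What a token endpoint does with the body: '+' -> space, %XX -> byte."""
    return dict(parse_qsl(body, keep_blank_values=True))


def stdlib_safe_set() -> str:
    """Characters quote_plus leaves untouched, derived by probing each ASCII byte."""
    return "".join(c for c in map(chr, range(0x80)) if quote_plus(c, safe="") == c)


if __name__ == "__main__":
    token = "ab+cd ef/g"  # constructed value carrying the troublesome bytes
    good = form_encode({"code": token})
    bad = form_encode({"code": token}, encoder=naive_query_encode_value)
    print(good, "->", server_decode(good)["code"])  # survives the round trip
    print(bad, "->", server_decode(bad)["code"])    # '+' has become a space
    print(stdlib_safe_set())
```

Python's own safe set keeps '~' where Java's keeps '*'; both are harmless differences because each side encodes anything outside its set, whereas leaving '+' unencoded is not, since the receiving decoder has no way to tell a literal plus from an encoded space.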
