Update `AddScopes` to include previously requested `tokenClaims` in the… (#557)

GoogleSignIn/Sources/GIDSignIn.m

@@ -367,6 +367,14 @@ static NSString *const kConfigOpenIDRealmKey = @"GIDOpenIDRealm";
                                                   addScopesFlow:YES
                                                      completion:completion];
 
+  OIDAuthorizationRequest *lastAuthorizationRequest =
+      self.currentUser.authState.lastAuthorizationResponse.request;
+  NSString *lastTokenClaimsAsJSON =
+      lastAuthorizationRequest.additionalParameters[kTokenClaimsParameter];
+  if (lastTokenClaimsAsJSON) {
+    options.tokenClaimsAsJSON = lastTokenClaimsAsJSON;
+  }
+
   NSSet<NSString *> *requestedScopes = [NSSet setWithArray:scopes];
   NSMutableSet<NSString *> *grantedScopes =
       [NSMutableSet setWithArray:self.currentUser.grantedScopes];
@@ -499,6 +507,14 @@ static NSString *const kConfigOpenIDRealmKey = @"GIDOpenIDRealm";
                                                   addScopesFlow:YES
                                                      completion:completion];
 
+  OIDAuthorizationRequest *lastAuthorizationRequest =
+      self.currentUser.authState.lastAuthorizationResponse.request;
+  NSString *lastTokenClaimsAsJSON =
+      lastAuthorizationRequest.additionalParameters[kTokenClaimsParameter];
+  if (lastTokenClaimsAsJSON) {
+    options.tokenClaimsAsJSON = lastTokenClaimsAsJSON;
+  }
+
   NSSet<NSString *> *requestedScopes = [NSSet setWithArray:scopes];
   NSMutableSet<NSString *> *grantedScopes =
       [NSMutableSet setWithArray:self.currentUser.grantedScopes];
@@ -739,20 +755,23 @@ static NSString *const kConfigOpenIDRealmKey = @"GIDOpenIDRealm";
       }
     }];
   } else {
-    NSError *claimsError;
-
-    // If tokenClaims are invalid or JSON serialization fails, return with an error.
-    options.tokenClaimsAsJSON = [_tokenClaimsInternalOptions
-                                    validatedJSONStringForClaims:options.tokenClaims
-                                                           error:&claimsError];
-    if (claimsError) {
-      if (options.completion) {
-        self->_currentOptions = nil;
-        dispatch_async(dispatch_get_main_queue(), ^{
-          options.completion(nil, claimsError);
-        });
+    // Only serialize tokenClaims if options.tokenClaimsAsJSON isn't already set.
+    if (!options.tokenClaimsAsJSON) {
+      NSError *claimsError;
+
+      // If tokenClaims are invalid or JSON serialization fails, return with an error.
+      options.tokenClaimsAsJSON = [_tokenClaimsInternalOptions
+                                   validatedJSONStringForClaims:options.tokenClaims
+                                                          error:&claimsError];
+      if (claimsError) {
+        if (options.completion) {
+          _currentOptions = nil;
+          dispatch_async(dispatch_get_main_queue(), ^{
+            options.completion(nil, claimsError);
+          });
+        }
+        return;
       }
-      return;
     }
     [self authenticateWithOptions:options];
   }

GoogleSignIn/Tests/Unit/GIDSignInTest.m

@@ -644,6 +644,7 @@ static NSString *const kNonEssentialAuthTimeClaimsJsonString =
                           authError:nil
                          tokenError:nil
             emmPasscodeInfoRequired:NO
+          tokenClaimsAsJSONRequired:NO
                       keychainError:NO
                      restoredSignIn:NO
                      oldAccessToken:NO
@@ -661,6 +662,7 @@ static NSString *const kNonEssentialAuthTimeClaimsJsonString =
                           authError:nil
                          tokenError:nil
             emmPasscodeInfoRequired:NO
+          tokenClaimsAsJSONRequired:NO
                       keychainError:NO
                      restoredSignIn:YES
                      oldAccessToken:NO
@@ -678,6 +680,7 @@ static NSString *const kNonEssentialAuthTimeClaimsJsonString =
                           authError:nil
                          tokenError:nil
             emmPasscodeInfoRequired:NO
+          tokenClaimsAsJSONRequired:NO
                       keychainError:NO
                      restoredSignIn:YES
                      oldAccessToken:YES
@@ -697,6 +700,7 @@ static NSString *const kNonEssentialAuthTimeClaimsJsonString =
                           authError:nil
                          tokenError:nil
             emmPasscodeInfoRequired:NO
+          tokenClaimsAsJSONRequired:NO
                       keychainError:NO
                    tokenClaimsError:NO
                      restoredSignIn:NO
@@ -714,6 +718,7 @@ static NSString *const kNonEssentialAuthTimeClaimsJsonString =
                           authError:nil
                          tokenError:nil
             emmPasscodeInfoRequired:NO
+          tokenClaimsAsJSONRequired:NO
                       keychainError:NO
                    tokenClaimsError:NO
                      restoredSignIn:NO
@@ -731,6 +736,7 @@ static NSString *const kNonEssentialAuthTimeClaimsJsonString =
                           authError:nil
                          tokenError:nil
             emmPasscodeInfoRequired:NO
+          tokenClaimsAsJSONRequired:NO
                       keychainError:NO
                    tokenClaimsError:NO
                      restoredSignIn:NO
@@ -758,6 +764,7 @@ static NSString *const kNonEssentialAuthTimeClaimsJsonString =
                           authError:nil
                          tokenError:nil
             emmPasscodeInfoRequired:NO
+          tokenClaimsAsJSONRequired:NO
                       keychainError:NO
                    tokenClaimsError:NO
                      restoredSignIn:NO
@@ -776,6 +783,7 @@ static NSString *const kNonEssentialAuthTimeClaimsJsonString =
                           authError:nil
                          tokenError:nil
             emmPasscodeInfoRequired:NO
+          tokenClaimsAsJSONRequired:NO
                       keychainError:NO
                    tokenClaimsError:NO
                      restoredSignIn:NO
@@ -803,6 +811,7 @@ static NSString *const kNonEssentialAuthTimeClaimsJsonString =
                           authError:nil
                          tokenError:nil
             emmPasscodeInfoRequired:NO
+          tokenClaimsAsJSONRequired:NO
                       keychainError:NO
                    tokenClaimsError:NO
                      restoredSignIn:NO
@@ -838,6 +847,7 @@ static NSString *const kNonEssentialAuthTimeClaimsJsonString =
                           authError:nil
                          tokenError:nil
             emmPasscodeInfoRequired:NO
+          tokenClaimsAsJSONRequired:NO
                       keychainError:NO
                      restoredSignIn:YES
                      oldAccessToken:NO
@@ -856,11 +866,13 @@ static NSString *const kNonEssentialAuthTimeClaimsJsonString =
   OCMStub([_user configuration]).andReturn(configuration);
   OCMStub([_user profile]).andReturn(profile);
   OCMStub([_user grantedScopes]).andReturn(@[kGrantedScope]);
+  OCMStub([_user authState]).andReturn(_authState);
 
   [self OAuthLoginWithAddScopesFlow:YES
                           authError:nil
                          tokenError:nil
             emmPasscodeInfoRequired:NO
+          tokenClaimsAsJSONRequired:NO
                       keychainError:NO
                      restoredSignIn:NO
                      oldAccessToken:NO
@@ -888,6 +900,76 @@ static NSString *const kNonEssentialAuthTimeClaimsJsonString =
   [profile stopMocking];
 }
 
+- (void)testAddScopes_WithPreviouslyRequestedClaims {
+  GIDTokenClaim *authTimeClaim = [GIDTokenClaim authTimeClaim];
+  // Restore the previous sign-in account. This is the preparation for adding scopes.
+  OCMStub(
+    [_keychainStore saveAuthSession:OCMOCK_ANY error:OCMArg.anyObjectRef]
+  ).andDo(^(NSInvocation *invocation) {
+    self->_keychainSaved = self->_saveAuthorizationReturnValue;
+  });
+  [self OAuthLoginWithAddScopesFlow:NO
+                          authError:nil
+                         tokenError:nil
+            emmPasscodeInfoRequired:NO
+          tokenClaimsAsJSONRequired:NO
+                      keychainError:NO
+                   tokenClaimsError:NO
+                     restoredSignIn:NO
+                     oldAccessToken:NO
+                        modalCancel:NO
+                useAdditionalScopes:NO
+                   additionalScopes:nil
+                        manualNonce:nil
+                        tokenClaims:[NSSet setWithObject:authTimeClaim]];
+
+  XCTAssertNotNil(_signIn.currentUser);
+
+  id profile = OCMStrictClassMock([GIDProfileData class]);
+  OCMStub([profile email]).andReturn(kUserEmail);
+
+  GIDConfiguration *configuration = [[GIDConfiguration alloc] initWithClientID:kClientId
+                                                                serverClientID:nil
+                                                                  hostedDomain:nil
+                                                                   openIDRealm:kOpenIDRealm];
+  OCMStub([_user configuration]).andReturn(configuration);
+  OCMStub([_user profile]).andReturn(profile);
+  OCMStub([_user grantedScopes]).andReturn(@[kGrantedScope]);
+  OCMStub([_user authState]).andReturn(_authState);
+
+  [self OAuthLoginWithAddScopesFlow:YES
+                          authError:nil
+                         tokenError:nil
+            emmPasscodeInfoRequired:NO
+          tokenClaimsAsJSONRequired:YES
+                      keychainError:NO
+                     restoredSignIn:NO
+                     oldAccessToken:NO
+                        modalCancel:NO];
+
+  NSArray<NSString *> *grantedScopes;
+  NSString *grantedScopeString = _savedAuthorizationRequest.scope;
+
+  if (grantedScopeString) {
+    NSCharacterSet *whiteSpaceChars = [NSCharacterSet whitespaceCharacterSet];
+    grantedScopeString =
+        [grantedScopeString stringByTrimmingCharactersInSet:whiteSpaceChars];
+    NSMutableArray<NSString *> *parsedScopes =
+        [[grantedScopeString componentsSeparatedByString:@" "] mutableCopy];
+    [parsedScopes removeObject:@""];
+    grantedScopes = [parsedScopes copy];
+  }
+
+  NSArray<NSString *> *expectedScopes = @[kNewScope, kGrantedScope];
+  XCTAssertEqualObjects(grantedScopes, expectedScopes);
+  XCTAssertEqualObjects(_savedAuthorizationRequest.additionalParameters[@"claims"],
+                        kNonEssentialAuthTimeClaimsJsonString,
+                        @"Claims JSON should be correctly formatted");
+
+  [_user verify];
+  [profile verify];
+}
+
 - (void)testOpenIDRealm {
   _signIn.configuration = [[GIDConfiguration alloc] initWithClientID:kClientId
                                                       serverClientID:nil
@@ -904,6 +986,7 @@ static NSString *const kNonEssentialAuthTimeClaimsJsonString =
                           authError:nil
                          tokenError:nil
             emmPasscodeInfoRequired:NO
+          tokenClaimsAsJSONRequired:NO
                       keychainError:NO
                      restoredSignIn:NO
                      oldAccessToken:NO
@@ -931,6 +1014,7 @@ static NSString *const kNonEssentialAuthTimeClaimsJsonString =
                           authError:nil
                          tokenError:nil
             emmPasscodeInfoRequired:NO
+          tokenClaimsAsJSONRequired:NO
                       keychainError:NO
                    tokenClaimsError:NO
                      restoredSignIn:NO
@@ -959,6 +1043,7 @@ static NSString *const kNonEssentialAuthTimeClaimsJsonString =
                           authError:nil
                          tokenError:nil
             emmPasscodeInfoRequired:NO
+          tokenClaimsAsJSONRequired:NO
                       keychainError:NO
                      restoredSignIn:NO
                      oldAccessToken:NO
@@ -984,6 +1069,7 @@ static NSString *const kNonEssentialAuthTimeClaimsJsonString =
                           authError:nil
                          tokenError:nil
             emmPasscodeInfoRequired:NO
+          tokenClaimsAsJSONRequired:NO
                       keychainError:NO
                      restoredSignIn:NO
                      oldAccessToken:NO
@@ -998,6 +1084,7 @@ static NSString *const kNonEssentialAuthTimeClaimsJsonString =
                           authError:@"access_denied"
                          tokenError:nil
             emmPasscodeInfoRequired:NO
+          tokenClaimsAsJSONRequired:NO
                       keychainError:NO
                      restoredSignIn:NO
                      oldAccessToken:NO
@@ -1012,6 +1099,7 @@ static NSString *const kNonEssentialAuthTimeClaimsJsonString =
                           authError:nil
                          tokenError:nil
             emmPasscodeInfoRequired:NO
+          tokenClaimsAsJSONRequired:NO
                       keychainError:NO
                      restoredSignIn:NO
                      oldAccessToken:NO
@@ -1036,6 +1124,7 @@ static NSString *const kNonEssentialAuthTimeClaimsJsonString =
                           authError:nil
                          tokenError:nil
             emmPasscodeInfoRequired:NO
+          tokenClaimsAsJSONRequired:NO
                       keychainError:YES
                      restoredSignIn:NO
                      oldAccessToken:NO
@@ -1056,6 +1145,7 @@ static NSString *const kNonEssentialAuthTimeClaimsJsonString =
                           authError:nil
                          tokenError:nil
             emmPasscodeInfoRequired:NO
+          tokenClaimsAsJSONRequired:NO
                       keychainError:NO
                    tokenClaimsError:YES
                      restoredSignIn:NO
@@ -1093,6 +1183,7 @@ static NSString *const kNonEssentialAuthTimeClaimsJsonString =
                           authError:nil
                          tokenError:nil
             emmPasscodeInfoRequired:NO
+          tokenClaimsAsJSONRequired:NO
                       keychainError:NO
                      restoredSignIn:YES
                      oldAccessToken:NO
@@ -1339,6 +1430,7 @@ static NSString *const kNonEssentialAuthTimeClaimsJsonString =
                           authError:nil
                          tokenError:nil
             emmPasscodeInfoRequired:NO
+          tokenClaimsAsJSONRequired:NO
                       keychainError:NO
                      restoredSignIn:NO
                      oldAccessToken:NO
@@ -1390,6 +1482,7 @@ static NSString *const kNonEssentialAuthTimeClaimsJsonString =
                           authError:nil
                          tokenError:nil
             emmPasscodeInfoRequired:YES
+          tokenClaimsAsJSONRequired:NO
                       keychainError:NO
                      restoredSignIn:NO
                      oldAccessToken:NO
@@ -1421,6 +1514,7 @@ static NSString *const kNonEssentialAuthTimeClaimsJsonString =
                           authError:callbackParams[@"error"]
                          tokenError:nil
             emmPasscodeInfoRequired:NO
+          tokenClaimsAsJSONRequired:NO
                       keychainError:NO
                      restoredSignIn:NO
                      oldAccessToken:NO
@@ -1458,6 +1552,7 @@ static NSString *const kNonEssentialAuthTimeClaimsJsonString =
                           authError:nil
                          tokenError:emmError
             emmPasscodeInfoRequired:NO
+          tokenClaimsAsJSONRequired:NO
                       keychainError:NO
                      restoredSignIn:NO
                      oldAccessToken:NO
@@ -1542,6 +1637,7 @@ static NSString *const kNonEssentialAuthTimeClaimsJsonString =
                           authError:(NSString *)authError
                          tokenError:(NSError *)tokenError
             emmPasscodeInfoRequired:(BOOL)emmPasscodeInfoRequired
+          tokenClaimsAsJSONRequired:(BOOL)tokenClaimsAsJSONRequired
                       keychainError:(BOOL)keychainError
                      restoredSignIn:(BOOL)restoredSignIn
                      oldAccessToken:(BOOL)oldAccessToken
@@ -1550,6 +1646,7 @@ static NSString *const kNonEssentialAuthTimeClaimsJsonString =
                           authError:authError
                          tokenError:tokenError
             emmPasscodeInfoRequired:emmPasscodeInfoRequired
+          tokenClaimsAsJSONRequired:tokenClaimsAsJSONRequired
                       keychainError:keychainError
                    tokenClaimsError:NO
                      restoredSignIn:restoredSignIn
@@ -1566,6 +1663,7 @@ static NSString *const kNonEssentialAuthTimeClaimsJsonString =
                           authError:(NSString *)authError
                          tokenError:(NSError *)tokenError
             emmPasscodeInfoRequired:(BOOL)emmPasscodeInfoRequired
+          tokenClaimsAsJSONRequired:(BOOL)tokenClaimsAsJSONRequired
                       keychainError:(BOOL)keychainError
                    tokenClaimsError:(BOOL)tokenClaimsError
                      restoredSignIn:(BOOL)restoredSignIn
@@ -1582,8 +1680,9 @@ static NSString *const kNonEssentialAuthTimeClaimsJsonString =
     [[[_authState expect] andReturnValue:[NSNumber numberWithBool:isAuthorized]] isAuthorized];
   }
 
-  NSDictionary<NSString *, NSString *> *additionalParameters = emmPasscodeInfoRequired ?
-      @{ @"emm_passcode_info_required" : @"1" } : nil;
+  NSDictionary<NSString *, NSString *> *additionalParameters =
+      [self additionalParametersWithEMMPasscodeInfoRequired:emmPasscodeInfoRequired
+                                  tokenClaimsAsJSONRequired:tokenClaimsAsJSONRequired];
   OIDAuthorizationResponse *authResponse =
       [OIDAuthorizationResponse testInstanceWithAdditionalParameters:additionalParameters
                                                                nonce:nonce
@@ -1646,6 +1745,7 @@ static NSString *const kNonEssentialAuthTimeClaimsJsonString =
       self->_authError = error;
     };
     if (addScopesFlow) {
+      [[[_authState expect] andReturn:authResponse] lastAuthorizationResponse];
       [_signIn addScopes:@[kNewScope]
 #if TARGET_OS_IOS || TARGET_OS_MACCATALYST
         presentingViewController:_presentingViewController
@@ -1846,4 +1946,22 @@ static NSString *const kNonEssentialAuthTimeClaimsJsonString =
   }
 }
 
+#pragma mark - Private Helpers
+
+- (NSDictionary<NSString *, NSString *> *)
+    additionalParametersWithEMMPasscodeInfoRequired:(BOOL)emmPasscodeInfoRequired
+                          tokenClaimsAsJSONRequired:(BOOL)tokenClaimsAsJSONRequired {
+  NSMutableDictionary<NSString *, NSString *> *additionalParameters =
+      [NSMutableDictionary dictionary];
+
+  if (emmPasscodeInfoRequired) {
+    additionalParameters[@"emm_passcode_info_required"] = @"1";
+  }
+  if (tokenClaimsAsJSONRequired) {
+    additionalParameters[@"claims"] = kNonEssentialAuthTimeClaimsJsonString;
+  }
+
+  return [additionalParameters copy];
+}
+
 @end

GoogleSignIn/Tests/Unit/OIDAuthorizationRequest+Testing.h

@@ -29,6 +29,6 @@ extern NSString * _Nonnull const OIDAuthorizationRequestTestingCodeVerifier;
 
 + (instancetype _Nonnull)testInstance;
 
-+ (instancetype _Nonnull)testInstanceWithNonce:(nullable NSString *)nonce;
-
++ (instancetype _Nonnull)testInstanceWithNonce:(nullable NSString *)nonce
+                          additionalParameters:(nullable NSDictionary<NSString *, NSString *> *)additionalParameters;
 @end

GoogleSignIn/Tests/Unit/OIDAuthorizationRequest+Testing.m

@@ -32,10 +32,12 @@ NSString *const OIDAuthorizationRequestTestingCodeVerifier = @"codeVerifier";
 @implementation OIDAuthorizationRequest (Testing)
 
 + (instancetype)testInstance {
-  return [self testInstanceWithNonce:nil];
+  return [self testInstanceWithNonce:nil additionalParameters:nil];
 }
 
-+ (instancetype)testInstanceWithNonce:(nullable NSString *)nonce {
++ (instancetype)testInstanceWithNonce:(nullable NSString *)nonce
+                 additionalParameters:
+                     (nullable NSDictionary<NSString *, NSString *> *)additionalParameters {
   return [[OIDAuthorizationRequest alloc]
       initWithConfiguration:[OIDServiceConfiguration testInstance]
                    clientId:OIDAuthorizationRequestTestingClientID
@@ -44,7 +46,7 @@ NSString *const OIDAuthorizationRequestTestingCodeVerifier = @"codeVerifier";
                 redirectURL:[NSURL URLWithString:@"http://test.com"]
                responseType:OIDResponseTypeCode
                       nonce:nonce
-       additionalParameters:nil];
+       additionalParameters:additionalParameters];
 }
 
 @end

GoogleSignIn/Tests/Unit/OIDAuthorizationResponse+Testing.m

@@ -46,7 +46,10 @@
       [parameters addEntriesFromDictionary:additionalParameters];
     }
   }
-  return [[OIDAuthorizationResponse alloc] initWithRequest:[OIDAuthorizationRequest testInstanceWithNonce:nonce]
+  OIDAuthorizationRequest *request =
+      [OIDAuthorizationRequest testInstanceWithNonce:nonce
+                                additionalParameters:additionalParameters];
+  return [[OIDAuthorizationResponse alloc] initWithRequest:request
                                                 parameters:parameters];
 }