[GH-ISSUE #358] Filter Empty Parameters #226

New issue

Closed

opened 2026-03-03 16:46:51 +03:00 by kerem · 6 comments

kerem commented 2026-03-03 16:46:51 +03:00

Owner

Copy link

Originally created by @rhvall on GitHub (Apr 4, 2017).
Original GitHub issue: https://github.com/OAuthSwift/OAuthSwift/issues/358

Description:

I have been using OAuthSwift to connect to Salesforce; it might be just salesforce, but I am not using a "secret token" to authenticate to the service in the device, but I only have a client ID and renew token. Later, when I want to get a new token, I pass the client ID and the renew token and I get back a new access token from Salesforce.

The problem is, if I don't have a secret token, when I construct a OAuth2Swift object the renew and I have to pass an empty secret, I get a 401 result, however, if I simply comment the code that appends "client_secret" from the list of parameters, I get the expected result (access token).

OAuth Provider (Twitter, Github, ..):

SalesForce

OAuth Version:

• Version 1
• Version 2

OS (Please fill the version) :

• iOS :
• OSX :
• TVOS :
• WatchOS :

Installation method:

• Carthage
• CocoaPods
• Manually

Library version:

• head
• v1.0.0
• v0.6
• other: (Please fill in the version you are using.)

Xcode version:

• 8.0 (Swift 3.0)

• 8.0 (Swift 2.3)

• 7.3.1

• other: (Please fill in the version you are using.)

• objective c

Proposed Solution

Filter empty or null parameters from the list of parameters before initiating the network request. File "OAuth2Swift", Method: "requestOAuthAccessToken"

Code:

let filteredParams = parameters.filter { $1 != nil && String(describing: $1).isEmpty == false }
        
        if self.contentType == "multipart/form-data" {
            // Request new access token by disabling check on current token expiration. This is safe because the implementation wants the user to retrieve a new token.
            return self.client.postMultiPartRequest(accessTokenUrl, method: .POST, parameters: filteredParams, headers: headers, checkTokenExpiration: false, success: successHandler, failure: failure)
        } else {
            // special headers
            var finalHeaders: OAuthSwift.Headers? = nil
            if accessTokenBasicAuthentification {
                
                let authentification = "\(self.consumerKey):\(self.consumerSecret)".data(using: String.Encoding.utf8)
                if let base64Encoded = authentification?.base64EncodedString(options: Data.Base64EncodingOptions(rawValue: 0)) {
                    finalHeaders += ["Authorization": "Basic \(base64Encoded)"] as OAuthSwift.Headers
                }
            }
            
            // Request new access token by disabling check on current token expiration. This is safe because the implementation wants the user to retrieve a new token.
            return self.client.request(accessTokenUrl, method: .POST, parameters: filteredParams, headers: finalHeaders, checkTokenExpiration: false, success: successHandler, failure: failure)
        }

The first line is what makes the magic, avoid any nil or empty description string. After that is just replacing "parameter" with filteredParams in the request methods.

Originally created by @rhvall on GitHub (Apr 4, 2017). Original GitHub issue: https://github.com/OAuthSwift/OAuthSwift/issues/358 ### Description: I have been using OAuthSwift to connect to Salesforce; it might be just salesforce, but I am not using a "secret token" to authenticate to the service in the device, but I only have a client ID and renew token. Later, when I want to get a new token, I pass the client ID and the renew token and I get back a new access token from Salesforce. The problem is, if I don't have a secret token, when I construct a OAuth2Swift object the renew and I have to pass an empty secret, I get a 401 result, however, if I simply comment the code that appends "client_secret" from the list of parameters, I get the expected result (access token). ### OAuth Provider (Twitter, Github, ..): SalesForce ### OAuth Version: - [ ] Version 1 - [X] Version 2 ### OS (Please fill the version) : - [x] iOS : - [ ] OSX : - [ ] TVOS : - [ ] WatchOS : ### Installation method: - [ ] Carthage - [X] CocoaPods - [ ] Manually ### Library version: - [X] head - [ ] v1.0.0 - [ ] v0.6 - [ ] other: (Please fill in the version you are using.) ### Xcode version: - [X] 8.0 (Swift 3.0) - [ ] 8.0 (Swift 2.3) - [ ] 7.3.1 - [ ] other: (Please fill in the version you are using.) - [ ] objective c ### Proposed Solution Filter empty or null parameters from the list of parameters before initiating the network request. File "OAuth2Swift", Method: "requestOAuthAccessToken" Code: ``` let filteredParams = parameters.filter { $1 != nil && String(describing: $1).isEmpty == false } if self.contentType == "multipart/form-data" { // Request new access token by disabling check on current token expiration. This is safe because the implementation wants the user to retrieve a new token. return self.client.postMultiPartRequest(accessTokenUrl, method: .POST, parameters: filteredParams, headers: headers, checkTokenExpiration: false, success: successHandler, failure: failure) } else { // special headers var finalHeaders: OAuthSwift.Headers? = nil if accessTokenBasicAuthentification { let authentification = "\(self.consumerKey):\(self.consumerSecret)".data(using: String.Encoding.utf8) if let base64Encoded = authentification?.base64EncodedString(options: Data.Base64EncodingOptions(rawValue: 0)) { finalHeaders += ["Authorization": "Basic \(base64Encoded)"] as OAuthSwift.Headers } } // Request new access token by disabling check on current token expiration. This is safe because the implementation wants the user to retrieve a new token. return self.client.request(accessTokenUrl, method: .POST, parameters: filteredParams, headers: finalHeaders, checkTokenExpiration: false, success: successHandler, failure: failure) } ``` The first line is what makes the magic, avoid any nil or empty description string. After that is just replacing "parameter" with filteredParams in the request methods.

kerem 2026-03-03 16:46:51 +03:00

• closed this issue
• added the
  enhancement
  question
  labels

kerem commented 2026-03-03 16:46:52 +03:00

Author

Owner

Copy link

@phimage commented on GitHub (Apr 15, 2017):

that's not oauth authentication flow, maybe it's a security issue...
there is consumer secret in salesforce declared app
if you have a refresh/renew token its because you have already connected using secret...

https://developer.salesforce.com/page/Digging_Deeper_into_OAuth_2.0_on_Force.com#Token_Refresh

<!-- gh-comment-id:294302921 --> @phimage commented on GitHub (Apr 15, 2017): that's not oauth authentication flow, maybe it's a security issue... there is consumer secret in salesforce declared app if you have a refresh/renew token its because you have already connected using secret... https://developer.salesforce.com/page/Digging_Deeper_into_OAuth_2.0_on_Force.com#Token_Refresh

kerem commented 2026-03-03 16:46:52 +03:00

Author

Owner

Copy link

@rhvall commented on GitHub (May 26, 2017):

Hello @phimage,

Thanks for the reference, I have ran the Salesforce example in the project and certainly that helped me to understand the whole flow. Also, I checked that again and you can notice there a very important detail in it:

client_secret Your application's client secret (optional).

The value of client_secret is not mandatory, reason why the flow we have in the app is not using a client secret. If you go back to the section "Obtaining an Access Token in a Browser or Native Application (User-Agent Flow)", you will notice that client_secret is not part of the response, we have almost everything but that.

I hope we can revisit this trouble.

Thanks

<!-- gh-comment-id:304311272 --> @rhvall commented on GitHub (May 26, 2017): Hello @phimage, Thanks for the reference, I have ran the Salesforce example in the project and certainly that helped me to understand the whole flow. Also, I checked that again and you can notice there a very important detail in it: ```client_secret Your application's client secret (optional).``` The value of ```client_secret``` is not mandatory, reason why the flow we have in the app is not using a client secret. If you go back to the section "Obtaining an Access Token in a Browser or Native Application (User-Agent Flow)", you will notice that ```client_secret``` is not part of the response, we have almost everything but that. I hope we can revisit this trouble. Thanks

kerem commented 2026-03-03 16:46:52 +03:00

Author

Owner

Copy link

@phimage commented on GitHub (Jun 2, 2017):

@rhvall could you show me in documentation where client secret is optional
maybe not oauth standard flow, but for JWT token or SAML

<!-- gh-comment-id:305802328 --> @phimage commented on GitHub (Jun 2, 2017): @rhvall could you show me in documentation where client secret is optional maybe not oauth standard flow, but for JWT token or SAML

kerem commented 2026-03-03 16:46:52 +03:00

Author

Owner

Copy link

@rhvall commented on GitHub (Jun 6, 2017):

That line I took is exactly from the link to Salesforce that you had in your response:

https://developer.salesforce.com/page/Digging_Deeper_into_OAuth_2.0_on_Force.com#Token_Refresh

If you check the list of elements to send to the server, the "client secret" is an optional value.

<!-- gh-comment-id:306519762 --> @rhvall commented on GitHub (Jun 6, 2017): That line I took is exactly from the link to Salesforce that you had in your response: https://developer.salesforce.com/page/Digging_Deeper_into_OAuth_2.0_on_Force.com#Token_Refresh If you check the list of elements to send to the server, the "client secret" is an optional value.

kerem commented 2026-03-03 16:46:52 +03:00

Author

Owner

Copy link

@phimage commented on GitHub (Jun 7, 2017):

client secret here could be optional because refresh token can contain enough information to be trusted, but could also be expired

what I do not understand is how you get a refresh token without this client secret (and so why here stop to use it)
I do not understand the authentification flow

You can PR a code which check if client_secret is empty that do not add it

<!-- gh-comment-id:306709637 --> @phimage commented on GitHub (Jun 7, 2017): client secret here could be optional because refresh token can contain enough information to be trusted, but could also be expired what I do not understand is how you get a refresh token without this client secret (and so why here stop to use it) I do not understand the authentification flow You can PR a code which check if client_secret is empty that do not add it

kerem commented 2026-03-03 16:46:52 +03:00

Author

Owner

Copy link

@phimage commented on GitHub (Aug 14, 2017):

I close, no PR..

<!-- gh-comment-id:322110195 --> @phimage commented on GitHub (Aug 14, 2017): I close, no PR..

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

ci/action/danger

ci/action/release-drafter

pkce

ci/action/tvos

ci/travis

2.1.0

2.0.0

fix/fitbiterror

swift3

digu-demo

swift3.0objc

swift2.2

swift2.3

swift2.0

2.2.0

2.1.2

2.1.1

2.1.0

2.0.1

2.0.0

1.4.1

1.4.0

1.3.0

1.2.2

1.2.1

1.2.0

1.1.2

1.1.1

1.1.0

1.0.0

0.6.0

0.5.2

v0.5.2

0.5.1

0.5.0

0.4.8

0.4.6

v0.4.6

0.4.5

v0.4.5

0.4.4

v0.4.4

0.4.3

0.4.2

0.4.1

v0.4.1

0.4.0

v0.4.0

Swift1.x

0.3.7

v0.3.7

0.3.6

v0.3.6

0.3.5

v0.3.5

0.3.4

v0.3.4

0.3.3

v0.3.3

v0.3.2

0.3.2

0.3.1

v0.3.1

0.3.0

v0.3.0

0.2.1

0.2.0

v0.2.0

0.1.9

0.1.8

0.1.7

v0.1.7

v0.1.6

Labels

Clear labels   

bug

  

cocoapod

  

duplicate

  

enhancement

  

feature-request

  

help wanted

  

help wanted

  

invalid

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

wontfix

No labels

bug

cocoapod

duplicate

enhancement

feature-request

help wanted

help wanted

invalid

pull-request

question

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/OAuthSwift#226

No description provided.