@yilievnet yilievnet commented Aug 28, 2025

Problem

When a token request returns a non-2xx HTTP status (for example 400), AppAuth currently exposes only the response body and status code in the resulting NSError.
There is no way for SDK users to access the response headers, which are required in some flows.

Solution

Include HTTPURLResponse.allHeaderFields in the NSError.userInfo for non-2xx responses under a new exported key:

extern NSString *const OIDHTTPResponseHeadersKey;

This change is minimal and fully backward compatible. Successful responses are not affected.

Background

DPoP (RFC 9449 §8) specifies a case where an authorization server responds to a token request with a 400 status and includes a DPoP-Nonce header. Clients must extract this nonce and retry the request with a re-signed proof.

Without access to the response headers, it is impossible to implement a compliant DPoP flow using AppAuth.
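A model of the nonce round-trip described above, added here as an example; it is not part of this PR or of AppAuth. It is written in Python rather than Objective-C so it runs stand-alone: `TokenRequestError` stands in for the NSError that carries status, body and, with this change, the response headers; `FakeAuthorizationServer`, `DEMO_KEY` and the HMAC-based proof signature are constructed stand-ins (a real DPoP proof is signed with the client's asymmetric key, whose public half travels in the `jwk` header).

```python
"""RFC 9449 section 8 DPoP-Nonce round-trip, modelled end to end.

Added example, not AppAuth code. TokenRequestError plays the role of the
NSError from the PR (status, body and, the new part, response headers).
FakeAuthorizationServer, DEMO_KEY and the HMAC 'signature' are constructed
stand-ins so the script runs offline.
"""
import base64
import hashlib
import hmac
import json
import time
import uuid
from typing import List, Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def header_value(headers: dict, name: str) -> Optional[str]:
    """HTTP header names are case-insensitive, so never rely on exact-case dict keys."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


class TokenRequestError(Exception):
    """Non-2xx token response surfaced to the client, headers included."""

    def __init__(self, status: int, body: dict, headers: dict):
        super().__init__(f"token endpoint returned HTTP {status}")
        self.status, self.body, self.headers = status, body, headers


# Stand-in key: a real proof uses an asymmetric key (e.g. ES256). HMAC is used
# here only so the fake server can check the proof without a crypto dependency.
DEMO_KEY = b"constructed-demo-key"


def make_dpop_proof(htm: str, htu: str, nonce: Optional[str] = None) -> str:
    header = {"typ": "dpop+jwt", "alg": "HS256", "jwk": {"kty": "demo"}}
    claims = {"jti": str(uuid.uuid4()), "htm": htm, "htu": htu, "iat": int(time.time())}
    if nonce is not None:
        claims["nonce"] = nonce  # server-issued nonce, section 8
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_proof(proof: str) -> Optional[dict]:
    """Return the claims if the stand-in signature checks out, else None."""
    try:
        h, c, s = proof.split(".")
    except ValueError:
        return None
    expected = hmac.new(DEMO_KEY, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), s):
        return None
    return json.loads(base64.urlsafe_b64decode(c + "=" * (-len(c) % 4)))


class FakeAuthorizationServer:
    """Constructed AS that insists on a fresh nonce, as RFC 9449 section 8 allows."""
    TOKEN_URL = "https://as.example/token"

    def __init__(self):
        self.nonce = "nonce-1"
        self.proofs_seen: List[dict] = []

    def token(self, request_headers: dict):
        """Return (status, body, response_headers) for a POST to the token endpoint."""
        claims = verify_proof(header_value(request_headers, "DPoP") or "")
        if claims is None or claims.get("htm") != "POST" or claims.get("htu") != self.TOKEN_URL:
            return 400, {"error": "invalid_dpop_proof"}, {}
        self.proofs_seen.append(claims)
        if claims.get("nonce") != self.nonce:
            # The 400 that the PR is about: the nonce lives only in a response header.
            return 400, {"error": "use_dpop_nonce"}, {"DPoP-Nonce": self.nonce}
        return 200, {"access_token": "at-demo", "token_type": "DPoP"}, {"DPoP-Nonce": self.nonce}


def perform_token_request(server: FakeAuthorizationServer, nonce: Optional[str]):
    proof = make_dpop_proof("POST", server.TOKEN_URL, nonce)
    status, body, headers = server.token({"DPoP": proof})
    if not 200 <= status < 300:
        raise TokenRequestError(status, body, headers)  # headers travel with the error
    return body, headers


def get_token(server: FakeAuthorizationServer, max_nonce_retries: int = 1):
    """Token request with the section 8 retry: one re-signed proof per server-issued nonce."""
    nonce = None
    for attempt in range(max_nonce_retries + 1):
        try:
            return perform_token_request(server, nonce)
        except TokenRequestError as err:
            fresh = header_value(err.headers, "DPoP-Nonce")
            if (err.status == 400 and err.body.get("error") == "use_dpop_nonce"
                    and fresh and attempt < max_nonce_retries):
                nonce = fresh
                continue
            raise
```

The client retries only when all three conditions hold (a 400, the `use_dpop_nonce` error code in the body, and a `DPoP-Nonce` header), and only a bounded number of times, so a misbehaving server cannot keep it re-signing proofs indefinitely. Every retry is a freshly signed proof with a new `jti`; the original proof is never resent with the nonce patched in.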
