More validation of OAuth error responses

It's possible a server may respond a response in JSON with the key "error" that does not conform to Section 5.2 of RFC 6749. https://tools.ietf.org/html/rfc6749#section-5.2
manotnemanja · Sep 27, 2018 · a007c2d · a007c2d
1 parent 670c082
commit a007c2d
Showing 1 changed file with 14 additions and 3 deletions.
diff --git a/Source/OIDErrorUtilities.m b/Source/OIDErrorUtilities.m
@@ -66,7 +66,8 @@ + (NSError *)OAuthErrorWithDomain:(NSString *)oAuthErrorDomain
   // not a valid OAuth error
   if (![self isOAuthErrorDomain:oAuthErrorDomain]
       || !errorResponse
-      || !errorResponse[OIDOAuthErrorFieldError]) {
+      || !errorResponse[OIDOAuthErrorFieldError]
+      || ![errorResponse[OIDOAuthErrorFieldError] isKindOfClass:[NSString class]]) {
     return [[self class] errorWithCode:OIDErrorCodeNetworkError
                        underlyingError:underlyingError
                            description:underlyingError.localizedDescription];
@@ -80,8 +81,18 @@ + (NSError *)OAuthErrorWithDomain:(NSString *)oAuthErrorDomain
   }
 
   NSString *oauthErrorCodeString = errorResponse[OIDOAuthErrorFieldError];
-  NSString *oauthErrorMessage = errorResponse[OIDOAuthErrorFieldErrorDescription];
-  NSString *oauthErrorURI = errorResponse[OIDOAuthErrorFieldErrorURI];
+  NSString *oauthErrorMessage = nil;
+  if ([errorResponse[OIDOAuthErrorFieldErrorDescription] isKindOfClass:[NSString class]]) {
+    oauthErrorMessage = errorResponse[OIDOAuthErrorFieldErrorDescription];
+  } else {
+    oauthErrorMessage = [errorResponse[OIDOAuthErrorFieldErrorDescription] description];
+  }
+  NSString *oauthErrorURI = nil;
+  if ([errorResponse[OIDOAuthErrorFieldErrorURI] isKindOfClass:[NSString class]]) {
+    oauthErrorURI = errorResponse[OIDOAuthErrorFieldErrorURI];
+  } else {
+    oauthErrorURI = [errorResponse[OIDOAuthErrorFieldErrorURI] description];
+  }
 
   // builds the error description, using the information supplied by the server if possible
   NSMutableString *description = [NSMutableString string];