Module HAAPI iOS Driver Documentation

iOS library with the classes and functions required to access the Curity Identity Server Hypermedia Authentication API (HAAPI) from iOS devices. The library handles client attestation and provides the building blocks to issue HAAPI requests, namely obtaining DPoP access tokens.

Usage examples

Start by creating an HaapiTokenManager

// Create HaapiTokenManager
let tokenEndpoint: URL = ...
let clientId: String = ...
let haapiTokenManager = HaapiTokenManagerBuilder(tokenEndpoint: tokenEndpoint,
                                                 clientId: clientId).build()

Using HaapiClient

HaapiClient automatically adds all required request headers and manages the session identifier. This includes the DPoP tokens and the associated nonces.

// Create HaapiClient
let haapiClient = haapiTokenManager.createClient()

// Use HaapiClient to access HAAPI resources.
// Access tokens, proof tokens, associated nonces and session
// identifiers will be handled automatically when doing requests
let anUrlRequest: URLRequest = ...
haapiClient.performDataTask(for: anUrlRequest) { result in
  // ...
}

Using HaapiTokenManager directly

Otherwise, the DPoP tokens and associated nonces need to be explicitly requested from the HaapiTokenManager and added to the outgoing HAAPI requests:

// Use the HaapiTokenManager to retrieve the DPoP access and proof tokens
let httpRequestMethod: String = ...
let httpRequestTargetURL: URL = ...
let dpopAccessTokenInfo = try! haapiTokenManager.getHaapiToken().get()
let authorizationHeaderValue = dpopAccessTokenInfo.authorizationHeaderValue()
let dpopHeaderValue = dpopAccessTokenInfo.dpopHeaderValue(httpRequestMethod, httpRequestTargetURL)

// Add authorizationHeaderValue, dpopHeaderValue to the Authorization, 
// DPoP request headers respectively

In this case, the session identifier also needs to be handled explicitly.

⚠️ When using <use-legacy-dpop>false</use-legacy-dpop> in the Identity Server configuration and receiving a 401 status code.

If a response with a 401 status code is received, the www-authenticate header should be checked.

If this header is present and contains error="use_dpop_nonce", the new DPoP nonce should be extracted from the dpop-nonce header. The failed request should be retried using the new nonce.
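The 401 check and single retry described above, as an added example that uses only Foundation and is not part of the HAAPI driver. The names dpopNonceForRetry, challengeRequestsNonce and sendWithNonceRetry are hypothetical, and the caller-supplied buildRequest closure is an assumption: it must produce the HAAPI request with its Authorization and DPoP headers, binding the proof to the given nonce when one is passed.

```swift
import Foundation

/// True when the challenge carries an auth-param `error` equal to `use_dpop_nonce`.
/// Accepts quoted or unquoted values and does not match `error_description`.
func challengeRequestsNonce(_ challenge: String) -> Bool {
    let pattern = #"(?:^|[\s,])(?i:error)\s*=\s*"?use_dpop_nonce"?(?:$|[\s,])"#
    return challenge.range(of: pattern, options: .regularExpression) != nil
}

/// Returns the server-supplied nonce only for a 401 whose www-authenticate
/// header asks for one; any other response yields nil and is not retried.
func dpopNonceForRetry(from response: HTTPURLResponse) -> String? {
    guard response.statusCode == 401,
          // value(forHTTPHeaderField:) matches header names case-insensitively.
          let challenge = response.value(forHTTPHeaderField: "WWW-Authenticate"),
          challengeRequestsNonce(challenge),
          let nonce = response.value(forHTTPHeaderField: "DPoP-Nonce"),
          !nonce.isEmpty
    else { return nil }
    return nonce
}

/// Sends the request and retries once if the server demands a fresh nonce.
/// `buildRequest` (hypothetical, caller-supplied) returns the request with its
/// Authorization and DPoP headers, using `nonce` for the proof when non-nil.
func sendWithNonceRetry(session: URLSession = .shared,
                        buildRequest: @escaping (_ nonce: String?) throws -> URLRequest,
                        completion: @escaping (Result<(Data, HTTPURLResponse), Error>) -> Void) {
    func attempt(nonce: String?, retriesLeft: Int) {
        let request: URLRequest
        do { request = try buildRequest(nonce) } catch { return completion(.failure(error)) }
        session.dataTask(with: request) { data, response, error in
            if let error = error { return completion(.failure(error)) }
            guard let http = response as? HTTPURLResponse else {
                return completion(.failure(URLError(.badServerResponse)))
            }
            // Bounded to one retry so repeated nonce challenges cannot loop.
            if retriesLeft > 0, let fresh = dpopNonceForRetry(from: http) {
                return attempt(nonce: fresh, retriesLeft: retriesLeft - 1)
            }
            completion(.success((data ?? Data(), http)))
        }.resume()
    }
    attempt(nonce: nil, retriesLeft: 1)
}
```

A second 401 after the retry is returned to the caller as-is, so it can be handled as an ordinary authentication failure.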

Reference Documentation