Start the incremental authorization flow by creating OIDAuthorizationRequest.

GoogleSignIn/Sources/GIDGoogleUser.m

@@ -23,6 +23,7 @@
 #import "GoogleSignIn/Sources/GIDEMMSupport.h"
 #import "GoogleSignIn/Sources/GIDProfileData_Private.h"
 #import "GoogleSignIn/Sources/GIDSignIn_Private.h"
+#import "GoogleSignIn/Sources/GIDSignInConstants.h"
 #import "GoogleSignIn/Sources/GIDSignInPreferences.h"
 #import "GoogleSignIn/Sources/GIDToken_Private.h"
 
@@ -43,10 +44,6 @@
 static NSString *const kProfileDataKey = @"profileData";
 static NSString *const kAuthStateKey = @"authState";
 
-// Parameters for the token exchange endpoint.
-static NSString *const kAudienceParameter = @"audience";
-static NSString *const kOpenIDRealmParameter = @"openid.realm";
-
 // Additional parameter names for EMM.
 static NSString *const kEMMSupportParameterName = @"emm_support";
 

GoogleSignIn/Sources/GIDSignIn.m

@@ -22,6 +22,7 @@
 #import "GoogleSignIn/Sources/Public/GoogleSignIn/GIDSignInResult.h"
 
 #import "GoogleSignIn/Sources/GIDEMMSupport.h"
+#import "GoogleSignIn/Sources/GIDSignInConstants.h"
 #import "GoogleSignIn/Sources/GIDSignInInternalOptions.h"
 #import "GoogleSignIn/Sources/GIDSignInPreferences.h"
 #import "GoogleSignIn/Sources/GIDCallbackQueue.h"
@@ -124,14 +125,6 @@
 // The delay before the new sign-in flow can be presented after the existing one is cancelled.
 static const NSTimeInterval kPresentationDelayAfterCancel = 1.0;
 
-// Parameters for the auth and token exchange endpoints.
-static NSString *const kAudienceParameter = @"audience";
-// See b/11669751 .
-static NSString *const kOpenIDRealmParameter = @"openid.realm";
-static NSString *const kIncludeGrantedScopesParameter = @"include_granted_scopes";
-static NSString *const kLoginHintParameter = @"login_hint";
-static NSString *const kHostedDomainParameter = @"hd";
-
 // Minimum time to expiration for a restored access token.
 static const NSTimeInterval kMinimumRestoredAccessTokenTimeToExpire = 600.0;
 

GoogleSignIn/Sources/GIDSignInConstants.h

@@ -0,0 +1,25 @@
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#import <Foundation/Foundation.h>
+
+// Parameters for the auth and token exchange endpoints.
+extern NSString *const kAudienceParameter;
+// See b/11669751 .
+extern NSString *const kOpenIDRealmParameter;
+extern NSString *const kIncludeGrantedScopesParameter;
+extern NSString *const kLoginHintParameter;
+extern NSString *const kHostedDomainParameter;

GoogleSignIn/Sources/GIDSignInConstants.m

@@ -0,0 +1,27 @@
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#import <Foundation/Foundation.h>
+
+#import "GoogleSignIn/Sources/GIDSignInConstants.h"
+
+// Parameters for the auth and token exchange endpoints.
+NSString *const kAudienceParameter = @"audience";
+// See b/11669751 .
+NSString *const kOpenIDRealmParameter = @"openid.realm";
+NSString *const kIncludeGrantedScopesParameter = @"include_granted_scopes";
+NSString *const kLoginHintParameter = @"login_hint";
+NSString *const kHostedDomainParameter = @"hd";

GoogleSignIn/Sources/GIDVerifyAccountDetail/Implementations/GIDVerifyAccountDetail.m

@@ -22,10 +22,67 @@
 
 #import "GoogleSignIn/Sources/GIDSignInInternalOptions.h"
 #import "GoogleSignIn/Sources/GIDSignInCallbackSchemes.h"
+#import "GoogleSignIn/Sources/GIDSignInConstants.h"
+#import "GoogleSignIn/Sources/GIDSignInPreferences.h"
 
-#if TARGET_OS_IOS
+@import GTMAppAuth;
 
-@implementation GIDVerifyAccountDetail
+#ifdef SWIFT_PACKAGE
+@import AppAuth;
+@import GTMSessionFetcherCore;
+#else
+#import <AppAuth/OIDAuthorizationRequest.h>
+#import <AppAuth/OIDResponseTypes.h>
+#import <AppAuth/OIDServiceConfiguration.h>
+#endif
+
+#if TARGET_OS_IOS && !TARGET_OS_MACCATALYST
+
+// The URL template for the authorization endpoint.
+static NSString *const kAuthorizationURLTemplate = @"https://%@/o/oauth2/v2/auth";
+
+// The URL template for the token endpoint.
+static NSString *const kTokenURLTemplate = @"https://%@/token";
+
+// Expected path in the URL scheme to be handled.
+static NSString *const kBrowserCallbackPath = @"/oauth2callback";
+
+@implementation GIDVerifyAccountDetail {
+  // AppAuth configuration object.
+  OIDServiceConfiguration *_appAuthConfiguration;
+}
+
+- (nullable instancetype)initWithConfig:(GIDConfiguration *)configuration {
+  self = [super init];
+  if (self) {
+    _configuration = configuration;
+
+    NSString *authorizationEndpointURL = [NSString stringWithFormat:kAuthorizationURLTemplate,
+        [GIDSignInPreferences googleAuthorizationServer]];
+    NSString *tokenEndpointURL = [NSString stringWithFormat:kTokenURLTemplate,
+        [GIDSignInPreferences googleTokenServer]];
+    _appAuthConfiguration = [[OIDServiceConfiguration alloc]
+        initWithAuthorizationEndpoint:[NSURL URLWithString:authorizationEndpointURL]
+                        tokenEndpoint:[NSURL URLWithString:tokenEndpointURL]];
+  }
+  return self;
+}
+
+- (nullable instancetype)init {
+  GIDConfiguration *configuration;
+  NSBundle *bundle = NSBundle.mainBundle;
+  if (bundle) {
+    configuration = [GIDConfiguration configurationFromBundle:bundle];
+  }
+
+  if (!configuration) {
+    return nil;
+  }
+
+  return [self initWithConfig:configuration];
+}
+
+#pragma mark - Public methods
 
 - (void)verifyAccountDetails:(NSArray<GIDVerifiableAccountDetail *> *)accountDetails
     presentingViewController:(UIViewController *)presentingViewController
@@ -42,11 +99,6 @@ - (void)verifyAccountDetails:(NSArray<GIDVerifiableAccountDetail *> *)accountDet
                         hint:(nullable NSString *)hint
                   completion:(nullable void (^)(GIDVerifiedAccountDetailResult *_Nullable verifyResult,
                                                 NSError *_Nullable error))completion {
-  NSBundle *bundle = NSBundle.mainBundle;
-  if (bundle) {
-    _configuration = [GIDConfiguration configurationFromBundle:bundle];
-  }
-
   GIDSignInInternalOptions *options =
   [GIDSignInInternalOptions defaultOptionsWithConfiguration:_configuration
                                    presentingViewController:presentingViewController
@@ -58,10 +110,103 @@ - (void)verifyAccountDetails:(NSArray<GIDVerifiableAccountDetail *> *)accountDet
   [self verifyAccountDetailsInteractivelyWithOptions:options];
 }
 
+#pragma mark - Authentication flow
+
 - (void)verifyAccountDetailsInteractivelyWithOptions:(GIDSignInInternalOptions *)options {
-  // TODO(#397): Sanity checks and start the incremental authorization flow.
+  if (!options.interactive) {
+    return;
+  }
+
+  // Ensure that a configuration is set.
+  if (!_configuration) {
+    // NOLINTNEXTLINE(google-objc-avoid-throwing-exception)
+    [NSException raise:NSInvalidArgumentException
+                format:@"No active configuration. Make sure GIDClientID is set in Info.plist."];
+    return;
+  }
+
+  [self assertValidCurrentUser];
+
+  // Explicitly throw exception for missing client ID here. This must come before
+  // scheme check because schemes rely on reverse client IDs.
+  [self assertValidParameters:options];
+
+  [self assertValidPresentingViewController:options];
+
+  // If the application does not support the required URL schemes tell the developer so.
+  GIDSignInCallbackSchemes *schemes =
+  [[GIDSignInCallbackSchemes alloc] initWithClientIdentifier:options.configuration.clientID];
+  NSArray<NSString *> *unsupportedSchemes = [schemes unsupportedSchemes];
+  if (unsupportedSchemes.count != 0) {
+    // NOLINTNEXTLINE(google-objc-avoid-throwing-exception)
+    [NSException raise:NSInvalidArgumentException
+                format:@"Your app is missing support for the following URL schemes: %@",
+     [unsupportedSchemes componentsJoinedByString:@", "]];
+  }
+  NSURL *redirectURL = [NSURL URLWithString:[NSString stringWithFormat:@"%@:%@",
+                                             [schemes clientIdentifierScheme],
+                                             kBrowserCallbackPath]];
+
+  NSMutableDictionary<NSString *, NSString *> *additionalParameters = [@{} mutableCopy];
+  if (options.configuration.serverClientID) {
+    additionalParameters[kAudienceParameter] = options.configuration.serverClientID;
+  }
+  if (options.loginHint) {
+    additionalParameters[kLoginHintParameter] = options.loginHint;
+  }
+  if (options.configuration.hostedDomain) {
+    additionalParameters[kHostedDomainParameter] = options.configuration.hostedDomain;
+  }
+  additionalParameters[kSDKVersionLoggingParameter] = GIDVersion();
+  additionalParameters[kEnvironmentLoggingParameter] = GIDEnvironment();
+
+  NSMutableArray *scopes;
+  for (GIDVerifiableAccountDetail *detail in options.accountDetailsToVerify) {
+    NSString *scopeString = [detail scope];
+    if (scopeString) {
+      [scopes addObject:scopeString];
+    }
+  }
+
+  // TODO(#405): Use request variable to present request and process response.
+  __unused OIDAuthorizationRequest *request =
+      [[OIDAuthorizationRequest alloc] initWithConfiguration:_appAuthConfiguration
+                                                    clientId:options.configuration.clientID
+                                                      scopes:scopes
+                                                 redirectURL:redirectURL
+                                                responseType:OIDResponseTypeCode
+                                        additionalParameters:additionalParameters];
+}
+
+#pragma mark - Helpers
+
+// Assert that a current user exists.
+- (void)assertValidCurrentUser {
+  if (!GIDSignIn.sharedInstance.currentUser) {
+    // NOLINTNEXTLINE(google-objc-avoid-throwing-exception)
+    [NSException raise:NSInvalidArgumentException
+                format:@"|currentUser| must be set to verify."];
+  }
+}
+
+// Asserts the parameters being valid.
+- (void)assertValidParameters:(GIDSignInInternalOptions *)options {
+  if (![options.configuration.clientID length]) {
+    // NOLINTNEXTLINE(google-objc-avoid-throwing-exception)
+    [NSException raise:NSInvalidArgumentException
+                format:@"You must specify |clientID| in |GIDConfiguration|"];
+  }
+}
+
+// Assert that the presenting view controller has been set.
+- (void)assertValidPresentingViewController:(GIDSignInInternalOptions *)options {
+  if (!options.presentingViewController) {
+    // NOLINTNEXTLINE(google-objc-avoid-throwing-exception)
+    [NSException raise:NSInvalidArgumentException
+                format:@"|presentingViewController| must be set."];
+  }
 }
 
 @end
 
-#endif // TARGET_OS_IOS
+#endif // TARGET_OS_IOS && !TARGET_OS_MACCATALYST

GoogleSignIn/Sources/Public/GoogleSignIn/GIDVerifyAccountDetail.h

@@ -43,6 +43,14 @@ typedef void (^GIDVerifyCompletion)(GIDVerifiedAccountDetailResult *_Nullable ve
 /// The active configuration for this instance of `GIDVerifyAccountDetail`.
 @property(nonatomic, nullable) GIDConfiguration *configuration;
 
+/// Initialize a `GIDVerifyAccountDetail` object by specifying all available properties.
+///
+/// @param config The configuration to be used.
+/// @return An initialized `GIDVerifyAccountDetail` instance.
+///     Otherwise, `nil` if the configuration is invalid or the initializer fails.
+- (nullable instancetype)initWithConfig:(GIDConfiguration *)config
+    NS_DESIGNATED_INITIALIZER;
+
 /// Starts an interactive verification flow.
 ///
 /// The completion will be called at the end of this process.  Any saved verification

GoogleSignIn/Tests/Unit/GIDFakeMainBundle.h

@@ -22,12 +22,32 @@
  */
 @interface GIDFakeMainBundle : NSObject
 
+/**
+ * @fn initWithClientID:serverClientID:hostedDomain:openIDRealm:
+ * @brief Initializes a GIDFakeMainBundle object.
+ * @param clientID The fake client idenfitier for the app.
+ * @param serverClientID The fake server client idenfitier for the app.
+ * @param hostedDomain The fake hosted domain for the app.
+ * @param openIDRealm The fake OpenID realm for the app.
+ */
+- (nullable instancetype)initWithClientID:(nullable id)clientID
+                           serverClientID:(nullable id)serverClientID
+                             hostedDomain:(nullable id)hostedDomain
+                              openIDRealm:(nullable id)openIDRealm 
+    NS_DESIGNATED_INITIALIZER;
+
+/**
+ * @fn startFaking:
+ * @brief Starts faking [NSBundle mainBundle]
+ */
+- (void)startFaking;
+
 /**
  * @fn startFakingWithClientID:
  * @brief Starts faking [NSBundle mainBundle]
  * @param clientID The fake client idenfitier for the app.
  */
-- (void)startFakingWithClientID:(NSString *)clientID;
+- (void)startFakingWithClientID:(nullable NSString *)clientID;
 
 /**
  * @fn stopFaking
@@ -87,9 +107,9 @@
  * @param hostedDomain The fake hosted domain for the app.
  * @param openIDRealm The fake OpenID realm for the app.
  */
-- (void)fakeWithClientID:(id)clientID
-          serverClientID:(id)serverClientID
-            hostedDomain:(id)hostedDomain
-             openIDRealm:(id)openIDRealm;
+- (void)fakeWithClientID:(nullable id)clientID
+          serverClientID:(nullable id)serverClientID
+            hostedDomain:(nullable id)hostedDomain
+             openIDRealm:(nullable id)openIDRealm;
 
 @end