Skip to content

Expose HTTP response headers in NSError for non-2xx responses #936

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Expose HTTP response headers in NSError for non-2xx responses #936

wants to merge 1 commit into from

Conversation

yilievnet
Copy link

@yilievnet yilievnet commented Aug 28, 2025
edited
Loading

Problem

When a token request returns a non-2xx HTTP status (for example 400), AppAuth currently exposes only the response body and status code in the resulting NSError.
There is no way for SDK users to access the response headers, which are required in some flows.

Solution

Include HTTPURLResponse.allHeaderFields in the NSError.userInfo for non-2xx responses under a new exported key:

extern NSString *const OIDHTTPResponseHeadersKey;

This change is minimal and fully backward compatible. Successful responses are not affected.

Background

DPoP (RFC 9449 §8) specifies a case where an authorization server responds to a token request with a 400 status and includes a DPoP-Nonce header. Clients must extract this nonce and retry the request with a re-signed proof.

Without access to the response headers, it is impossible to implement a compliant DPoP flow using AppAuth.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@yilievnet