
Add authorization_details field to consent requested details #142

Open · wants to merge 16 commits into master

Conversation

@sam-muncke sam-muncke (Contributor) commented Feb 19, 2025

By submitting a PR to this repository, you agree to the terms within the Auth0 Code of Conduct. Please see the contributing guidelines for how to create and submit a high-quality PR for this repo.

Description

This change adds support for using Rich Authorization Requests (RAR) with the Client Initiated Backchannel Authentication (CIBA) flow. This entails including the authorization_details parameter on the initial authentication request to the AS, containing rich JSON objects with a pre-registered type field. These authorization_details are then contained in the rich-consents object retrieved by the Guardian SDK for rendering to the user during the CIBA flow.

This change modifies the Guardian ConsentRequestedDetails response object to include an authorization_details array property. Since authorization_details can be essentially arbitrary JSON, this PR also implements a Json struct to represent it, since the concrete type may not be known at compile time. It does this in preference to a more basic construct such as Dictionary<String,Any>, as the type must be Codable to deserialize the response, and it also provides a nicer API for inspecting the content of the object.

In addition, to facilitate the scenario where the concrete type of the authorization_details is known at compile time, a generic helper function filterAuthorizationDetailsByType has also been implemented to provide strongly typed access to these objects where possible.

Examples have been added to the sample app demonstrating usage of each of these methods of querying the authorization_details. One example renders a well-known strongly typed example PaymentInitiation type (this type was taken from the examples in the spec here), the second dynamically renders the properties of an unknown type.

[Screenshots: Example 1, Example 2]

References

Testing

Covered by unit and integration tests. To test e2e:

  • Requires CIBA flow and CIBA flow with RAR enabled for your Auth0 tenant.

  • Enable CIBA grant on your Auth0 application under application settings.

  • Register RAR authorization_details types on the relevant audience API under API settings

  • Using the TestApp included in this repo, configure Guardian MFA for iOS using APNs

  • Enroll the device for a user

  • Initiate a CIBA auth request with an authorization_details parameter (of types that you pre-registered on the API)

  • Device should receive a push notification, rendering a consent panel with the CIBA binding message and the authorization_details properties.

  • This change adds test coverage for new/changed/fixed functionality

Checklist

  • I have added documentation for new/changed functionality in this PR or in auth0.com/docs
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not the default branch

@sam-muncke sam-muncke marked this pull request as ready for review February 26, 2025 13:15
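An illustrative sketch, added here and not the PR's own code, of the two access patterns the description mentions: a Codable Json enum that holds arbitrary authorization_details entries, and a generic filter that decodes only the entries whose type field matches a type the app knows, leaving the rest as Json for generic rendering. The names, signatures and the constructed sample are assumptions; PaymentInitiation's fields follow the payment_initiation example in the RAR spec, not the Guardian SDK's types.

```swift
import Foundation

// Illustrative Codable wrapper for arbitrary JSON; not the Guardian SDK's own Json type.
enum Json: Codable {
    case null, bool(Bool), number(Double), string(String), array([Json]), object([String: Json])

    init(from decoder: Decoder) throws {
        let c = try decoder.singleValueContainer()
        if c.decodeNil() { self = .null }
        else if let b = try? c.decode(Bool.self) { self = .bool(b) }
        else if let n = try? c.decode(Double.self) { self = .number(n) }
        else if let s = try? c.decode(String.self) { self = .string(s) }
        else if let a = try? c.decode([Json].self) { self = .array(a) }
        else { self = .object(try c.decode([String: Json].self)) }
    }

    func encode(to encoder: Encoder) throws {
        var c = encoder.singleValueContainer()
        switch self {
        case .null: try c.encodeNil()
        case .bool(let v): try c.encode(v)
        case .number(let v): try c.encode(v)
        case .string(let v): try c.encode(v)
        case .array(let v): try c.encode(v)
        case .object(let v): try c.encode(v)
        }
    }

    // The pre-registered `type` of an authorization_details entry, if it is a string.
    var typeField: String? {
        if case .object(let o) = self, case .string(let t)? = o["type"] { return t }
        return nil
    }
}

// Shape taken from the RAR spec's payment_initiation example (assumed, trimmed to three fields).
struct PaymentInitiation: Decodable {
    struct Amount: Decodable { let currency: String; let amount: String }
    let type: String
    let instructedAmount: Amount
    let creditorName: String
}

// Decodes only entries whose `type` matches; a mismatch or malformed entry is never coerced into T.
func filterAuthorizationDetails<T: Decodable>(_ details: [Json], ofType type: String, as: T.Type) throws -> [T] {
    let encoder = JSONEncoder(), decoder = JSONDecoder()
    return try details.filter { $0.typeField == type }.map { try decoder.decode(T.self, from: encoder.encode($0)) }
}

// Constructed sample: one known type to render strongly typed, one unknown type left for generic rendering.
let sample = #"[{"type":"payment_initiation","instructedAmount":{"currency":"EUR","amount":"123.50"},"creditorName":"Merchant A"},{"type":"account_information","actions":["list_accounts"]}]"#
let details = try JSONDecoder().decode([Json].self, from: Data(sample.utf8))
let payments = try filterAuthorizationDetails(details, ofType: "payment_initiation", as: PaymentInitiation.self)
```

Because the type check happens before decoding, an entry the consent screen does not recognise cannot be mistaken for a payment; it is still available as Json for the property-by-property rendering the second sample-app example shows.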