auth0-swift-major-migration
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseAuth0.swift v3 Migration
Auth0.swift v3 迁移指南
Migrates an existing Auth0.swift v2 integration to v3. Every code change is gated on a search that confirms the project actually calls the affected API — if the project never uses , no code is touched. Changes follow the project's existing architecture and Apple platform conventions.
CredentialsManagerCredentialsManager将现有的Auth0.swift v2集成迁移至v3版本。所有代码变更都会基于搜索结果确认项目是否实际调用了受影响的API——如果项目从未使用,则不会修改任何与相关的代码。变更将遵循项目现有的架构和Apple平台规范。
CredentialsManagerCredentialsManagerWhen NOT to Use
不适用场景
- New Auth0 integration (no existing Auth0.swift): Use auth0-swift
- Minor/patch update (e.g., 2.17 → 2.18): Run or update SPM — no migration needed
pod update Auth0 - Android apps: Use auth0-android
- React Native / Expo: Use auth0-react-native or auth0-expo
- 全新Auth0集成(无现有Auth0.swift):使用auth0-swift
- 小版本/补丁更新(例如2.17 → 2.18):运行或更新SPM即可,无需迁移
pod update Auth0 - Android应用:使用auth0-android
- React Native / Expo:使用auth0-react-native或auth0-expo
Prerequisites
前置条件
- Existing Auth0.swift v2 integration
- Xcode installed; project builds cleanly on the current version
- Project under git version control with a clean working tree
- 已集成Auth0.swift v2版本
- 已安装Xcode;当前版本下项目可正常构建
- 项目处于git版本控制下,且工作区干净
Migration Workflow
迁移流程
Agent instruction: Execute every step in order. The goal is a green build with the smallest correct changeset. Each code-change step is gated by the Step 4 file-reading audit — if the API was not found in the project's source files, skip the entire step for that area. Never add code the project doesn't already call.
Agent指令: 按顺序执行每一步。目标是通过最少的正确变更实现构建成功。每个代码变更步骤都受第4步的文件读取审计限制——如果在项目源码中未找到对应API,则跳过该步骤的所有内容。绝对不要添加项目未调用的代码。
Step 1 — Pre-flight & Safety Backup
步骤1 — 预检与安全备份
bash
undefinedbash
undefined1a. Verify clean working tree — stop if there are uncommitted changes
1a. 验证工作区是否干净——如果存在未提交的变更则停止操作
git status --porcelain
If the output is non-empty, ask the user:
> *"You have uncommitted changes. Should I stash them before proceeding (`git stash`), or would you like to commit first?"*
```bashgit status --porcelain
如果输出非空,询问用户:
> *“您有未提交的变更。我应该先暂存它们(`git stash`),还是您先提交这些变更?”*
```bash1b. Create a safety branch the user can reset to at any time
1b. 创建一个安全分支,用户可随时重置到该分支
git checkout -b auth0-v3-migration-backup
git checkout -
```bashgit checkout -b auth0-v3-migration-backup
git checkout -
```bash1c. Pick an available simulator, then confirm the project builds before touching anything
1c. 选择一个可用的模拟器,然后确认项目在未做任何修改前可正常构建
SIM=$(xcrun simctl list devices available -j
| python3 -c "import sys,json; d=json.load(sys.stdin);
phones=[dev for devs in d['devices'].values() for dev in devs
if 'iPhone' in dev.get('name','') and dev.get('isAvailable')];
print(phones[0]['name'] if phones else 'iPhone 16')") xcodebuild build
-scheme <SCHEME>
-destination "platform=iOS Simulator,name=${SIM}"
2>&1 | tail -5
| python3 -c "import sys,json; d=json.load(sys.stdin);
phones=[dev for devs in d['devices'].values() for dev in devs
if 'iPhone' in dev.get('name','') and dev.get('isAvailable')];
print(phones[0]['name'] if phones else 'iPhone 16')") xcodebuild build
-scheme <SCHEME>
-destination "platform=iOS Simulator,name=${SIM}"
2>&1 | tail -5
If the build fails, stop. Ask the user to fix the existing issues first.
---SIM=$(xcrun simctl list devices available -j
| python3 -c "import sys,json; d=json.load(sys.stdin);
phones=[dev for devs in d['devices'].values() for dev in devs
if 'iPhone' in dev.get('name','') and dev.get('isAvailable')];
print(phones[0]['name'] if phones else 'iPhone 16')") xcodebuild build
-scheme <SCHEME>
-destination "platform=iOS Simulator,name=${SIM}"
2>&1 | tail -5
| python3 -c "import sys,json; d=json.load(sys.stdin);
phones=[dev for devs in d['devices'].values() for dev in devs
if 'iPhone' in dev.get('name','') and dev.get('isAvailable')];
print(phones[0]['name'] if phones else 'iPhone 16')") xcodebuild build
-scheme <SCHEME>
-destination "platform=iOS Simulator,name=${SIM}"
2>&1 | tail -5
如果构建失败,停止操作。请用户先修复现有问题。
---Step 2 — Detect Current & Target Versions
步骤2 — 检测当前版本与目标版本
Detect the current Auth0.swift version from the project's dependency files:
bash
undefined从项目的依赖文件中检测当前Auth0.swift版本:
bash
undefinedCheck Package.resolved first (most reliable)
优先检查Package.resolved(最可靠)
find . -name "Package.resolved" | xargs grep -A3 '"auth0/Auth0.swift"|Auth0.swift"' 2>/dev/null | grep '"version"'
find . -name "Package.resolved" | xargs grep -A3 '"auth0/Auth0.swift"|Auth0.swift"' 2>/dev/null | grep '"version"'
Fallback: Podfile.lock
备选:Podfile.lock
grep "^ - Auth0 " Podfile.lock 2>/dev/null
grep "^ - Auth0 " Podfile.lock 2>/dev/null
Fallback: Cartfile.resolved
备选:Cartfile.resolved
grep "auth0/Auth0.swift" Cartfile.resolved 2>/dev/null
grep "auth0/Auth0.swift" Cartfile.resolved 2>/dev/null
Fallback: Package.swift
备选:Package.swift
grep -A2 'auth0/Auth0.swift' Package.swift 2>/dev/null
**Resolve the target version.** There are two paths:
**Path A — the user passed a target version argument (`$ARGUMENTS`):**
Validate it against the published releases before using it. It must pass **all three** checks:
```bashgrep -A2 'auth0/Auth0.swift' Package.swift 2>/dev/null
**确定目标版本**。有两种路径:
**路径A — 用户传入了目标版本参数(`$ARGUMENTS`):**
在使用前先验证其是否符合已发布的版本。必须通过以下**全部三项**检查:
```bashList all published Auth0.swift v3 release tags
列出所有已发布的Auth0.swift v3版本标签
curl -s https://api.github.com/repos/auth0/Auth0.swift/releases | python3 -c "
import sys, json
releases = json.load(sys.stdin)
v3 = [r for r in releases if r['tag_name'].startswith('3') and not r['draft']]
for r in v3:
print(r['tag_name'])
"
1. **Exists** — the requested tag appears in the published release list above.
2. **Correct major** — the tag is within the **v3** major line (starts with `3`). A `2.x` or any other major is not valid; reject it.
3. **Not a downgrade** — the tag is newer than the version detected in the project.
> **On any check failing, STOP and ask the user.** Do not silently fall back. For example:
> - *"`3.9.9` isn't a published Auth0.swift release. Published v3 releases are: `3.0.0-beta.2`, … . Please pass a valid v3 tag, or omit the argument to auto-resolve the latest v3 release."*
> - *"`2.10.0` is a v2 release, not v3. This skill migrates to v3. Pass a v3 tag (e.g. `3.0.0-beta.2`) or omit the argument."*
> - *"`3.0.0-beta.1` is older than the `3.0.0-beta.2` already in your project — that's a downgrade. Pass a newer v3 tag or omit the argument."*
**Path B — no argument: auto-resolve the latest v3 release (including pre-releases):**
```bashcurl -s https://api.github.com/repos/auth0/Auth0.swift/releases | python3 -c "
import sys, json
releases = json.load(sys.stdin)
v3 = [r for r in releases if r['tag_name'].startswith('3') and not r['draft']]
for r in v3:
print(r['tag_name'])
"
1. **存在性** — 请求的标签出现在上述已发布版本列表中。
2. **主版本正确** — 标签属于**v3**主版本系列(以`3`开头)。`2.x`或其他主版本无效,需拒绝。
3. **非降级** — 标签版本比项目中检测到的当前版本更新。
> **如果任何一项检查失败,立即停止并询问用户**。不要静默回退。例如:
> - *“`3.9.9`不是已发布的Auth0.swift版本。已发布的v3版本包括:`3.0.0-beta.2`,……。请传入有效的v3标签,或省略参数以自动选择最新的v3版本。”*
> - *“`2.10.0`是v2版本,不是v3版本。该工具仅用于迁移到v3版本。请传入v3标签(例如`3.0.0-beta.2`)或省略参数。”*
> - *“`3.0.0-beta.1`比您项目中已有的`3.0.0-beta.2`版本旧——这属于降级操作。请传入更新的v3标签或省略参数。”*
**路径B — 无参数:自动选择最新的v3版本(包括预发布版本):**
```bashNewest v3.x release tag (stable or pre-release), most recent first
最新的v3.x版本标签(稳定版或预发布版),按发布时间倒序排列
curl -s https://api.github.com/repos/auth0/Auth0.swift/releases | python3 -c "
import sys, json
releases = json.load(sys.stdin)
v3 = [r for r in releases if r['tag_name'].startswith('3') and not r['draft']]
if v3:
print(v3[0]['tag_name'])
else:
print('')
"
Record the result as `<TARGET_TAG>` and use it in every subsequent step.
> **If `<TARGET_TAG>` is a pre-release** (contains `-beta`, `-rc`, etc.), inform the user before continuing:
> *"The latest v3 release is `<TARGET_TAG>` (a pre-release). I'll migrate to that. You can pin a different tag by passing it as an argument: `auth0-swift-major-migration <tag>`."*
>
> **If no v3 release exists** (the resolver returns empty), stop and tell the user there is no published v3 release to migrate to.
---curl -s https://api.github.com/repos/auth0/Auth0.swift/releases | python3 -c "
import sys, json
releases = json.load(sys.stdin)
v3 = [r for r in releases if r['tag_name'].startswith('3') and not r['draft']]
if v3:
print(v3[0]['tag_name'])
else:
print('')
"
将结果记录为`<TARGET_TAG>`,并在后续所有步骤中使用。
> **如果`<TARGET_TAG>`是预发布版本**(包含`-beta`、`-rc`等),在继续前告知用户:
> *“最新的v3版本是`<TARGET_TAG>`(预发布版)。我将迁移到该版本。您可以通过传入参数指定其他标签:`auth0-swift-major-migration <tag>`。”*
>
> **如果不存在v3版本**(解析结果为空),停止操作并告知用户没有可迁移的已发布v3版本。
---Step 3 — Fetch & Read the v3 SDK Source
步骤3 — 获取并读取v3 SDK源码
Fetch the actual Swift source for the target tag. The signatures here are the authoritative reference for every change made in Step 6.
bash
TAG=<TARGET_TAG> # the version the developer chose in Step 2, e.g. 3.0.0-beta.2获取目标标签对应的Swift源码。这里的签名是第6步中所有变更的权威参考。
bash
TAG=<TARGET_TAG> # 开发者在步骤2中选择的版本,例如3.0.0-beta.2List all public Swift files in the SDK
列出SDK中所有公开的Swift文件
curl -s "https://api.github.com/repos/auth0/Auth0.swift/git/trees/${TAG}?recursive=1"
| python3 -c " import sys, json for item in json.load(sys.stdin).get('tree', []): if item['path'].startswith('Auth0/') and item['path'].endswith('.swift'): print(item['path']) "
| python3 -c " import sys, json for item in json.load(sys.stdin).get('tree', []): if item['path'].startswith('Auth0/') and item['path'].endswith('.swift'): print(item['path']) "
curl -s "https://api.github.com/repos/auth0/Auth0.swift/git/trees/${TAG}?recursive=1"
| python3 -c " import sys, json for item in json.load(sys.stdin).get('tree', []): if item['path'].startswith('Auth0/') and item['path'].endswith('.swift'): print(item['path']) "
| python3 -c " import sys, json for item in json.load(sys.stdin).get('tree', []): if item['path'].startswith('Auth0/') and item['path'].endswith('.swift'): print(item['path']) "
Fetch core public API files
获取核心公开API文件
for FILE in WebAuth.swift CredentialsManager.swift Authentication.swift
Credentials.swift UserProfile.swift Requestable.swift
CredentialsStorage.swift CredentialsManagerError.swift WebAuthError.swift; do URL="https://raw.githubusercontent.com/auth0/Auth0.swift/${TAG}/Auth0/${FILE}" CONTENT=$(curl -sf "$URL") [ -n "$CONTENT" ] && echo "=== $FILE ===" && echo "$CONTENT" done
Credentials.swift UserProfile.swift Requestable.swift
CredentialsStorage.swift CredentialsManagerError.swift WebAuthError.swift; do URL="https://raw.githubusercontent.com/auth0/Auth0.swift/${TAG}/Auth0/${FILE}" CONTENT=$(curl -sf "$URL") [ -n "$CONTENT" ] && echo "=== $FILE ===" && echo "$CONTENT" done
for FILE in WebAuth.swift CredentialsManager.swift Authentication.swift
Credentials.swift UserProfile.swift Requestable.swift
CredentialsStorage.swift CredentialsManagerError.swift WebAuthError.swift; do URL="https://raw.githubusercontent.com/auth0/Auth0.swift/${TAG}/Auth0/${FILE}" CONTENT=$(curl -sf "$URL") [ -n "$CONTENT" ] && echo "=== $FILE ===" && echo "$CONTENT" done
Credentials.swift UserProfile.swift Requestable.swift
CredentialsStorage.swift CredentialsManagerError.swift WebAuthError.swift; do URL="https://raw.githubusercontent.com/auth0/Auth0.swift/${TAG}/Auth0/${FILE}" CONTENT=$(curl -sf "$URL") [ -n "$CONTENT" ] && echo "=== $FILE ===" && echo "$CONTENT" done
MFA files live in a subdirectory
MFA文件位于子目录中
for FILE in MFA/MFAClient.swift MFA/MFAErrors.swift; do
URL="https://raw.githubusercontent.com/auth0/Auth0.swift/${TAG}/Auth0/${FILE}"
CONTENT=$(curl -sf "$URL")
[ -n "$CONTENT" ] && echo "=== $FILE ===" && echo "$CONTENT"
done
Read the fetched source and note:
- Every public method signature that changed (return type, parameters, `throws` added)
- Types that were renamed or removed
- Protocol requirements that changed
- Default parameter values that changed
This is the ground truth. Every change in Step 6 must match a real signature in these files.
---for FILE in MFA/MFAClient.swift MFA/MFAErrors.swift; do
URL="https://raw.githubusercontent.com/auth0/Auth0.swift/${TAG}/Auth0/${FILE}"
CONTENT=$(curl -sf "$URL")
[ -n "$CONTENT" ] && echo "=== $FILE ===" && echo "$CONTENT"
done
读取获取到的源码并记录:
- 所有变更的公开方法签名(返回类型、参数、新增`throws`)
- 重命名或移除的类型
- 变更的协议要求
- 变更的默认参数值
这是最根本的依据。第6步中的所有变更必须与这些文件中的实际签名一致。
---Step 4 — Audit Which Auth0 APIs the Project Uses
步骤4 — 审计项目使用的Auth0 API
Find all Swift files that import Auth0 — these are the scope of the migration:
bash
grep -rl "import Auth0" --include="*.swift" .Read every file from that list. Do not grep for specific API patterns — read the full source so you can see exactly how , , , , and any Auth0 types are used, including calls with domain/clientId parameters, chained builder calls, and any custom conformances.
Auth0webAuthauthenticationcredentialsManagerFor each file, identify:
| What to look for | Why it matters |
|---|---|
Any call to | §6.1 – |
Any call to | §6.1 — rename to |
Switch/catch on | §6.2 — removed and new cases |
| §6.3 — removable in v3 |
Any stored | §6.4 — type changed to |
Test mocks conforming to | §6.4 — return type + |
Any call to | §6.5 — Bool → throws |
Any call to | §6.6 — Bool → throws (both overloads) |
Any access to | §6.7 — replaced by |
Any call to | §6.8 — new error paths |
Any type annotation or declaration using | §6.9 — renamed to |
Any access to | §6.10 — renamed to |
Any type conforming to | §6.11 — method signatures changed |
Any call to | §6.12 — Management client removed |
| §6.13 — MFA methods removed |
Any call to | §6.14 — default scope changed |
Any call to | §6.15 — default minTTL changed from 0 to 60 seconds |
Build a checklist: "This project uses: [list]" and "This project does NOT use: [list]". Only work through the §6.x sections that appear in the "uses" list. Skip the rest entirely.
找到所有导入Auth0的Swift文件——这些是迁移的范围:
bash
grep -rl "import Auth0" --include="*.swift" .读取该列表中的每个文件。不要仅通过grep查找特定API模式——要读取完整源码,以便准确了解、、、以及任何Auth0类型的使用方式,包括带有domain/clientId参数的调用、链式构建器调用和任何自定义协议实现。
Auth0webAuthauthenticationcredentialsManager针对每个文件,识别以下内容:
| 检查内容 | 重要性 |
|---|---|
任何对 | §6.1 – |
任何对 | §6.1 — 重命名为 |
对 | §6.2 — 移除和新增的枚举值 |
使用 | §6.3 — v3中可移除 |
任何存储的 | §6.4 — 类型变更为 |
符合 | §6.4 — 返回类型 + |
任何对 | §6.5 — Bool返回值改为throws |
任何对 | §6.6 — Bool返回值改为throws(两个重载方法) |
对 | §6.7 — 替换为 |
任何对 | §6.8 — 新增错误路径 |
任何使用 | §6.9 — 重命名为 |
对 | §6.10 — 重命名为 |
任何符合 | §6.11 — 方法签名变更 |
任何对 | §6.12 — 移除Management客户端 |
| §6.13 — 移除MFA方法 |
任何未链式调用 | §6.14 — 默认scope变更 |
任何未显式指定 | §6.15 — 默认minTTL从0秒改为60秒 |
创建一个检查清单:“项目使用:[列表]” 和 “项目未使用:[列表]”。仅处理“使用”列表中对应的§6.x部分。完全跳过其余部分。
Step 5 — Update the SDK Dependency
步骤5 — 更新SDK依赖
Apply only the matching package manager.
Use the chosen in Step 2. For stable releases ( with no suffix), use a range specifier. For pre-releases (), pin the exact tag — package managers treat pre-release versions as out-of-range for / rules.
<TARGET_TAG>3.x.y3.x.y-beta.z~>from:Swift Package Manager (Package.swift):
swift
// Stable v3 — range specifier picks up all 3.x.y patches
.package(url: "https://github.com/auth0/Auth0.swift", from: "3.0.0")
// Pre-release / specific beta — exact tag required
.package(url: "https://github.com/auth0/Auth0.swift", exact: "3.0.0-beta.2")Then resolve:
bash
swift package resolveCocoaPods (Podfile):
ruby
undefined仅应用匹配的包管理器配置。
使用步骤2中选择的。对于稳定版本(无后缀的),使用范围指定符。对于预发布版本(),需固定精确标签——包管理器会将预发布版本视为超出 / 规则的范围。
<TARGET_TAG>3.x.y3.x.y-beta.z~>from:Swift Package Manager (Package.swift):
swift
// 稳定v3版本 — 范围指定符会自动获取所有3.x.y补丁版本
.package(url: "https://github.com/auth0/Auth0.swift", from: "3.0.0")
// 预发布/特定beta版本 — 需要精确标签
.package(url: "https://github.com/auth0/Auth0.swift", exact: "3.0.0-beta.2")然后执行解析:
bash
swift package resolveCocoaPods (Podfile):
ruby
// 稳定v3版本
pod 'Auth0', '~> 3.0'
// 预发布/特定beta版本 — 固定精确版本
pod 'Auth0', '3.0.0-beta.2'然后执行:
bash
pod update Auth0Carthage (Cartfile):
plaintext
// 稳定v3版本
github "auth0/Auth0.swift" ~> 3.0
// 预发布/特定beta版本 — 固定精确标签
github "auth0/Auth0.swift" "3.0.0-beta.2"然后执行:
bash
carthage update Auth0.swift --use-xcframeworksXcode管理的SPM(根目录无):
Package.swift- 稳定版: 文件 → 包 → 更新到最新包版本,然后验证版本规则为“从3.0.0开始的下一个主版本”。
- 预发布/特定beta版本: 文件 → 包 → 更新到最新包版本不会解析beta版本,除非依赖已固定精确版本。告知用户将版本规则改为“精确版本”并输入(或所选标签)。
3.0.0-beta.2
此时不要构建——先应用所有已知的代码变更。
Stable v3
步骤6 — 应用破坏性变更
pod 'Auth0', '~> 3.0'
Agent指令: 仅处理步骤4文件读取审计中匹配的§6.x部分。跳过项目未使用的API对应的所有章节——不要修改这些文件。严格按照所示内容应用每个变更。不要修改周边代码、重命名变量、格式化代码或现代化未迁移的代码。匹配项目现有的风格:完成回调→完成回调,async/await→async/await,Combine→Combine。
Pre-release / specific beta — pin the exact version
6.1 — WebAuth.clearSession()
→ WebAuth.logout()
WebAuth.clearSession()WebAuth.logout()pod 'Auth0', '3.0.0-beta.2'
Then:
```bash
pod update Auth0Carthage (Cartfile):
plaintext
undefined适用场景: 步骤4在项目源码中找到任何对的调用。
.clearSession(clearSession(federated:)logout(federated:)完成回调:
swift
// v2
Auth0.webAuth().clearSession { result in
switch result {
case .success: handleLogoutSuccess()
case .failure(let error): handleError(error)
}
}
// v3
Auth0.webAuth().logout { result in
switch result {
case .success: handleLogoutSuccess()
case .failure(let error): handleError(error)
}
}async/await:
swift
// v2
try await Auth0.webAuth().clearSession()
// v3
try await Auth0.webAuth().logout()Combine:
swift
// v2
Auth0.webAuth().clearSession()
.sink(receiveCompletion: { ... }, receiveValue: { ... })
.store(in: &cancellables)
// v3
Auth0.webAuth().logout()
.sink(receiveCompletion: { ... }, receiveValue: { ... })
.store(in: &cancellables)带有参数: 参数名称不变——仅重命名方法:
federated: trueswift
// v2
try await Auth0.webAuth().clearSession(federated: true)
// v3
try await Auth0.webAuth().logout(federated: true)Stable v3
6.2 — WebAuthError
— 移除和新增枚举值(针对穷举switch
语句)
WebAuthErrorswitchgithub "auth0/Auth0.swift" ~> 3.0
适用场景: 步骤4在项目源码中找到任何对使用明确枚举值的或语句。
WebAuthErrorswitchcatchv3版本中移除了两个枚举值。如果项目对使用穷举(或显式匹配这些枚举值),构建会失败。
WebAuthErrorWebAuthErrorswitch新增了三个枚举值以暴露之前隐藏的失败场景。
已移除的枚举值(匹配时会编译失败):
| v2枚举值 | v3行为 |
|---|---|
| 已移除——现在会以 |
| 已移除——现在会以 |
新增的枚举值(现在会出现在/块中):
catchswitch| v3枚举值 | 触发场景 |
|---|---|
| 服务端失败:密码错误、需要MFA、账户锁定等 |
| 令牌交换失败:网络问题、无效授权、后端错误 |
| 登录/登出后,Credentials管理器存储或清除凭据失败;可通过 |
迁移操作——从switch语句中删除已移除的枚举值:
swift
// v2 — 包含已不存在枚举值的穷举switch
Auth0.webAuth().start { result in
switch result {
case .success(let credentials):
handle(credentials)
case .failure(let error):
switch error {
case .userCancelled:
break // 用户取消操作——无需处理
case .pkceNotAllowed:
// ❌ v3中编译错误——移除该枚举值
showConfigError("PKCE not allowed")
default:
showError(error)
}
}
}
// v3 — 删除已移除的枚举值;按需处理新增的枚举值
Auth0.webAuth().start { result in
switch result {
case .success(let credentials):
handle(credentials)
case .failure(let error):
switch error {
case .userCancelled:
break // 用户取消操作——无需处理
case .authenticationFailed:
// 服务端拒绝登录——显示合适的提示信息
showError("登录失败,请检查您的凭据。")
case .codeExchangeFailed:
// 令牌交换失败——网络或服务端问题
showError("出现错误,请重试。")
case .credentialsManagerError:
// 登录成功但无法存储凭据
// 用户在内存中已认证,但下次启动需重新登录
// 可通过error.cause访问底层错误(WebAuthError.cause: Error?)
reportToMonitoring(error.cause)
showError("无法保存您的会话。")
default:
showError(error)
}
}
}如果项目使用async/await并捕获特定枚举值:
swift
// v2
do {
let credentials = try await Auth0.webAuth().start()
handle(credentials)
} catch WebAuthError.userCancelled {
break
} catch WebAuthError.pkceNotAllowed {
// ❌ v3中编译错误——移除该catch块
showConfigError()
} catch {
showError(error)
}
// v3 — 删除已移除的枚举值;如果项目需要处理新增枚举值则添加
do {
let credentials = try await Auth0.webAuth().start()
handle(credentials)
} catch WebAuthError.userCancelled {
break
} catch WebAuthError.authenticationFailed {
showError("登录失败,请检查您的凭据。")
} catch WebAuthError.codeExchangeFailed {
showError("出现错误,请重试。")
} catch {
showError(error)
}新增的和.authenticationFailed枚举值不需要显式处理——.codeExchangeFailed分支已能捕获它们。仅当项目需要为这些失败场景显示不同UI或上报遥测数据时,才添加显式处理分支。default:
Pre-release / specific beta — pin the exact tag
6.3 — 移除WebAuth和CredentialsManager回调周围冗余的主线程调度
github "auth0/Auth0.swift" "3.0.0-beta.2"
Then:
```bash
carthage update Auth0.swift --use-xcframeworksXcode-managed SPM (no at root):
Package.swift- Stable: File → Packages → Update to Latest Package Versions, then verify the version rule is Up to Next Major from 3.0.0.
- Pre-release / specific beta: File → Packages → Update to Latest Package Versions won't resolve a beta unless the dependency already pins an exact version. Tell the user to change the version rule to Exact Version and enter (or the chosen tag).
3.0.0-beta.2
Do not build yet — apply all known code changes first.
适用场景: 步骤4找到使用或包裹Auth0回调体的代码。
DispatchQueue.main.asyncMainActor.run在v3版本中,所有完成回调、Combine发布者和async/await方法都会在主线程返回结果(它们被标记为)。不再需要将回调体包裹在或中,可以移除这些调度代码。
@MainActorDispatchQueue.main.async { }await MainActor.run { }完成回调——移除调度包装器:
swift
// v2 — 手动调度到主线程
credentialsManager.credentials { result in
DispatchQueue.main.async {
switch result {
case .success(let credentials):
self.accessToken = credentials.accessToken
self.isAuthenticated = true
case .failure(let error):
self.authError = error
}
}
}
// v3 — 回调已在主线程返回
credentialsManager.credentials { result in
switch result {
case .success(let credentials):
self.accessToken = credentials.accessToken
self.isAuthenticated = true
case .failure(let error):
self.authError = error
}
}async/await——移除MainActor.run包装器:
swift
// v2
let credentials = try await Auth0.webAuth().start()
await MainActor.run {
self.isAuthenticated = true
}
// v3 — start()是@MainActor方法;await后已处于主线程
let credentials = try await Auth0.webAuth().start()
self.isAuthenticated = true仅移除仅用于保护Auth0回调体的调度包装器。如果块还包含无关的UI操作,仅移除与Auth0回调相关的部分。DispatchQueue.main.async
Step 6 — Apply Breaking Changes
6.4 — Authentication
/ MFAClient
方法返回Requestable
而非Request
— 应用代码和测试mock
AuthenticationMFAClientRequestableRequestAgent instruction: Work through only the §6.x sections that matched during the Step 4 file-reading audit. Skip every section whose API the project does not use — do not touch those files.Apply each change exactly as shown. Do not alter surrounding code, rename variables, reformat, or modernise code that isn't being migrated. Match the project's existing style: completion handler → completion handler, async/await → async/await, Combine → Combine.
适用场景: 步骤4找到以下任一场景:(a) 应用代码中存在存储的类型注解;(b) 测试/mock文件中存在符合、或协议的类型。
Request<…>AuthenticationMFAClientRequestable在v3版本中,所有和方法返回协议类型而非具体的结构体:
AuthenticationMFAClientRequest- 返回凭据的方法(login、codeExchange、renew、ssoExchange等)现在返回
any TokenRequestable<T, E> - 所有其他方法(signup、resetPassword、userInfo、jwks等)现在返回
any Requestable<T, E>
对应用代码的影响: 直接链式调用的调用点——绝大多数场景——无需修改即可编译。唯一会报错的应用代码是存在存储的类型注解的情况:
.start(_:)Request<>swift
// v2 — 将请求存储为带类型的变量
let request: Request<Credentials, AuthenticationError> = Auth0
.authentication()
.login(usernameOrEmail: email, password: password,
realmOrConnection: "Username-Password-Authentication",
audience: audience, scope: scope)
request.start { result in ... }
// v3 — 将类型注解更新为协议类型
// 对于返回凭据的方法:
let request: any TokenRequestable<Credentials, AuthenticationError> = Auth0
.authentication()
.login(usernameOrEmail: email, password: password,
realmOrConnection: "Username-Password-Authentication",
audience: audience, scope: scope)
request.start { result in ... }
// 对于非凭据方法(signup、resetPassword、userInfo、jwks):
let request: any Requestable<DatabaseUser, AuthenticationError> = Auth0
.authentication()
.signup(email: email, password: password, connection: connection)
request.start { result in ... }
// 最常见的模式——直接链式调用,无需注解,无需修改:
Auth0.authentication()
.login(usernameOrEmail: email, password: password,
realmOrConnection: "Username-Password-Authentication",
audience: audience, scope: scope)
.start { result in ... } // ✅ 无需修改现在返回的返回凭据方法(完整列表):
any TokenRequestablelogin(email:code:audience:scope:)login(phoneNumber:code:audience:scope:)login(usernameOrEmail:password:realmOrConnection:audience:scope:)loginDefaultDirectory(withUsername:password:audience:scope:)login(appleAuthorizationCode:fullName:profile:audience:scope:)login(facebookSessionAccessToken:profile:audience:scope:)- — 两个重载方法(使用passkey登录+注册)
login(passkey:challenge:connection:audience:scope:organization:) codeExchange(withCode:codeVerifier:redirectURI:)renew(withRefreshToken:audience:scope:)ssoExchange(withRefreshToken:)customTokenExchange(subjectToken:subjectTokenType:audience:scope:organization:parameters:)- ,
MFAClient.verify(otp:mfaToken:),verify(oobCode:bindingCode:mfaToken:)verify(recoveryCode:mfaToken:)
对测试目标的影响——自定义 mock:
Authentication如果项目的测试目标存在符合或协议的mock或stub,需要进行两项修改:
AuthenticationMFAClient- 返回类型: 将改为
Request<T, E>(凭据方法)或any TokenRequestable<T, E>(其他方法)any Requestable<T, E> - 回调: 添加
start(_:)以匹配更新后的@MainActor协议要求Requestable
swift
// v2 — 测试中的mock Authentication协议实现
class MockAuthentication: Authentication {
var credentialsResult: Result<Credentials, AuthenticationError> = .failure(.init(info: [:], statusCode: 0))
func login(usernameOrEmail username: String,
password: String,
realmOrConnection realm: String,
audience: String?,
scope: String) -> Request<Credentials, AuthenticationError> {
// ❌ v3中编译错误——Request不再是返回类型
return Request(session: URLSession.shared, ...) // v2内部实现——不再可用
}
}
// v2 — 用作stub的mock Requestable
struct MockRequest<T, E: Auth0Error>: Requestable {
let result: Result<T, E>
func start(_ callback: @escaping (Result<T, E>) -> Void) {
// ❌ 缺少@MainActor——不符合v3的Requestable协议
callback(result)
}
}
// v3 — 更新后的mock
struct MockRequest<T, E: Auth0Error>: Requestable {
let result: Result<T, E>
// ✅ 添加@MainActor以匹配协议;通过Task调度满足@MainActor隔离要求
func start(_ callback: @escaping @MainActor (Result<T, E>) -> Void) {
Task { @MainActor in callback(result) }
}
}
// v3 — 更新后的Authentication mock,返回正确的协议类型
class MockAuthentication: Authentication {
var credentialsResult: Result<Credentials, AuthenticationError> = .failure(.init(info: [:], statusCode: 0))
func login(usernameOrEmail username: String,
password: String,
realmOrConnection realm: String,
audience: String?,
scope: String) -> any TokenRequestable<Credentials, AuthenticationError> {
// ✅ 返回MockTokenRequest,而非Request
return MockTokenRequest(result: credentialsResult)
}
}
// v3 — TokenRequestable mock(用于返回凭据的方法)
struct MockTokenRequest<T, E: Auth0Error>: TokenRequestable {
typealias ResultType = T
typealias ErrorType = E
let result: Result<T, E>
func start(_ callback: @escaping @MainActor (Result<T, E>) -> Void) {
Task { @MainActor in callback(result) }
}
// TokenRequestable新增了这些声明验证构建器方法——返回self即可
func validateClaims() -> any TokenRequestable<T, E> { self }
func withLeeway(_ leeway: Int) -> any TokenRequestable<T, E> { self }
func withIssuer(_ issuer: String) -> any TokenRequestable<T, E> { self }
func withNonce(_ nonce: String?) -> any TokenRequestable<T, E> { self }
func withMaxAge(_ maxAge: Int?) -> any TokenRequestable<T, E> { self }
func withOrganization(_ organization: String?) -> any TokenRequestable<T, E> { self }
}上面的stub通过返回MockTokenRequest来实现所有self构建器方法。在大多数测试中,TokenRequestable和validateClaims()修饰符不会被调用,因此返回with*是正确的。如果特定测试需要验证声明验证行为,则需正确实现这些方法。self
6.1 — WebAuth.clearSession()
→ WebAuth.logout()
WebAuth.clearSession()WebAuth.logout()6.5 — CredentialsManager.store(credentials:)
— Bool返回值改为throws
CredentialsManager.store(credentials:)Applies if: Step 4 found any call to in the project's source files.
.clearSession(The method was renamed to . The parameter and its default value are unchanged.
clearSession(federated:)logout(federated:)Completion handler:
swift
// v2
Auth0.webAuth().clearSession { result in
switch result {
case .success: handleLogoutSuccess()
case .failure(let error): handleError(error)
}
}
// v3
Auth0.webAuth().logout { result in
switch result {
case .success: handleLogoutSuccess()
case .failure(let error): handleError(error)
}
}async/await:
swift
// v2
try await Auth0.webAuth().clearSession()
// v3
try await Auth0.webAuth().logout()Combine:
swift
// v2
Auth0.webAuth().clearSession()
.sink(receiveCompletion: { ... }, receiveValue: { ... })
.store(in: &cancellables)
// v3
Auth0.webAuth().logout()
.sink(receiveCompletion: { ... }, receiveValue: { ... })
.store(in: &cancellables)With : The parameter name is the same — just rename the method:
federated: trueswift
// v2
try await Auth0.webAuth().clearSession(federated: true)
// v3
try await Auth0.webAuth().logout(federated: true)适用场景: 步骤4在项目源码中找到任何对的调用。
credentialsManager.store(credentials:store(credentials:)BoolVoid如果项目检查了返回值:
swift
// v2
if credentialsManager.store(credentials: credentials) {
print("存储成功")
} else {
print("存储失败")
}
// v3 — 使用do-catch;将错误映射到项目现有的错误处理逻辑
do {
try credentialsManager.store(credentials: credentials)
} catch {
// 替换为项目已有的日志/错误处理逻辑
handleError(error)
}如果项目忽略了返回值:
swift
// v2 — 静默忽略返回值
_ = credentialsManager.store(credentials: credentials)
// v3 — try?同样会忽略错误;如果项目之前未处理失败则使用该方式
try? credentialsManager.store(credentials: credentials)当项目有可接入的错误处理模式时,优先使用而非do-catch。仅当需要保留有意的静默忽略行为时才使用try?。try?
6.2 — WebAuthError
— removed and new cases in exhaustive switch
statements
WebAuthErrorswitch6.6 — CredentialsManager.clear()
和clear(forAudience:scope:)
— Bool返回值改为throws
CredentialsManager.clear()clear(forAudience:scope:)Applies if: Step 4 found any or on with explicit case names in the project's source files.
switchcatchWebAuthErrorTwo cases were removed in v3. If the project has an exhaustive over (or explicitly matches these cases), the build will fail.
WebAuthErrorswitchWebAuthErrorThree new cases were added to surface previously hidden failures.
Removed cases (will no longer compile if matched):
| v2 case | v3 behaviour |
|---|---|
| Removed — now surfaces as |
| Removed — now surfaces as |
New cases (can now appear in / blocks):
catchswitch| v3 case | When it fires |
|---|---|
| Server-side failure: wrong password, MFA required, account locked, etc. |
| Token exchange failed: network issue, invalid grant, backend error |
| Credentials manager failed to store or clear credentials after login/logout; access the underlying error via |
Migration — remove the deleted cases from switch statements:
swift
// v2 — exhaustive switch including cases that no longer exist
Auth0.webAuth().start { result in
switch result {
case .success(let credentials):
handle(credentials)
case .failure(let error):
switch error {
case .userCancelled:
break // user dismissed — no action needed
case .pkceNotAllowed:
// ❌ compile error in v3 — remove this case
showConfigError("PKCE not allowed")
default:
showError(error)
}
}
}
// v3 — remove the deleted cases; handle the new ones where appropriate
Auth0.webAuth().start { result in
switch result {
case .success(let credentials):
handle(credentials)
case .failure(let error):
switch error {
case .userCancelled:
break // user dismissed — no action needed
case .authenticationFailed:
// server rejected the login — show an appropriate message
showError("Login failed. Please check your credentials.")
case .codeExchangeFailed:
// token exchange failed — network or server issue
showError("Something went wrong. Please try again.")
case .credentialsManagerError:
// login succeeded but credentials could not be stored
// the user is authenticated in memory but will need to log in again next launch
// access the underlying error via error.cause (WebAuthError.cause: Error?)
reportToMonitoring(error.cause)
showError("Could not save your session.")
default:
showError(error)
}
}
}If the project uses async/await and catches specific cases:
swift
// v2
do {
let credentials = try await Auth0.webAuth().start()
handle(credentials)
} catch WebAuthError.userCancelled {
break
} catch WebAuthError.pkceNotAllowed {
// ❌ compile error in v3 — remove this catch
showConfigError()
} catch {
showError(error)
}
// v3 — remove deleted cases; add new ones if the project should handle them
do {
let credentials = try await Auth0.webAuth().start()
handle(credentials)
} catch WebAuthError.userCancelled {
break
} catch WebAuthError.authenticationFailed {
showError("Login failed. Please check your credentials.")
} catch WebAuthError.codeExchangeFailed {
showError("Something went wrong. Please try again.")
} catch {
showError(error)
}The new casesand.authenticationFailedare not required to be handled explicitly — a.codeExchangeFailedbranch already catches them. Only add explicit cases if the project wants to show different UI or telemetry for those failures.default:
适用场景: 步骤4在项目源码中找到任何对或的调用。
credentialsManager.clear()credentialsManager.clear(forAudience:两个重载方法之前都返回。在v3版本中,两个方法都会抛出错误:
Bool- — 清除主存储的凭据
clear() throws - — 清除特定受众的API凭据
clear(forAudience:scope:) throws
swift
// v2
_ = credentialsManager.clear()
_ = credentialsManager.clear(forAudience: "https://api.example.com")
// v3
try? credentialsManager.clear()
try? credentialsManager.clear(forAudience: "https://api.example.com")
// 或者,如果项目需要处理错误:
do {
try credentialsManager.clear()
} catch {
handleError(error)
}6.3 — Remove redundant main-thread dispatch around WebAuth and CredentialsManager callbacks
6.7 — CredentialsManager.user
属性 → userProfile()
抛出方法
CredentialsManager.useruserProfile()Applies if: Step 4 found or wrapping an Auth0 callback body.
DispatchQueue.main.asyncMainActor.runIn v3, all completion-handler callbacks, Combine publishers, and async/await methods deliver results on the main thread (they are ). Wrapping callback bodies in or is no longer necessary and can be removed.
@MainActorDispatchQueue.main.async { }await MainActor.run { }Completion handler callback — remove the dispatch wrapper:
swift
// v2 — dispatch to main manually
credentialsManager.credentials { result in
DispatchQueue.main.async {
switch result {
case .success(let credentials):
self.accessToken = credentials.accessToken
self.isAuthenticated = true
case .failure(let error):
self.authError = error
}
}
}
// v3 — callback already arrives on main thread
credentialsManager.credentials { result in
switch result {
case .success(let credentials):
self.accessToken = credentials.accessToken
self.isAuthenticated = true
case .failure(let error):
self.authError = error
}
}async/await — remove the MainActor.run wrapper:
swift
// v2
let credentials = try await Auth0.webAuth().start()
await MainActor.run {
self.isAuthenticated = true
}
// v3 — start() is @MainActor; already on main thread after the await
let credentials = try await Auth0.webAuth().start()
self.isAuthenticated = trueOnly remove dispatch wrappers that are solely protecting Auth0 callback bodies. If ablock also dispatches unrelated UI work, remove only what's attributable to the Auth0 callback.DispatchQueue.main.async
适用场景: 步骤4在项目源码中找到任何对的属性访问(而非方法调用)。
credentialsManager.useruser: UserInfo?userProfile() throws -> UserProfile?swift
// v2 — 属性访问,返回UserInfo?
func currentUser() -> UserInfo? {
return credentialsManager.user
}
// v3 — 抛出方法调用,返回UserProfile?
func currentUser() -> UserProfile? {
return try? credentialsManager.userProfile()
}
// v3 — 如果项目需要暴露错误:
func loadUser() throws {
let profile = try credentialsManager.userProfile()
self.userProfile = profile
}6.4 — Authentication
/ MFAClient
methods return Requestable
instead of Request
— app code and test mocks
AuthenticationMFAClientRequestableRequest6.8 — CredentialsManager
异步方法 — 抛出存储带来的新错误路径
CredentialsManagerApplies if: Step 4 found either (a) a stored type annotation in app code, or (b) test/mock files with types conforming to , , or .
Request<…>AuthenticationMFAClientRequestableIn v3, all and methods return protocol types rather than the concrete struct:
AuthenticationMFAClientRequest- Credential-returning methods (login, codeExchange, renew, ssoExchange, etc.) now return
any TokenRequestable<T, E> - All other methods (signup, resetPassword, userInfo, jwks, etc.) now return
any Requestable<T, E>
Impact on app code: Call sites that chain directly to — the overwhelming majority — compile without any change. The only app code that breaks is a stored type annotation:
.start(_:)Request<>swift
// v2 — storing the request in a typed variable
let request: Request<Credentials, AuthenticationError> = Auth0
.authentication()
.login(usernameOrEmail: email, password: password,
realmOrConnection: "Username-Password-Authentication",
audience: audience, scope: scope)
request.start { result in ... }
// v3 — update the type annotation to the protocol type
// For credential-returning methods:
let request: any TokenRequestable<Credentials, AuthenticationError> = Auth0
.authentication()
.login(usernameOrEmail: email, password: password,
realmOrConnection: "Username-Password-Authentication",
audience: audience, scope: scope)
request.start { result in ... }
// For non-credential methods (signup, resetPassword, userInfo, jwks):
let request: any Requestable<DatabaseUser, AuthenticationError> = Auth0
.authentication()
.signup(email: email, password: password, connection: connection)
request.start { result in ... }
// Most common pattern — chaining directly, no annotation needed, no change required:
Auth0.authentication()
.login(usernameOrEmail: email, password: password,
realmOrConnection: "Username-Password-Authentication",
audience: audience, scope: scope)
.start { result in ... } // ✅ unchangedCredential-returning methods that now return (full list):
any TokenRequestablelogin(email:code:audience:scope:)login(phoneNumber:code:audience:scope:)login(usernameOrEmail:password:realmOrConnection:audience:scope:)loginDefaultDirectory(withUsername:password:audience:scope:)login(appleAuthorizationCode:fullName:profile:audience:scope:)login(facebookSessionAccessToken:profile:audience:scope:)- — two overloads (sign in + sign up with passkey)
login(passkey:challenge:connection:audience:scope:organization:) codeExchange(withCode:codeVerifier:redirectURI:)renew(withRefreshToken:audience:scope:)ssoExchange(withRefreshToken:)customTokenExchange(subjectToken:subjectTokenType:audience:scope:organization:parameters:)- ,
MFAClient.verify(otp:mfaToken:),verify(oobCode:bindingCode:mfaToken:)verify(recoveryCode:mfaToken:)
Impact on test targets — custom mocks:
AuthenticationIf the project's test target has a mock or stub conforming to the or protocol, two changes are required:
AuthenticationMFAClient- Return type: Change to
Request<T, E>(credential methods) orany TokenRequestable<T, E>(other methods)any Requestable<T, E> - callback: Add
start(_:)to match the updated@MainActorprotocol requirementRequestable
swift
// v2 — mock Authentication conformance in tests
class MockAuthentication: Authentication {
var credentialsResult: Result<Credentials, AuthenticationError> = .failure(.init(info: [:], statusCode: 0))
func login(usernameOrEmail username: String,
password: String,
realmOrConnection realm: String,
audience: String?,
scope: String) -> Request<Credentials, AuthenticationError> {
// ❌ compile error in v3 — Request is no longer the return type
return Request(session: URLSession.shared, ...) // v2 internal — no longer works
}
}
// v2 — mock Requestable used as stub
struct MockRequest<T, E: Auth0Error>: Requestable {
let result: Result<T, E>
func start(_ callback: @escaping (Result<T, E>) -> Void) {
// ❌ @MainActor missing — does not conform to v3 Requestable
callback(result)
}
}
// v3 — updated mock
struct MockRequest<T, E: Auth0Error>: Requestable {
let result: Result<T, E>
// ✅ Add @MainActor to match the protocol; dispatch via Task to satisfy @MainActor isolation
func start(_ callback: @escaping @MainActor (Result<T, E>) -> Void) {
Task { @MainActor in callback(result) }
}
}
// v3 — updated Authentication mock returning the correct protocol type
class MockAuthentication: Authentication {
var credentialsResult: Result<Credentials, AuthenticationError> = .failure(.init(info: [:], statusCode: 0))
func login(usernameOrEmail username: String,
password: String,
realmOrConnection realm: String,
audience: String?,
scope: String) -> any TokenRequestable<Credentials, AuthenticationError> {
// ✅ Return MockTokenRequest, not Request
return MockTokenRequest(result: credentialsResult)
}
}
// v3 — TokenRequestable mock (for credential-returning methods)
struct MockTokenRequest<T, E: Auth0Error>: TokenRequestable {
typealias ResultType = T
typealias ErrorType = E
let result: Result<T, E>
func start(_ callback: @escaping @MainActor (Result<T, E>) -> Void) {
Task { @MainActor in callback(result) }
}
// TokenRequestable adds these claim-validation builder methods — return self
func validateClaims() -> any TokenRequestable<T, E> { self }
func withLeeway(_ leeway: Int) -> any TokenRequestable<T, E> { self }
func withIssuer(_ issuer: String) -> any TokenRequestable<T, E> { self }
func withNonce(_ nonce: String?) -> any TokenRequestable<T, E> { self }
func withMaxAge(_ maxAge: Int?) -> any TokenRequestable<T, E> { self }
func withOrganization(_ organization: String?) -> any TokenRequestable<T, E> { self }
}Thestub above stubs out allMockTokenRequestbuilder methods by returningTokenRequestable. In most tests,selfand thevalidateClaims()modifiers are never called, so returningwith*is correct. If a specific test verifies claim validation behaviour, implement those methods properly.self
适用场景: 步骤4在项目源码中找到任何对的调用。
credentialsManager.revoke(由于存储方法现在会抛出错误,多个异步方法新增了之前被静默忽略的失败路径。最显著的是方法。仅更新项目实际编写的错误处理代码——已使用分支的调用点无需修改。
CredentialsManagerrevoke()default:revoke()| 新错误 | 触发场景 | 处理方式 |
|---|---|---|
| | 视为已登出;导航到登录页面 |
| 撤销刷新令牌的网络请求失败 | 令牌可能仍在服务端有效;显示错误信息 |
| 撤销成功但Keychain删除失败 | 视为已登出——服务端令牌已失效 |
swift
// v2 — 仅可能出现.revokeFailed;无凭据时会静默返回.success
credentialsManager.revoke { result in
switch result {
case .success:
navigateToLogin()
case .failure(let error):
showError(error) // 仅.revokeFailed会进入此处
}
}
// v3 — 新增错误会暴露;如果项目检查特定错误则更新switch
credentialsManager.revoke { result in
switch result {
case .success:
navigateToLogin()
case .failure(let error):
switch error {
case .noCredentials:
// 无存储的凭据——实际上已登出
navigateToLogin()
case .revokeFailed:
// 服务端撤销失败——刷新令牌可能仍有效
showError("无法撤销您的会话,请重试。")
case .clearFailed:
// 服务端令牌已撤销但Keychain删除失败
// 视为已登出——令牌在服务端已失效
navigateToLogin()
default:
showError(error)
}
}
}credentials()renew()apiCredentials()ssoCredentials()| 新错误 | 触发场景 |
|---|---|
| |
| 刷新令牌续期请求失败——网络错误、无效/过期的刷新令牌 |
| 保存续期后的凭据时Keychain写入失败 |
仅当项目现有的/处理程序需要区分这些场景时才需要关注。如果使用通用的回退逻辑,则无需修改。
catchfailureswift
// v3 — 如果项目需要区分存储失败和网络失败:
credentialsManager.credentials { result in
switch result {
case .success(let credentials):
use(credentials)
case .failure(let error):
switch error {
case .noCredentials, .renewFailed:
// 凭据缺失或续期失败——强制重新登录
navigateToLogin()
case .storeFailed:
// 续期成功但无法保存——本次会话内存中的凭据有效
// 用户下次启动需重新登录
reportToMonitoring(error)
use(/* 如果可用,使用最后已知的凭据 */)
default:
showError(error)
}
}
}仅当项目当前对使用CredentialsManagerError且需要区分处理这些场景时,才添加这些新的switch分支。case分支已能正确处理这些错误,无需修改。default:
6.5 — CredentialsManager.store(credentials:)
— Bool return → throws
CredentialsManager.store(credentials:)6.9 — UserInfo
→ UserProfile
类型重命名
UserInfoUserProfileApplies if: Step 4 found any call to in the project's source files.
credentialsManager.store(credentials:store(credentials:)BoolVoidIf the project checked the return value:
swift
// v2
if credentialsManager.store(credentials: credentials) {
print("Stored successfully")
} else {
print("Store failed")
}
// v3 — use do-catch; map the error into the project's existing error handler
do {
try credentialsManager.store(credentials: credentials)
} catch {
// replace with whatever logging/error handling the project already uses
handleError(error)
}If the project discarded the return value:
swift
// v2 — silently discarded
_ = credentialsManager.store(credentials: credentials)
// v3 — try? discards the error the same way; use if the project didn't handle failures before
try? credentialsManager.store(credentials: credentials)Preferoverdo-catchwhen the project has an error-handling pattern to route into. Usetry?only to preserve intentional silent-discard behaviour.try?
适用场景: 步骤4在项目源码中找到任何引用的类型注解、函数签名或变量声明。
UserInfoUserInfoUserProfileUserInfoswift
// v2
var currentUser: UserInfo?
func showProfile(_ profile: UserInfo) { ... }
func fetchUser() -> UserInfo? { ... }
// v3
var currentUser: UserProfile?
func showProfile(_ profile: UserProfile) { ... }
func fetchUser() -> UserProfile? { ... }如果项目调用,方法名称不变但返回类型已变更:
Auth0.authentication().userInfo(withAccessToken:)swift
// v2 — 返回Request<UserInfo, AuthenticationError>
Auth0.authentication()
.userInfo(withAccessToken: accessToken)
.start { (result: Result<UserInfo, AuthenticationError>) in ... }
// v3 — 返回Request<UserProfile, AuthenticationError>
Auth0.authentication()
.userInfo(withAccessToken: accessToken)
.start { (result: Result<UserProfile, AuthenticationError>) in ... }6.6 — CredentialsManager.clear()
and clear(forAudience:scope:)
— Bool return → throws
CredentialsManager.clear()clear(forAudience:scope:)6.10 — Credentials.expiresIn
→ Credentials.expiresAt
Credentials.expiresInCredentials.expiresAtApplies if: Step 4 found any call to or in the project's source files.
credentialsManager.clear()credentialsManager.clear(forAudience:Both overloads previously returned . In v3 both throw:
Bool- — clears the main stored credentials
clear() throws - — clears API credentials for a specific audience
clear(forAudience:scope:) throws
swift
// v2
_ = credentialsManager.clear()
_ = credentialsManager.clear(forAudience: "https://api.example.com")
// v3
try? credentialsManager.clear()
try? credentialsManager.clear(forAudience: "https://api.example.com")
// or, if the project handles errors:
do {
try credentialsManager.clear()
} catch {
handleError(error)
}适用场景: 步骤4在项目源码中找到任何对、或对象的属性的访问。
CredentialsAPICredentialsSSOCredentials.expiresInCredentialsAPICredentialsSSOCredentialsexpiresIn: DateexpiresAt: Dateswift
// v2
let expiry: Date = credentials.expiresIn
// v3
let expiry: Date = credentials.expiresAt6.7 — CredentialsManager.user
property → userProfile()
throwing method
CredentialsManager.useruserProfile()6.11 — CredentialsStorage
自定义实现 — 方法现在会抛出错误
CredentialsStorageApplies if: Step 4 found any access to as a property (not a method call) in the project's source files.
credentialsManager.userThe computed property was replaced by (see also §6.9 for the type rename).
user: UserInfo?userProfile() throws -> UserProfile?swift
// v2 — property access, returns UserInfo?
func currentUser() -> UserInfo? {
return credentialsManager.user
}
// v3 — method call that throws, returns UserProfile?
func currentUser() -> UserProfile? {
return try? credentialsManager.userProfile()
}
// v3 — if the project needs to surface errors:
func loadUser() throws {
let profile = try credentialsManager.userProfile()
self.userProfile = profile
}适用场景: 步骤4在项目源码中找到符合协议的类型。如果项目仅使用实例则跳过——默认存储无需修改。
CredentialsStorageSimpleKeychain仅适用于项目提供自定义实现的场景(即符合该协议的类型——而非仅使用默认的实例)。如果项目仅使用实例则跳过。
CredentialsStorageSimpleKeychainSimpleKeychain协议已从返回Bool/Data?改为抛出方法,并新增了必填的方法。
deleteAllEntries()swift
// v2 — 协议实现
final class AppKeychain: CredentialsStorage {
func getEntry(forKey key: String) -> Data? {
return Keychain.shared.read(key: key)
}
func setEntry(_ data: Data, forKey key: String) -> Bool {
return Keychain.shared.write(data, forKey: key)
}
func deleteEntry(forKey key: String) -> Bool {
return Keychain.shared.delete(key: key)
}
}
// v3 — 方法抛出错误;新增deleteAllEntries()方法
final class AppKeychain: CredentialsStorage {
func getEntry(forKey key: String) throws -> Data {
guard let data = Keychain.shared.read(key: key) else {
throw CredentialsManagerError.noCredentials
}
return data
}
func setEntry(_ data: Data, forKey key: String) throws {
guard Keychain.shared.write(data, forKey: key) else {
throw CredentialsManagerError.storeFailed
}
}
func deleteEntry(forKey key: String) throws {
guard Keychain.shared.delete(key: key) else {
throw CredentialsManagerError.revokeFailed
}
}
func deleteAllEntries() throws {
Keychain.shared.deleteAll()
}
}协议声明其方法为CredentialsStorage但无特定错误类型——您可以抛出任何throws。上面的示例仅为说明使用Error枚举值;您的实现应抛出适合您存储后端的错误类型。如果选择复用这些枚举值,请在步骤3获取的SDK源码中验证CredentialsManagerError枚举值名称。CredentialsManagerError
6.8 — CredentialsManager
async methods — new error paths from throwing storage
CredentialsManager6.12 — 移除Management客户端
Applies if: Step 4 found any call to in the project's source files.
credentialsManager.revoke(Because storage methods now throw, several async methods gain new failure paths that were previously silently swallowed. The most significant is . Only update error-handling code that the project actually writes — call sites that already use a branch need no change.
CredentialsManagerrevoke()default:New errors that can now surface from :
revoke()| New error | When it fires | What to do |
|---|---|---|
| | Treat as already logged out; navigate to login |
| Network call to revoke the refresh token failed | The token may still be active on the server; show an error |
| Revocation succeeded but Keychain delete failed | Treat as logged out — the token is no longer valid server-side |
swift
// v2 — only .revokeFailed was possible; missing credentials returned .success silently
credentialsManager.revoke { result in
switch result {
case .success:
navigateToLogin()
case .failure(let error):
showError(error) // only .revokeFailed reached here
}
}
// v3 — new cases surface; update the switch if the project checks specific cases
credentialsManager.revoke { result in
switch result {
case .success:
navigateToLogin()
case .failure(let error):
switch error {
case .noCredentials:
// nothing was stored — already effectively logged out
navigateToLogin()
case .revokeFailed:
// server revocation failed — refresh token may still be active
showError("Could not revoke your session. Please try again.")
case .clearFailed:
// token revoked server-side but Keychain delete failed
// treat as logged out — token is no longer valid
navigateToLogin()
default:
showError(error)
}
}
}New errors that can now surface from , , , :
credentials()renew()apiCredentials()ssoCredentials()| New error | When it fires |
|---|---|
| |
| Refresh token renewal request failed — network error, invalid/expired refresh token |
| Keychain write fails when saving renewed credentials |
These only matter if the project's existing / handler needs to distinguish these cases. If it uses a generic fallback, no change is needed.
catchfailureswift
// v3 — if the project wants to distinguish storage failures from network failures:
credentialsManager.credentials { result in
switch result {
case .success(let credentials):
use(credentials)
case .failure(let error):
switch error {
case .noCredentials, .renewFailed:
// credentials missing or refresh failed — force re-login
navigateToLogin()
case .storeFailed:
// renewed successfully but couldn't save — credentials valid in memory this session
// user will be asked to log in again on next launch
reportToMonitoring(error)
use(/* last known credentials if available */)
default:
showError(error)
}
}
}Only add these newbranches if the project currently has acaseonswitchthat would benefit from handling them differently. ACredentialsManagerErrorbranch already handles them correctly without any change.default:
适用场景: 步骤4在项目源码中找到任何对或的调用。
Auth0.users(Auth0.users(token:Auth0.users(token:)UsersTODOswift
// v2 — 应用中的直接Management API调用
Auth0
.users(token: managementToken)
.patch(userId, userPatch: UserPatchAttributes(name: newName))
.start { result in
switch result {
case .success: print("更新成功")
case .failure(let error): print(error)
}
}
// v3 — Management客户端已移除;添加TODO并保留意图
// TODO: Auth0.swift v3已移除Management客户端。
// 请将此替换为调用您自己的后端端点,该端点
// 使用机器到机器令牌调用Auth0 Management API。
// 绝对不要在客户端应用中嵌入Management API令牌。
// 参考:https://auth0.com/docs/secure/tokens/access-tokens/management-api-access-tokens这需要后端工作——在步骤9的总结中记录。
6.9 — UserInfo
→ UserProfile
type rename
UserInfoUserProfile6.13 — 从Authentication
中移除MFA方法 → 迁移到MFAClient
AuthenticationMFAClientApplies if: Step 4 found any type annotation, function signature, or variable declaration referencing in the project's source files.
UserInfoThe type was renamed to . Update every type annotation, function signature, and variable declaration that references .
UserInfoUserProfileUserInfoswift
// v2
var currentUser: UserInfo?
func showProfile(_ profile: UserInfo) { ... }
func fetchUser() -> UserInfo? { ... }
// v3
var currentUser: UserProfile?
func showProfile(_ profile: UserProfile) { ... }
func fetchUser() -> UserProfile? { ... }If the project calls , the method name is unchanged but the return type changed:
Auth0.authentication().userInfo(withAccessToken:)swift
// v2 — returns Request<UserInfo, AuthenticationError>
Auth0.authentication()
.userInfo(withAccessToken: accessToken)
.start { (result: Result<UserInfo, AuthenticationError>) in ... }
// v3 — returns Request<UserProfile, AuthenticationError>
Auth0.authentication()
.userInfo(withAccessToken: accessToken)
.start { (result: Result<UserProfile, AuthenticationError>) in ... }适用场景: 步骤4在项目源码中找到任何对、、或的调用——或符合协议的测试mock。
login(withOTP:login(withOOBCode:login(withRecoveryCode:multifactorChallenge(MFAClientAuthenticationMFAClientAuth0.mfa()v2 ( | v3 ( |
|---|---|
| |
| |
| |
| |
mfaTokenerror.isMultifactorRequired == trueAuthenticationErrorerror.mfaRequiredErrorPayload?.mfaTokenOTP(TOTP认证器应用):
swift
// v2
Auth0.authentication()
.login(withOTP: otpCode, mfaToken: mfaToken)
.start { result in
switch result {
case .success(let credentials): storeCredentials(credentials)
case .failure(let error): showError(error)
}
}
// v3 — verify返回any TokenRequestable<Credentials, MFAVerifyError>
Auth0.mfa()
.verify(otp: otpCode, mfaToken: mfaToken)
.start { result in
switch result {
case .success(let credentials): storeCredentials(credentials)
case .failure(let error): showError(error)
}
}
// async/await
let credentials = try await Auth0.mfa().verify(otp: otpCode, mfaToken: mfaToken).start()OOB(短信/邮件验证码):
swift
// v2
Auth0.authentication()
.login(withOOBCode: oobCode, mfaToken: mfaToken, bindingCode: bindingCode)
.start { result in ... }
// v3 — 参数顺序变更:oobCode在前,bindingCode在后
Auth0.mfa()
.verify(oobCode: oobCode, bindingCode: bindingCode, mfaToken: mfaToken)
.start { result in ... }恢复码:
swift
// v2
Auth0.authentication()
.login(withRecoveryCode: recoveryCode, mfaToken: mfaToken)
.start { result in ... }
// v3
Auth0.mfa()
.verify(recoveryCode: recoveryCode, mfaToken: mfaToken)
.start { result in ... }MFA挑战(请求发送OOB验证码):
swift
// v2
Auth0.authentication()
.multifactorChallenge(mfaToken: mfaToken,
types: ["oob"],
authenticatorId: authenticatorId)
.start { result in ... }
// v3 — 移除types参数;直接传入authenticatorId
Auth0.mfa()
.challenge(with: authenticatorId, mfaToken: mfaToken)
.start { result in ... }处理MFA所需错误以获取mfaToken(v2和v3中不变):
swift
Auth0.authentication()
.login(usernameOrEmail: email,
password: password,
realmOrConnection: "Username-Password-Authentication",
audience: audience,
scope: scope)
.start { result in
switch result {
case .success(let credentials):
storeCredentials(credentials)
case .failure(let error) where error.isMultifactorRequired:
// mfaToken在v2和v3中的提取方式相同
if let mfaToken = error.mfaRequiredErrorPayload?.mfaToken {
presentMFAChallenge(mfaToken: mfaToken)
}
case .failure(let error):
showError(error)
}
}错误类型变更: →
AuthenticationErrorMFAVerifyErrorMFAClientany TokenRequestable<Credentials, MFAVerifyError>AuthenticationErrorMFAVerifyErrorswift
// v2 — MFA失败以AuthenticationError形式返回
Auth0.authentication()
.login(withOTP: otp, mfaToken: mfaToken)
.start { result in
switch result {
case .success(let credentials): storeCredentials(credentials)
case .failure(let error as AuthenticationError):
if error.isMultifactorCodeInvalid {
showError("验证码无效,请重试。")
} else {
showError(error.debugDescription)
}
}
}
// v3 — 失败以MFAVerifyError形式返回;获取MFAErrors.swift查看所有枚举值
Auth0.mfa()
.verify(otp: otp, mfaToken: mfaToken)
.start { result in
switch result {
case .success(let credentials): storeCredentials(credentials)
case .failure(let error):
// 查看目标SDK版本中Auth0/MFA/MFAErrors.swift里的MFAVerifyError枚举值
// 获取可用的精确枚举值名称
showError(error.debugDescription)
}
}从目标标签(步骤3)获取并读取Auth0/MFA/MFAErrors.swift枚举值,以映射项目当前处理的特定错误。不要猜测错误枚举值名称——从源码中读取。MFAVerifyError
MFAClient如果项目的测试目标存在符合协议的mock,需更新方法返回类型并在中添加(与§6.4中 mock的模式相同):
MFAClientstart(_:)@MainActorAuthenticationswift
// v3 — 测试中的mock MFAClient
struct MockMFAClient: MFAClient {
var verifyResult: Result<Credentials, MFAVerifyError>
func verify(otp: String,
mfaToken: String) -> any TokenRequestable<Credentials, MFAVerifyError> {
return MockTokenRequest(result: verifyResult)
}
func verify(oobCode: String,
bindingCode: String?,
mfaToken: String) -> any TokenRequestable<Credentials, MFAVerifyError> {
return MockTokenRequest(result: verifyResult)
}
func verify(recoveryCode: String,
mfaToken: String) -> any TokenRequestable<Credentials, MFAVerifyError> {
return MockTokenRequest(result: verifyResult)
}
func challenge(with authenticatorId: String,
mfaToken: String) -> any Requestable<MFAChallenge, MfaChallengeError> {
// 从目标标签获取MFAClient.swift以找到MFAChallenge的初始化方法,
// 然后构造真实的测试数据或返回.failure(如果测试不涉及该路径)
return MockRequest(result: .failure(/* MFAErrors.swift中的MfaChallengeError枚举值 */))
}
// 使用相同模式实现剩余的MFAClient要求
}使用§6.4中的和MockTokenRequest结构体。MockRequest协议还要求实现MFAClient、getAuthenticators、enroll(mfaToken:phoneNumber:)和enroll(mfaToken:)——使用相同方式stub这些方法,返回类型参考enroll(mfaToken:email:)。MFAClient.swift
在步骤9的总结中列出所有迁移的MFA流程,并要求用户端到端重新测试每个MFA流程(OTP、OOB、恢复码、挑战请求)以匹配租户配置。
6.10 — Credentials.expiresIn
→ Credentials.expiresAt
Credentials.expiresInCredentials.expiresAt6.14 — 默认scope现在包含offline_access
offline_accessApplies if: Step 4 found any access to on a , , or object.
.expiresInCredentialsAPICredentialsSSOCredentialsThe property on , , and was renamed to . The underlying JSON key is unchanged; only the Swift property name changed.
expiresIn: DateCredentialsAPICredentialsSSOCredentialsexpiresAt: Dateswift
// v2
let expiry: Date = credentials.expiresIn
// v3
let expiry: Date = credentials.expiresAt适用场景: 步骤4找到任何对、或的调用——但仅适用于未链式调用的调用链。读取文件中的实际调用点以确认是否存在;不要仅通过grep查找——调用链可能跨多行。
webAuth()webAuth(domain:)webAuth(domain:clientId:).scope(…).scope(在v3版本中,默认scope从变更为。依赖默认配置且不需要刷新令牌的应用应添加显式的调用:
"openid profile email""openid profile email offline_access".scope()swift
// v2 — 默认scope: "openid profile email"(无刷新令牌)
Auth0.webAuth()
.audience("https://api.example.com")
.start { result in ... }
// v3 — 默认scope包含offline_access(会返回刷新令牌)
// 如果要保持v2的行为(无刷新令牌),需显式添加.scope():
Auth0.webAuth()
.audience("https://api.example.com")
.scope("openid profile email") // 显式设置——不包含offline_access
.start { result in ... }
// 如果欢迎使用刷新令牌(推荐——支持静默续期):
// 无需修改;新的默认配置是有意设计的。无论选择哪种路径,都要在步骤9的总结中说明这是一个行为变更——如果要颁发刷新令牌,Auth0租户必须允许该应用的离线访问。
6.11 — CredentialsStorage
custom implementation — methods now throw
CredentialsStorage6.15 — CredentialsManager.credentials()
— 默认minTTL
从0秒改为60秒
CredentialsManager.credentials()minTTLApplies if: Step 4 found a type conforming to in the project's source files. Skip if the project only passes a instance — the default storage needs no change.
CredentialsStorageSimpleKeychainOnly applies if the project provides a custom implementation (i.e., a type conforming to the protocol — not just using the default ). Skip if the project only passes a instance.
CredentialsStorageSimpleKeychainSimpleKeychainThe protocol changed from Bool/Data? returns to throwing methods, and added a new required .
deleteAllEntries()swift
// v2 — protocol conformance
final class AppKeychain: CredentialsStorage {
func getEntry(forKey key: String) -> Data? {
return Keychain.shared.read(key: key)
}
func setEntry(_ data: Data, forKey key: String) -> Bool {
return Keychain.shared.write(data, forKey: key)
}
func deleteEntry(forKey key: String) -> Bool {
return Keychain.shared.delete(key: key)
}
}
// v3 — methods throw; deleteAllEntries() required
final class AppKeychain: CredentialsStorage {
func getEntry(forKey key: String) throws -> Data {
guard let data = Keychain.shared.read(key: key) else {
throw CredentialsManagerError.noCredentials
}
return data
}
func setEntry(_ data: Data, forKey key: String) throws {
guard Keychain.shared.write(data, forKey: key) else {
throw CredentialsManagerError.storeFailed
}
}
func deleteEntry(forKey key: String) throws {
guard Keychain.shared.delete(key: key) else {
throw CredentialsManagerError.revokeFailed
}
}
func deleteAllEntries() throws {
Keychain.shared.deleteAll()
}
}Theprotocol declares its methods asCredentialsStoragewith no specific error type — you can throw anythrows. The example above usesErrorcases for illustration only; your implementation should throw an error type that makes sense for your storage backend. Verify theCredentialsManagerErrorcase names in the SDK source fetched in Step 3 if you choose to reuse them.CredentialsManagerError
适用场景: 步骤4找到任何未显式指定参数的调用。
minTTL:credentialsManager.credentials(在v3版本中,的默认从改为。这意味着凭据管理器现在会在令牌实际过期前60秒就认为令牌已过期——并触发静默刷新,而不是仅在令牌已过期时才刷新。
CredentialsManager.credentials(withScope:minTTL:parameters:headers:callback:)minTTL060这是一个静默行为变更:应用无需修改即可编译,但令牌续期的时机比之前更早。
swift
// v2 — credentials()仅在令牌实际过期时触发续期(minTTL默认值:0)
credentialsManager.credentials { result in
switch result {
case .success(let credentials): use(credentials)
case .failure(let error): handleError(error)
}
}
// v3 — credentials()在令牌过期前60秒触发续期(minTTL默认值:60)
// 如果该行为可接受(大多数应用推荐),无需修改代码。
// 要显式恢复v2的行为:
credentialsManager.credentials(minTTL: 0) { result in
switch result {
case .success(let credentials): use(credentials)
case .failure(let error): handleError(error)
}
}对于大多数应用,新的默认配置更优——在令牌过期前稍早续期可避免飞行中请求使用中途过期的访问令牌的情况。仅当应用有特定理由需要在精确过期时间续期时,才显式设置。
minTTL: 0在步骤9的总结中说明这是一个行为注意事项。
6.12 — Management client removed
步骤7 — 更新依赖并构建
Applies if: Step 4 found any call to or in the project's source files.
Auth0.users(Auth0.users(token:Auth0.users(token:)UsersTODOswift
// v2 — direct Management API call in the app
Auth0
.users(token: managementToken)
.patch(userId, userPatch: UserPatchAttributes(name: newName))
.start { result in
switch result {
case .success: print("Updated")
case .failure(let error): print(error)
}
}
// v3 — Management client removed; add TODO and preserve intent
// TODO: Auth0.swift v3 removed the Management client.
// Replace this with a call to your own backend endpoint, which
// calls the Auth0 Management API using a machine-to-machine token.
// NEVER embed a Management API token in the client app.
// See: https://auth0.com/docs/secure/tokens/access-tokens/management-api-access-tokensThis requires backend work — record it in the Step 9 summary.
bash
undefined6.13 — MFA methods removed from Authentication
→ migrate to MFAClient
AuthenticationMFAClient尝试构建——预期会有剩余调用点的错误
Applies if: Step 4 found any call to , , , or — or test mocks conforming to — in the project's source files.
login(withOTP:login(withOOBCode:login(withRecoveryCode:multifactorChallenge(MFAClientThe four MFA methods on the protocol were removed in v3. They are replaced by the dedicated protocol, accessible via :
AuthenticationMFAClientAuth0.mfa()v2 ( | v3 ( |
|---|---|
| |
| |
| |
| |
The itself still comes from the same place — an where returns the token via .
mfaTokenAuthenticationErrorerror.isMultifactorRequired == trueerror.mfaRequiredErrorPayload?.mfaTokenOTP (TOTP authenticator app):
swift
// v2
Auth0.authentication()
.login(withOTP: otpCode, mfaToken: mfaToken)
.start { result in
switch result {
case .success(let credentials): storeCredentials(credentials)
case .failure(let error): showError(error)
}
}
// v3 — verify returns any TokenRequestable<Credentials, MFAVerifyError>
Auth0.mfa()
.verify(otp: otpCode, mfaToken: mfaToken)
.start { result in
switch result {
case .success(let credentials): storeCredentials(credentials)
case .failure(let error): showError(error)
}
}
// async/await
let credentials = try await Auth0.mfa().verify(otp: otpCode, mfaToken: mfaToken).start()OOB (SMS / email code):
swift
// v2
Auth0.authentication()
.login(withOOBCode: oobCode, mfaToken: mfaToken, bindingCode: bindingCode)
.start { result in ... }
// v3 — parameter order changed: oobCode first, bindingCode second
Auth0.mfa()
.verify(oobCode: oobCode, bindingCode: bindingCode, mfaToken: mfaToken)
.start { result in ... }Recovery code:
swift
// v2
Auth0.authentication()
.login(withRecoveryCode: recoveryCode, mfaToken: mfaToken)
.start { result in ... }
// v3
Auth0.mfa()
.verify(recoveryCode: recoveryCode, mfaToken: mfaToken)
.start { result in ... }MFA challenge (request an OOB code to be sent):
swift
// v2
Auth0.authentication()
.multifactorChallenge(mfaToken: mfaToken,
types: ["oob"],
authenticatorId: authenticatorId)
.start { result in ... }
// v3 — types parameter removed; pass authenticatorId directly
Auth0.mfa()
.challenge(with: authenticatorId, mfaToken: mfaToken)
.start { result in ... }Handling the MFA required error to obtain the mfaToken (unchanged between v2 and v3):
swift
Auth0.authentication()
.login(usernameOrEmail: email,
password: password,
realmOrConnection: "Username-Password-Authentication",
audience: audience,
scope: scope)
.start { result in
switch result {
case .success(let credentials):
storeCredentials(credentials)
case .failure(let error) where error.isMultifactorRequired:
// mfaToken extracted the same way in both v2 and v3
if let mfaToken = error.mfaRequiredErrorPayload?.mfaToken {
presentMFAChallenge(mfaToken: mfaToken)
}
case .failure(let error):
showError(error)
}
}Error type changed: →
AuthenticationErrorMFAVerifyErrorThe verify methods on return . If the project previously matched specific cases in MFA failure handlers, map them onto :
MFAClientany TokenRequestable<Credentials, MFAVerifyError>AuthenticationErrorMFAVerifyErrorswift
// v2 — MFA failures came as AuthenticationError
Auth0.authentication()
.login(withOTP: otp, mfaToken: mfaToken)
.start { result in
switch result {
case .success(let credentials): storeCredentials(credentials)
case .failure(let error as AuthenticationError):
if error.isMultifactorCodeInvalid {
showError("Invalid code. Please try again.")
} else {
showError(error.debugDescription)
}
}
}
// v3 — failures come as MFAVerifyError; fetch MFAErrors.swift for all cases
Auth0.mfa()
.verify(otp: otp, mfaToken: mfaToken)
.start { result in
switch result {
case .success(let credentials): storeCredentials(credentials)
case .failure(let error):
// Check the MFAVerifyError cases in Auth0/MFA/MFAErrors.swift
// for the exact case names available in the target SDK version
showError(error.debugDescription)
}
}Fetchfrom the target tag (Step 3) and read theAuth0/MFA/MFAErrors.swiftcases to map any specific error handling the project currently does. Do not guess error case names — read them from the source.MFAVerifyError
Test mocks for :
MFAClientIf the project's test target has a mock conforming to , update method return types and add to (same pattern as §6.4 for mocks):
MFAClient@MainActorstart(_:)Authenticationswift
// v3 — mock MFAClient in tests
struct MockMFAClient: MFAClient {
var verifyResult: Result<Credentials, MFAVerifyError>
func verify(otp: String,
mfaToken: String) -> any TokenRequestable<Credentials, MFAVerifyError> {
return MockTokenRequest(result: verifyResult)
}
func verify(oobCode: String,
bindingCode: String?,
mfaToken: String) -> any TokenRequestable<Credentials, MFAVerifyError> {
return MockTokenRequest(result: verifyResult)
}
func verify(recoveryCode: String,
mfaToken: String) -> any TokenRequestable<Credentials, MFAVerifyError> {
return MockTokenRequest(result: verifyResult)
}
func challenge(with authenticatorId: String,
mfaToken: String) -> any Requestable<MFAChallenge, MfaChallengeError> {
// Fetch MFAClient.swift from the target tag to find MFAChallenge's initializer,
// then construct a real fixture or return .failure for tests that don't exercise this path
return MockRequest(result: .failure(/* MfaChallengeError case from MFAErrors.swift */))
}
// implement remaining MFAClient requirements using the same pattern
}Use theandMockTokenRequeststructs from §6.4. TheMockRequestprotocol also requiresMFAClient,getAuthenticators,enroll(mfaToken:phoneNumber:), andenroll(mfaToken:)— stub them the same way, using the return types fromenroll(mfaToken:email:).MFAClient.swift
List all migrated MFA flows in the Step 9 summary and ask the user to re-test every MFA flow end-to-end (OTP, OOB, recovery code, challenge request) against their tenant configuration.
xcodebuild build
-scheme <SCHEME>
-destination "platform=iOS Simulator,name=${SIM}"
2>&1
-scheme <SCHEME>
-destination "platform=iOS Simulator,name=${SIM}"
2>&1
针对每个错误:
1. 读取错误信息并定位源码行
2. 将其匹配到步骤6中的某个API变更
3. 验证修复内容与步骤3获取的实际SDK签名一致
4. 按照项目现有风格应用修复
5. 重新构建
**常见错误→原因映射:**
| Xcode错误 | 可能原因 |
|---|---|
| `has no member 'clearSession'` | §6.1 — 重命名为`logout` |
| `error enum element 'pkceNotAllowed' not found in type`或`'invalidInvitationURL' not found` | §6.2 — 从switch中删除已移除的`WebAuthError`枚举值 |
| `cannot convert return expression of type 'Request<...>'`在mock中 | §6.4 — 更新mock返回类型为`any TokenRequestable<T,E>`或`any Requestable<T,E>` |
| `does not conform to protocol 'Requestable'`(`start`缺少`@MainActor`) | §6.4 — 在mock的`start(_:)`回调中添加`@MainActor` |
| `has no member 'user'` on CredentialsManager | §6.7 — 改为`userProfile()` |
| `cannot find type 'UserInfo'` | §6.9 — 重命名为`UserProfile` |
| `has no member 'expiresIn'` | §6.10 — 重命名为`expiresAt` |
| `cannot convert value of type 'Bool'` on store/clear | §6.5/§6.6 — 添加do-catch或try? |
| `does not conform to protocol 'CredentialsStorage'` | §6.11 — 更新协议方法 + 添加deleteAllEntries |
| `call can throw, but is not marked with 'try'` | 包裹在do-catch中或添加try? |
| `sending '...' risks causing data races` | 仅当项目使用Swift 6语言模式或`SWIFT_STRICT_CONCURRENCY=complete`时出现;在现有actor模型内解决——不属于迁移错误 |
**限制:** 最多进行**10次构建-修复循环**。如果10次尝试后构建仍失败,停止操作并向用户显示剩余错误及上下文——不要猜测。
---6.14 — Default scope now includes offline_access
offline_access步骤8 — 运行测试并验证
Applies if: Step 4 found any call to , , or — but only for call chains that do not already have a modifier. Read the actual call site in the file to confirm whether is present; do not grep — the call chain may span multiple lines.
webAuth()webAuth(domain:)webAuth(domain:clientId:).scope(…).scope(In v3, the default scope changed from to . Apps that relied on the default and do not want a refresh token should add an explicit call:
"openid profile email""openid profile email offline_access".scope()swift
// v2 — default scope: "openid profile email" (no refresh token)
Auth0.webAuth()
.audience("https://api.example.com")
.start { result in ... }
// v3 — default scope includes offline_access (refresh token returned)
// If you want to keep the v2 behaviour (no refresh token), add .scope() explicitly:
Auth0.webAuth()
.audience("https://api.example.com")
.scope("openid profile email") // explicit — no offline_access
.start { result in ... }
// If refresh tokens are welcome (recommended — enables silent renewal):
// No change needed; the new default is intentional.Surface this as a behavioural change in the Step 9 summary regardless of which path is chosen — the Auth0 tenant must permit offline access for this app if refresh tokens are to be issued.
bash
undefined6.15 — CredentialsManager.credentials()
— default minTTL
changed from 0 to 60 seconds
CredentialsManager.credentials()minTTL如果存在测试套件则运行(复用步骤1中的$SIM)
Applies if: Step 4 found any call to without an explicit parameter.
credentialsManager.credentials(minTTL:In v3, defaults to instead of . This means the credentials manager will now consider tokens expired — and trigger a silent refresh — 60 seconds before their actual expiry, rather than only when they are already expired.
CredentialsManager.credentials(withScope:minTTL:parameters:headers:callback:)minTTL600This is a silent behavioural change: the app still compiles without changes, but token renewal now happens earlier than before.
swift
// v2 — credentials() triggers renewal only when token is actually expired (minTTL default: 0)
credentialsManager.credentials { result in
switch result {
case .success(let credentials): use(credentials)
case .failure(let error): handleError(error)
}
}
// v3 — credentials() triggers renewal 60 seconds before expiry (minTTL default: 60)
// No code change needed if this behaviour is acceptable (recommended for most apps).
// To restore the v2 behaviour explicitly:
credentialsManager.credentials(minTTL: 0) { result in
switch result {
case .success(let credentials): use(credentials)
case .failure(let error): handleError(error)
}
}For most apps the new default is preferable — renewing tokens slightly before expiry avoids races where an in-flight request uses an access token that expires mid-request. Only set explicitly if the app has a specific reason to renew only at exact expiry.
minTTL: 0Surface this as a behavioural note in the Step 9 summary.
xcodebuild test
-scheme <SCHEME>
-destination "platform=iOS Simulator,name=${SIM}"
2>&1 | tail -30
-scheme <SCHEME>
-destination "platform=iOS Simulator,name=${SIM}"
2>&1 | tail -30
由相同API变更导致的测试失败(错误的类型名称、缺失的方法)应使用与步骤7相同的规则修复。需要超出API更新的逻辑变更的测试失败应标记给用户。
```bashStep 7 — Update the Dependency & Build
总结变更差异
bash
undefinedgit diff --stat
---Attempt a build — expect errors for any remaining call sites
步骤9 — 迁移总结
xcodebuild build
-scheme <SCHEME>
-destination "platform=iOS Simulator,name=${SIM}"
2>&1
-scheme <SCHEME>
-destination "platform=iOS Simulator,name=${SIM}"
2>&1
For each error:
1. Read the error and locate the source line
2. Match it to one of the API changes in Step 6
3. Verify the fix matches the actual SDK signature fetched in Step 3
4. Apply the fix in keeping with the project's existing style
5. Rebuild
**Common error → cause mapping:**
| Xcode error | Likely cause |
|---|---|
| `has no member 'clearSession'` | §6.1 — rename to `logout` |
| `error enum element 'pkceNotAllowed' not found in type` or `'invalidInvitationURL' not found` | §6.2 — remove deleted `WebAuthError` cases from switch |
| `cannot convert return expression of type 'Request<...>'` in mock | §6.4 — update mock return type to `any TokenRequestable<T,E>` or `any Requestable<T,E>` |
| `does not conform to protocol 'Requestable'` (missing `@MainActor` on `start`) | §6.4 — add `@MainActor` to `start(_:)` callback in mock |
| `has no member 'user'` on CredentialsManager | §6.7 — change to `userProfile()` |
| `cannot find type 'UserInfo'` | §6.9 — rename to `UserProfile` |
| `has no member 'expiresIn'` | §6.10 — rename to `expiresAt` |
| `cannot convert value of type 'Bool'` on store/clear | §6.5/§6.6 — add do-catch or try? |
| `does not conform to protocol 'CredentialsStorage'` | §6.11 — update protocol methods + add deleteAllEntries |
| `call can throw, but is not marked with 'try'` | wrap in do-catch or add try? |
| `sending '...' risks causing data races` | only appears when the project uses Swift 6 language mode or `SWIFT_STRICT_CONCURRENCY=complete`; resolve within the existing actor model — not a migration error |
**Limit:** Up to **10 build-fix cycles**. If the build still fails after 10 attempts, stop and show the remaining errors to the user with context — do not guess.
---呈现简洁的总结,涵盖以下内容:
1. 已应用的变更(按API领域分组;列出每个领域修改的文件)
2. 需要手动检查的内容
- 所有错误处理变更——确认新错误类型已正确路由
- 所有使用忽略错误的场景(项目之前忽略Bool返回值)——询问是否需要显式错误处理
try? - 默认scope变更——确认租户已配置允许离线访问,或确认显式scope调用正确
offline_access
3. 后端/配置后续工作(仅在触发时列出)
- WebAuthError枚举值变更(§6.2): 列出从switch语句中删除的已移除枚举值和添加的新枚举值。注意和
.authenticationFailed可能需要修改面向用户的文案。.codeExchangeFailed - mocks中→
Request(§6.4): 列出更新的测试mock文件。注意任何使用Requestablestub的return self构建器方法——确认这对涉及的测试是正确的。TokenRequestable - 新增错误路径(§6.8): 列出项目调用的CredentialsManager异步方法,并说明现在可能出现的新错误:
- —
revoke()(无凭据可撤销)、.noCredentials(服务端撤销失败)、.revokeFailed(令牌已撤销但Keychain删除失败).clearFailed - /
credentials()/renew()/apiCredentials()—ssoCredentials()(Keychain项未找到)、.noCredentials(刷新令牌续期失败)、.renewFailed(续期后的凭据无法保存).storeFailed - 确认每个场景的失败处理是否正确导航或暴露错误。
- 移除Management客户端(§6.12): 列出使用stub的具体操作。说明用户必须在安全后端实现的内容。
TODO - 移除MFA方法(§6.13): 列出需要更新到的MFA流程。要求用户端到端重新测试MFA。
MFAClient - 默认scope变更(§6.14): 说明是否已显式添加或接受了新的
.scope()默认配置。确认租户已配置允许离线访问。offline_access - 默认minTTL变更(§6.15): 说明现在会在令牌过期前60秒续期,而非精确过期时间。确认该行为可接受或已显式设置
credentialsManager.credentials()。minTTL: 0
4. 未应用的可选改进(简要列出;绝不自动应用)
- 上的新
CredentialsManager方法——一键清除所有凭据clearAll() - 新的API——如果项目使用MFA且旧方法已移除
MFAClient - DPoP(Demonstrating Proof of Possession)支持——如果API要求发送方约束令牌
- Passkey登录/注册API(iOS 16.6+、macOS 13.5+)
- ——如果需要SSO凭据交换
ssoCredentials()
5. 询问用户 是否要提交迁移变更、探索任何可选改进,或一起查看特定文件。
安全提醒: 不要在总结输出中包含令牌、密钥、客户端凭据或Keychain值。
Step 8 — Run Tests & Verify
详细参考
bash
undefined- 迁移流程 — 跨版本跳转、回滚、CocoaPods/Carthage边缘情况、Swift版本兼容性
- 安全检查清单 — 迁移前后必须保持的安全准则
Run the test suite if one exists (reuse $SIM from Step 1)
常见错误
xcodebuild test
-scheme <SCHEME>
-destination "platform=iOS Simulator,name=${SIM}"
2>&1 | tail -30
-scheme <SCHEME>
-destination "platform=iOS Simulator,name=${SIM}"
2>&1 | tail -30
Test failures caused by the same API changes (wrong type name, missing method) should be fixed using the same rules as Step 7. Test failures that require logic changes beyond API updates should be flagged for the user.
```bash| 错误做法 | 正确做法 |
|---|---|
| 步骤4未在项目中找到对应API仍应用§6.x部分 | 步骤4的文件读取是唯一依据。未找到则完全跳过该部分 |
| 仅使用grep判断API是否被使用 | Grep会遗漏多行调用链、带有 |
项目未使用 | 仅迁移项目实际调用的内容 |
移除非Auth0代码周围的 | 仅移除Auth0回调体内的调度包装器 |
| 静默删除Management API调用点 | 添加 |
| 静默删除旧MFA调用点 | 同上——添加 |
| 基于假设知识而非获取的SDK源码应用变更 | 每个修复必须追溯到步骤3获取的文件中的签名 |
当开发者选择beta标签时使用 | 稳定范围指定符无法解析beta版本;预发布版本使用 |
| 在脏工作区启动迁移 | 始终先验证 |
| 未应用已知变更直接构建 | 先应用所有已知变更,再构建以捕获剩余错误 |
| 超过10次构建失败循环仍继续 | 停止操作并向用户显示剩余错误 |
| 跳过迁移总结 | 始终生成完整总结——用户需要这些信息 |
Summarise the diff
相关技能
git diff --stat
---- auth0-swift — 从零开始全新集成Auth0.swift
- auth0-android — Android原生认证
Step 9 — Migration Summary
参考链接
Present a concise summary covering:
1. Changes applied (grouped by API area; list files touched per area)
2. Needs manual review
- Every error-handling change — confirm the new error types are routed correctly
- Every used to discard errors where the project previously discarded a
try?— ask if explicit error handling is wantedBool - The default scope change — confirm the tenant is configured to allow it, or confirm the explicit scope call is correct
offline_access
3. Backend / configuration follow-up (only if triggered)
- WebAuthError cases changed (§6.2): List which removed cases were deleted from switch statements and which new cases were added. Note that and
.authenticationFailedmay benefit from user-facing copy changes..codeExchangeFailed - →
Requestin mocks (§6.4): List which test mock files were updated. Note anyRequestablebuilder methods that were stubbed withTokenRequestable— confirm this is correct for the tests involved.return self - New error paths (§6.8): List which CredentialsManager async methods the project calls and note the new errors that can now surface:
- —
revoke()(nothing to revoke),.noCredentials(server revocation failed),.revokeFailed(token revoked but Keychain delete failed).clearFailed - /
credentials()/renew()/apiCredentials()—ssoCredentials()(Keychain item not found),.noCredentials(refresh token renewal failed),.renewFailed(renewed credentials could not be saved).storeFailed - Confirm the failure handling for each case navigates or surfaces errors correctly.
- Management client removed (§6.12): List the specific operations that were stubbed with . Describe what the user must implement on a secure backend.
TODO - MFA methods removed (§6.13): List which MFA flows need updating to . Ask the user to re-test MFA end-to-end.
MFAClient - Default scope change (§6.14): Note whether was added explicitly or the new
.scope()default was accepted. Confirm the tenant is configured to allow offline access.offline_access - Default minTTL change (§6.15): Note that now renews tokens 60 seconds before expiry instead of at exact expiry. Confirm this is acceptable or that
credentialsManager.credentials()was set explicitly.minTTL: 0
4. Optional improvements not applied (list briefly; never auto-apply)
- New method on
clearAll()— clears all credentials in one callCredentialsManager - New API — if the project uses MFA and the old methods were already removed
MFAClient - DPoP (Demonstrating Proof of Possession) support — if the API requires sender-constrained tokens
- Passkey login/signup APIs (iOS 16.6+, macOS 13.5+)
- — if SSO credential exchange is needed
ssoCredentials()
5. Ask the user if they'd like to commit the migration changes, explore any optional improvement, or step through specific files together.
Security reminder: Never include tokens, secrets, client credentials, or Keychain values in the summary output.
安全提示: 不要在构建日志或终端输出中回显令牌、客户端密钥或凭据。不要将密钥提交到版本控制系统。
Detailed References
—
- Migration Process — Multi-version jumps, rollback, CocoaPods/Carthage edge cases, Swift version compatibility
- Security Checklist — Invariants that must hold before and after migration
—
Common Mistakes
—
| Mistake | Correct approach |
|---|---|
| Applying a §6.x section when Step 4 didn't find that API in the project | Step 4 file-reading is the gate. Not found = skip the section entirely |
| Using grep alone to decide if an API is used | Grep misses multi-line call chains, calls with |
Touching | Only migrate what the project actually calls |
Removing | Only remove dispatch wrappers that are solely inside an Auth0 callback body |
| Silently deleting Management API call sites | Add |
| Silently deleting old MFA call sites | Same as above — add |
| Applying changes based on assumed knowledge, not the fetched SDK source | Every fix must trace to a signature in the files fetched in Step 3 |
Pinning | Stable range specifiers won't resolve betas; use |
| Starting migration on a dirty working tree | Always verify |
| Skipping straight to build without applying known changes first | Apply all known changes first, then build to catch remainders |
| Continuing past 10 failed build cycles | Stop and show the user the remaining errors |
| Skipping the migration summary | Always produce the full summary — the user needs it |
—
Related Skills
—
- auth0-swift — New Auth0.swift integration from scratch
- auth0-android — Android native authentication
—
References
—
Security: Never echo tokens, client secrets, or credentials in build logs or terminal output. Never commit secrets to version control.
—