Best practices for generating a 'Sign In with Apple' nonce on the client

When implementing SiwA on the client, you have the option of passing a nonce to an ASAuthorizationOpenIDRequest (docs).

Here's a snippet of the relevant code that could be part of a SiwA implementation:

import AuthenticationServices

let appleIDProvider = ASAuthorizationAppleIDProvider()
let request = appleIDProvider.createRequest()
request.requestedScopes = [.fullName, .email]
request.nonce = /* What should this look like? */

let authorizationController =
  ASAuthorizationController(authorizationRequests: [request])

My core question is: are there any restrictions on its length and allowed characters?

A similar conversation has been had on this SO post, but I'd like to know if there are any nonce generation implications from a SiwA perspective, as opposed to another auth service provider.

The SecRandomCopyBytes docs include the following snippet:

import Security

var bytes = [Int8](repeating: 0, count: 10)
let status =
  SecRandomCopyBytes(kSecRandomDefault, bytes.count, &bytes)

if status == errSecSuccess { // Always test the status.
    print(bytes)
    // Prints something different every time you run.
}

Could the result here be used as a SiwA nonce? Should I instead use the random bytes to index into an alphanumeric array of characters so my nonce contains alphanumerics rather than just numbers?

CryptoKit also includes the following API that looks relevant:

let nonce = ChaChaPoly.Nonce()

The docs say this is a 12-byte nonce. Can I throw that in a string and use it?

I'd appreciate any clarification on generating nonces for the ASAuthorizationOpenIDRequest API. Thanks!

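As an added example (not code from the post above or from Apple's docs), here is one way to fill in request.nonce: draw random bytes from SecRandomCopyBytes, hex-encode them so the nonce is plain ASCII alphanumerics, and hand Apple the SHA-256 of that value while keeping the raw value for your own server to compare against the nonce claim in the returned identity token. The 32-byte length and the hash-then-send pattern are assumptions chosen here, not a requirement the post itself states.

```swift
import Foundation
import Security
import CryptoKit
import AuthenticationServices

// Returns `byteCount` cryptographically random bytes, hex-encoded.
// Hex keeps the nonce to [0-9a-f], so it is safe in URLs and JWT claims.
// Returns nil on RNG failure; never fall back to a weaker source.
func makeRawNonce(byteCount: Int = 32) -> String? {
    var bytes = [UInt8](repeating: 0, count: byteCount)
    let status = SecRandomCopyBytes(kSecRandomDefault, bytes.count, &bytes)
    guard status == errSecSuccess else { return nil }
    return bytes.map { String(format: "%02x", $0) }.joined()
}

// Hex-encoded SHA-256 of a string. Sending Apple the hash instead of the raw
// nonce means the raw value is only ever seen by this client and your server.
func sha256Hex(_ input: String) -> String {
    let digest = SHA256.hash(data: Data(input.utf8))
    return digest.map { String(format: "%02x", $0) }.joined()
}

// Builds the Apple ID request. `rawNonce` is returned so the caller can keep
// it for the sign-in session and send it to the server together with the
// identity token; the server recomputes sha256Hex(rawNonce) and requires it
// to equal the token's nonce claim (assumed server-side check).
func makeAppleIDRequest() -> (request: ASAuthorizationAppleIDRequest, rawNonce: String)? {
    guard let rawNonce = makeRawNonce() else { return nil }
    let request = ASAuthorizationAppleIDProvider().createRequest()
    request.requestedScopes = [.fullName, .email]
    request.nonce = sha256Hex(rawNonce)
    return (request, rawNonce)
}

// Server-side counterpart (assumed): true only if the token's nonce claim
// was derived from the raw nonce this client generated for this session.
func nonceClaimMatches(_ claim: String, rawNonce: String) -> Bool {
    return claim == sha256Hex(rawNonce)
}
```

A fresh raw nonce per sign-in attempt, discarded once the token is verified, is what gives the check its replay-resistance.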