oauth_flutter

Description:

oauth flutter

A complete OAuth2 solution for Flutter apps. Handles auth, token storage, and token refresh.
Features #

Handles dio client setup
Securely stores tokens
Automatically refreshes tokens when expired
Refresh token expiration handler
Nonce, PKCE, and state verification
OIDC support

Endpoint discovery
Access to the ID token and raw nonce
Works with Firebase OIDC implicit flow



Getting started #
The most relevant setup information for iOS/Android/web apps is copied below. See the individual plugin readmes for more details:

flutter_web_auth_2
flutter_secure_storage

iOS #
Set up Universal Links
Android #
Set up App Links
android/app/build.gradle
android {
defaultConfig {
minSdk = 23
}
}
copied to clipboard
In order to capture the callback url, the following activity needs to be added to your AndroidManifest.xml. Be sure to replace YOUR_CALLBACK_URL_SCHEME_HERE with your actual callback url scheme.
<manifest>
<application>

<activity
android:name="com.linusu.flutter_web_auth_2.CallbackActivity"
android:exported="true">
<intent-filter android:label="flutter_web_auth_2">
<action android:name="android.intent.action.VIEW" />
<category android:name="android.intent.category.DEFAULT" />
<category android:name="android.intent.category.BROWSABLE" />
<data android:scheme="YOUR_CALLBACK_URL_SCHEME_HERE" />
</intent-filter>
</activity>

</application>
</manifest>
copied to clipboard
Web #
Ensure that the web server serves the Flutter app with a Strict-Transport-Security header. Firebase Hosting sets this header by default. See the documentation. Here is an example header:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
copied to clipboard
An endpoint must be created that captures the callback URL and sends it to the application using the JavaScript postMessage method. In the web folder of the project, create an HTML file named, e.g. oauth2/callback with content:
<!DOCTYPE html>
<title>Authentication complete</title>
<p>
Authentication is complete. If this does not happen automatically, please
close the window.
</p>
<script>
function postAuthenticationMessage() {
const message = {
"flutter-web-auth-2": window.location.href,
};

if (window.opener) {
window.opener.postMessage(message, window.location.origin);
window.close();
} else if (window.parent && window.parent !== window) {
window.parent.postMessage(message, window.location.origin);
} else {
localStorage.setItem("flutter-web-auth-2", window.location.href);
window.close();
}
}

postAuthenticationMessage();
</script>
copied to clipboard
Usage #

import 'package:dio/dio.dart';
import 'package:flutter/foundation.dart';
import 'package:oauth_flutter/oauth_flutter.dart';

void main() async {
final client = OAuth2Client(
key: 'fitbit',
// The `baseUrl` is the OAuth `aud` parameter
dio: Dio(BaseOptions(baseUrl: 'https://api.fitbit.com/1/user')),
endpoints: OAuth2Endpoints(
authorization: 'https://fitbit.com/oauth2/authorize',
token: 'https://api.fitbit.com/oauth2/token',
revocation: 'https://api.fitbit.com/oauth2/revoke',
),
// Use `OAuth2Endpoints.base` for services with a consistent base URL
// endpoints: OAuth2Endpoints.base('https://api.fitbit.com/oauth2'),
redirectUri: Uri.parse('https://your-app.com/oauth2/callback'),
// Do not pass client credentials if they are injected by the server
credentials: const OAuth2ClientCredentials(
id: 'your-client-id',
secret: 'your-client-secret',
),
scope: {
'activity',
'heartrate',
'nutrition',
'oxygen_saturation',
'respiratory_rate',
'settings',
'sleep',
'temperature',
'weight',
},
);

final token = await client.authenticate();
debugPrint(token.idToken); // Fitbit doesn't actually support OIDC

final response =
await client.dio.get('/GGNJL9/activities/heart/date/today/1d.json');
debugPrint(response.data);

final isAuthenticated = await client.isAuthenticated();
debugPrint(isAuthenticated.toString());
}

copied to clipboard