Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Oauth2 flow in Flutter app

In the Flutter app I'm currently building, I need to authenticate users against a custom (so non-Google/Facebook/Twitter/etc) authorization server.

In order to achieve this, the users should fill in their credentials in a webpage. To this purpose, the WebView-plugin can be used. However, when the page is redirected after the user authenticated, the WebView should be closed, and the code passed on to the (Flutter) function that initially called the WebView.

Having done some research already, I came accross the following options:

  • This blog post uses a local server, which still requires the user to manually close the window, which is not a real solution (in my opinion).
  • This issue marks integration with any OAuth provider as done, but does not provide any details on the user authentication inside the browser.
  • This issue is exactly like I am describing, but at the bottom it is mentioned that the WebView plugin provides a way to close the WebView. While it does indeed have a close()-function, I cannot find a way to trigger it on the redirect-URI and return the verification code.

Does a solution exist, that closes the browser automatically once the redirect-URI is opened (and also returns the verification code)?

Thanks in advance!

like image 767
Rick de Vries Avatar asked Sep 13 '17 11:09

Rick de Vries


People also ask

What is oauth2 flow?

The OAuth 2.0 Authorization Framework powers various authorization flows and grants. Flows are means of obtaining Access Tokens. Selecting the right flow for your use case depends on your app type, but you should also consider other parameters like the client's level of trust and the user experience.

Which oauth2 flow should I use?

For most cases, we recommend using the Authorization Code Flow with PKCE because the Access Token is not exposed on the client side, and this flow can return Refresh Tokens. To learn more about how this flow works and how to implement it, see Authorization Code Flow with Proof Key for Code Exchange (PKCE).


1 Answers

I haven't tried this, but my idea is to use FlutterWebviewPlugin to send the user to a URL like https://www.facebook.com/v2.8/dialog/oauth?client_id={app-id}&redirect_uri=fbAPP_ID://authorize. Then add native handlers for application:openURL:options: (on iOS) and onNewIntent (Android) and modify AndroidManifest.xml and Info.plist to register the app to receive URLs from the fbAPP_ID scheme. You can use the platform channels to pass the deep link parameters back to Dart-land and call close() on the webview on the Dart side.

like image 54
Collin Jackson Avatar answered Oct 13 '22 13:10

Collin Jackson