Skip to content

[flutter_appauth_web] add web support via the AppAuth-JS SDK#663

Open
eirikb wants to merge 1 commit into
MaikuB:masterfrom
eirikb:feature/eirikb/web-support-appauth-js
Open

[flutter_appauth_web] add web support via the AppAuth-JS SDK#663
eirikb wants to merge 1 commit into
MaikuB:masterfrom
eirikb:feature/eirikb/web-support-appauth-js

Conversation

@eirikb

@eirikb eirikb commented Jun 24, 2026

Copy link
Copy Markdown

Hi @MaikuB

Another go at web support, this time wrapping the official AppAuth-JS (@openid/appauth) like you suggested in #70. The previous attempt (#620) was the hand-rolled one you rightly closed.

What it is

A separate, endorsed federated package, flutter_appauth_web, so it gets pulled in automatically on web and you can endorse it via default_package (the url_launcher way). It does the authorization code + PKCE flow by delegating to AppAuth-JS, no custom OAuth logic of my own.

The AppAuth-JS bundle is vendored (committed) and built reproducibly from js/ (pinned @openid/appauth@1.3.2, lockfile, one js/build.sh), with an Apache-2.0 NOTICE. It's injected at runtime, so app devs don't have to touch their web/index.html.

There were a couple of AppAuth-JS quirks I had to wrap around (the redirect handler reads the URL fragment but the code flow returns the response in the query string, and it throws away token error bodies). Those are documented inline right where they happen.

Honesty bit

I should be upfront: a lot of this was written with AI (Opus 4.8). Buuut I didn't just trust it blindly. I verified it end to end, real authorization-code-with-PKCE round-trips in a headless browser against the live Duende demo IdP and against our own provider (Azure AD B2C federated), token endpoint returning 200 and the URL cleaned up afterwards. And I ran the whole thing through several postmortem/review passes with a few different models, which caught a fair number of bugs across the iterations before I was happy. So AI-written, but human-checked and actually tested, not vibes.

There's also a small test/ covering the pure URL logic, and it passes flutter analyze under strict mode.

One open thing

There's a bit of repetition in authorize/authorizeAndExchangeCode when resolving the config. I could dedupe it cleanly if flutter_appauth_platform_interface exported AcceptedAuthorizationServiceConfigurationDetails, right now reaching into its src/ would trip implementation_imports. I didn't want to reshape your core types in this PR, but happy to follow up if you'd like that.

Only the redirect flow is supported (no popup), same scope as #620. Let me know what you think 🙂

New endorsed federated package implementing the OAuth 2.0 authorization
code flow with PKCE on the web by wrapping the official @openid/appauth
SDK, as discussed in MaikuB#70. The SDK is vendored as a reproducibly-built
browser bundle (pinned version with build source under js/) and injected
at runtime, so apps need no web/index.html changes.

Also endorses it as the web implementation via default_package, registers
the package in the Melos workspace, adds web support to the example app,
and documents web usage in the README.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant