[flutter_appauth_web] add web support via the AppAuth-JS SDK#663
Open
eirikb wants to merge 1 commit into
Open
Conversation
New endorsed federated package implementing the OAuth 2.0 authorization code flow with PKCE on the web by wrapping the official @openid/appauth SDK, as discussed in MaikuB#70. The SDK is vendored as a reproducibly-built browser bundle (pinned version with build source under js/) and injected at runtime, so apps need no web/index.html changes. Also endorses it as the web implementation via default_package, registers the package in the Melos workspace, adds web support to the example app, and documents web usage in the README.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Hi @MaikuB
Another go at web support, this time wrapping the official AppAuth-JS (
@openid/appauth) like you suggested in #70. The previous attempt (#620) was the hand-rolled one you rightly closed.What it is
A separate, endorsed federated package,
flutter_appauth_web, so it gets pulled in automatically on web and you can endorse it viadefault_package(the url_launcher way). It does the authorization code + PKCE flow by delegating to AppAuth-JS, no custom OAuth logic of my own.The AppAuth-JS bundle is vendored (committed) and built reproducibly from
js/(pinned@openid/appauth@1.3.2, lockfile, onejs/build.sh), with an Apache-2.0 NOTICE. It's injected at runtime, so app devs don't have to touch theirweb/index.html.There were a couple of AppAuth-JS quirks I had to wrap around (the redirect handler reads the URL fragment but the code flow returns the response in the query string, and it throws away token error bodies). Those are documented inline right where they happen.
Honesty bit
I should be upfront: a lot of this was written with AI (Opus 4.8). Buuut I didn't just trust it blindly. I verified it end to end, real authorization-code-with-PKCE round-trips in a headless browser against the live Duende demo IdP and against our own provider (Azure AD B2C federated), token endpoint returning 200 and the URL cleaned up afterwards. And I ran the whole thing through several postmortem/review passes with a few different models, which caught a fair number of bugs across the iterations before I was happy. So AI-written, but human-checked and actually tested, not vibes.
There's also a small
test/covering the pure URL logic, and it passesflutter analyzeunder strict mode.One open thing
There's a bit of repetition in
authorize/authorizeAndExchangeCodewhen resolving the config. I could dedupe it cleanly ifflutter_appauth_platform_interfaceexportedAcceptedAuthorizationServiceConfigurationDetails, right now reaching into itssrc/would tripimplementation_imports. I didn't want to reshape your core types in this PR, but happy to follow up if you'd like that.Only the redirect flow is supported (no popup), same scope as #620. Let me know what you think 🙂