Config class

Parameters according to official Microsoft Documentation:

DartDocs of parameters are mostly from those pages.


Config({required String tenant, String? policy, required String clientId, String responseType = 'code', String? redirectUri, required String scope, bool webUseRedirect = false, String? responseMode, String? state, String? prompt, String? codeChallenge, String? codeChallengeMethod, String nonce = '12345', String tokenIdentifier = 'Token', String? clientSecret, String? resource, bool isB2C = false, String? customAuthorizationUrl, String? customTokenUrl, String? customDomainUrlWithTenantId, String? loginHint, String? domainHint, String? codeVerifier, String? userAgent, bool isStub = false, Widget loader = const SizedBox(), AndroidOptions? aOptions, CacheLocation? cacheLocation, required GlobalKey<NavigatorState> navigatorKey, String? origin, Map<String, String> customParameters = const {}, String? postLogoutRedirectUri, PreferredSizeWidget? appBar, dynamic onPageFinished(String url)?})
Azure AD OAuth Configuration. Look at individual fields for description.


aOptions ↔ AndroidOptions
Android storage options for shared preferences; defaults to encrypting shared prefs.
getter/setter pair
appBar PreferredSizeWidget?
add an app bar to the login page
getter/setter pair
authorizationUrl String
Azure AD authorization URL.
cacheLocation CacheLocation
Cache location used when authenticating with a web client. One of: "CacheLocation.localStorage" (local browser storage, the default), "CacheLocation.sessionStorage" (session context), or "CacheLocation.memoryStorage" (memory only).
getter/setter pair
clientId String
The Application (client) ID that the Azure portal – App registrations experience assigned to your app.
clientSecret String?
The client secret that you generated for your app in the app registration portal.
codeChallenge String?
Used to secure authorization code grants via Proof Key for Code Exchange (PKCE). Required if codeChallengeMethod is included. For more information, see the PKCE RFC. This is now recommended for all application types - native apps, SPAs, and confidential clients like web apps.
codeChallengeMethod String?
The method used to encode the code_verifier for the code_challenge parameter. This SHOULD be S256, but the spec allows the use of plain if for some reason the client cannot support SHA256. If excluded, code_challenge is assumed to be plaintext if codeChallenge is included. Microsoft identity platform supports both plain and S256. For more information, see the PKCE RFC. This is required for single page apps using the authorization code flow.
codeVerifier String?
The same code_verifier that was used to obtain the authorization_code. Required if PKCE was used in the authorization code grant request. For more information, see the PKCE RFC.
getter/setter pair
customAuthorizationUrl String?
Override of the authorization URL, can be used to enable ADFS authentication.
customDomainUrlWithTenantId String?
When using Azure AD B2C with a custom domain or Azure Front Door, the custom domain URL must be used instead of the default URL. This will change the issuer of the token to the custom domain URL. Example: More information can be found here:
customParameters Map<String, String>
Support for custom URL parameters for dynamic UI support. View docs on Azure B2C:
customTokenUrl String?
Override of the token URL, can be used to enable ADFS authentication.
domainHint String?
If included, it will skip the email-based discovery process that the user goes through on the sign-in page, leading to a slightly more streamlined user experience, for example by sending them to their federated identity provider. Often apps will use this parameter during re-authentication, by extracting the tid from a previous sign-in. If the tid claim value is 9188040d-6c67-4c5b-b112-36a304b66dad, you should use domain_hint=consumers. Otherwise, use domain_hint=organizations.
getter/setter pair
hashCode int
The hash code for this object.
no setter, inherited
isB2C bool
Using Azure AD B2C instead of standard Azure AD. Azure Active Directory B2C provides business-to-customer identity as a service.
isStub bool
Flag whether to use a stub implementation for unit testing or not
getter/setter pair
loader Widget
Loader widget shown before the web page loads.
getter/setter pair
loginHint String?
Can be used to pre-fill the username/email address field of the sign-in page for the user, if you know their username ahead of time. Often apps will use this parameter during re-authentication, having already extracted the username from a previous sign-in using the preferred_username claim.
getter/setter pair
navigatorKey ↔ GlobalKey<NavigatorState>
Navigator key used to navigate to the login webview if interactive login is required.
getter/setter pair
nonce String
AAD B2C only: A nonce is a strategy used to mitigate token replay attacks. Your application can specify a nonce in an authorization request by using the nonce query parameter. The value you provide in the request is emitted unmodified in the nonce claim of an ID token only. This claim allows your application to verify the value against the value specified on the request. Your application should perform this validation during the ID token validation process.
onPageFinished ↔ (dynamic Function(String url)?)
add onPageFinished callback
getter/setter pair
origin String?
Origin header parameter for TokenRequestDetails and TokenRefreshRequestDetails
getter/setter pair
policy String?
AAD B2C only: The user flow to be run. Specify the name of a user flow you've created in your Azure AD B2C tenant. For example: b2c_1_sign_in, b2c_1_sign_up, or b2c_1_edit_profile
postLogoutRedirectUri String?
Sign-out with a redirect. During the Azure logout process, the user is redirected to this URL, which lets the app verify that the user has been logged out successfully. View docs:
getter/setter pair
prompt String?
Indicates the type of user interaction that is required. The only valid values at this time are login, none, and consent.
redirectUri String
The redirect uri of your app, where authentication responses can be sent and received by your app. It must exactly match one of the redirect_uris you registered in the portal, except it must be url encoded. For native & mobile apps, you should use the default value.
resource String?
responseMode String?
Specifies the method that should be used to send the resulting token back to your app. Can be one of the following:
responseType String
Must include code for the authorization code flow.
runtimeType Type
A representation of the runtime type of the object.
no setter, inherited
scope String
A space-separated list of scopes that you want the user to consent to. For the /authorize leg of the request, this can cover multiple resources, allowing your app to get consent for multiple web APIs you want to call.
state String?
A value included in the request that will also be returned in the token response. It can be a string of any content that you wish. A randomly generated unique value is typically used for preventing cross-site request forgery attacks. The value can also encode information about the user's state in the app before the authentication request occurred, such as the page or view they were on.
tenant String
The tenant value in the path of the request can be used to control who can sign into the application. The allowed values are common, organizations, consumers, and tenant identifiers. For Azure AD B2C, this is the name of your Azure AD B2C tenant.
tokenIdentifier String
AAD B2C only: Identifies access tokens, to allow multiple concurrent sessions.
getter/setter pair
tokenUrl String
Azure AD token URL.
userAgent String?
User agent of web view. (using flutter_webview_plugin)
getter/setter pair
webUseRedirect bool
On Web only, use http redirect instead of popups to acquire an access token. This may be useful to avoid popup warnings and on iOS devices that prevent sharing of information between the popup and a Progressive web application (PWA) installed on the home screen.
getter/setter pair
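
The codeVerifier, codeChallenge, codeChallengeMethod, state and nonce fields above all expect values that are unpredictable and fresh for each authorization request. The following is an added example, not code from the aad_oauth package: it derives an S256 challenge as defined in the PKCE RFC, generates random state and nonce values, and compares the nonce claim of a returned ID token with the value that was sent. It assumes the pub.dev `crypto` package is available; the helper names are hypothetical.

```dart
import 'dart:convert';
import 'dart:math';

import 'package:crypto/crypto.dart'; // assumption: "crypto" is a dependency

/// URL-safe base64 without '=' padding, the encoding RFC 7636 uses.
String b64url(List<int> bytes) => base64Url.encode(bytes).replaceAll('=', '');

/// [n] bytes from the platform CSPRNG, base64url-encoded.
String randomToken(int n) {
  final rng = Random.secure();
  return b64url(List<int>.generate(n, (_) => rng.nextInt(256)));
}

/// code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) for method S256.
String s256Challenge(String verifier) =>
    b64url(sha256.convert(ascii.encode(verifier)).bytes);

/// Checks the nonce claim of an ID token against the value sent in the request.
/// Only the payload is decoded here; signature and issuer validation are
/// separate steps of ID token validation.
bool nonceMatches(String idToken, String expectedNonce) {
  final parts = idToken.split('.');
  if (parts.length != 3) return false;
  try {
    final text = utf8.decode(base64Url.decode(base64Url.normalize(parts[1])));
    final payload = jsonDecode(text);
    return payload is Map && payload['nonce'] == expectedNonce;
  } on FormatException {
    return false; // malformed base64, UTF-8 or JSON
  }
}

void main() {
  // Fresh values per authorization request; keep state and nonce until the
  // response arrives so they can be compared.
  final codeVerifier = randomToken(32); // 43 characters, the RFC 7636 minimum
  final codeChallenge = s256Challenge(codeVerifier);
  final state = randomToken(16);
  final nonce = randomToken(16);
  // These map onto the Config parameters codeVerifier, codeChallenge,
  // codeChallengeMethod ('S256'), state and nonce.
  print({'codeChallenge': codeChallenge, 'state': state, 'nonce': nonce});

  // Constructed, unsigned sample token (header.payload.signature).
  final sample = ['{"alg":"none"}', '{"nonce":"$nonce"}', 'sig']
      .map((p) => b64url(utf8.encode(p))).join('.');
  print(nonceMatches(sample, nonce)); // token carrying the nonce that was sent
  print(nonceMatches(sample, '12345')); // token checked against a different value
}
```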


noSuchMethod(Invocation invocation) → dynamic
Invoked when a nonexistent method or property is accessed.
toString() String
A string representation of this object.


operator ==(Object other) bool
The equality operator.

Static Methods

getDefaultRedirectUri() String
Determine an appropriate redirect URI for AAD authentication. On web, it is the location that the application is being served from. On mobile, it is


contentType → const String
Content type for token request.