AuthServer class

An OAuth 2.0 authorization server.

An AuthServer is an implementation of an OAuth 2.0 authorization server. An authorization server issues, refreshes and revokes access tokens. It also verifies previously issued tokens, as well as client and resource owner credentials.

AuthServers are typically used in conjunction with AuthController and AuthRedirectController. These controllers provide HTTP interfaces to the AuthServer for issuing and refreshing tokens. Likewise, Authorizers verify these issued tokens to protect endpoint controllers.

AuthServers can be customized through their delegate. This required property manages persistent storage of authorization objects among other tasks. There are security considerations for AuthServerDelegate implementations; prefer to use a tested implementation like ManagedAuthDelegate from package:aqueduct/managed_auth.dart.

Usage example with ManagedAuthDelegate:

    import 'package:aqueduct/aqueduct.dart';
    import 'package:aqueduct/managed_auth.dart';

    class User extends ManagedObject<_User> implements _User, ManagedAuthResourceOwner {}
    class _User extends ManagedAuthenticatable {}

    class Channel extends ApplicationChannel {
      ManagedContext context;
      AuthServer authServer;

      @override
      Future prepare() async {
        // createContext() is an application-defined helper that opens the database.
        context = createContext();

        final delegate = new ManagedAuthDelegate<User>(context);
        authServer = new AuthServer(delegate);
      }

      @override
      Controller get entryPoint {
        final router = new Router();

        // The Authorizer verifies bearer tokens through authServer before the resource controller runs.
        router
          .route("/protected")
          .link(() => new Authorizer(authServer))
          .link(() => new ProtectedResourceController());

        // AuthController issues and refreshes tokens through authServer.
        router
          .route("/auth/token")
          .link(() => new AuthController(authServer));

        return router;
      }
    }
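As an added example that is not part of the Aqueduct documentation, the channel below extends the usage above: it sets the constructor's hashing parameters explicitly, derives each resource owner's password hash through the same AuthServer that authenticate() will later use to verify it, and requires a scope on a protected route. createContext(), ProtectedResourceController, the route paths and the "user" scope are assumed for illustration.

```dart
import 'dart:convert';
import 'dart:math';
import 'package:aqueduct/aqueduct.dart';
import 'package:aqueduct/managed_auth.dart';
import 'package:crypto/crypto.dart';

// The usage example's resource owner, plus an input-only `password` field that is never stored.
class User extends ManagedObject<_User> implements _User, ManagedAuthResourceOwner {
  @Serialize(input: true, output: false)
  String password;
}
class _User extends ManagedAuthenticatable {}

class Channel extends ApplicationChannel {
  ManagedContext context;
  AuthServer authServer;
  @override
  Future prepare() async {
    context = createContext(); // application helper that opens the database (assumed)
    // Raise the PBKDF2 work factor above the constructor default of 1000 rounds. Every hash this
    // server creates or checks uses these values; changing them later invalidates stored hashes.
    authServer = AuthServer(ManagedAuthDelegate<User>(context),
        hashRounds: 100000, hashLength: 32, hashFunction: sha256);
  }

  @override
  Controller get entryPoint {
    final router = Router();
    router.route("/register").link(() => RegisterController(context, authServer));
    router.route("/auth/token").link(() => AuthController(authServer));
    router.route("/protected") // bearer tokens lacking the "user" scope are rejected here
        .link(() => Authorizer.bearer(authServer, scopes: ["user"]))
        .link(() => ProtectedResourceController());
    return router;
  }
}

// Creates a resource owner. The hash comes from the same AuthServer that later verifies it in
// authenticate(), so the rounds, key length and hash function are guaranteed to match.
class RegisterController extends ResourceController {
  RegisterController(this.context, this.authServer);
  final ManagedContext context;
  final AuthServer authServer;
  @Operation.post()
  Future<Response> register(@Bind.body() User user) async {
    final rng = Random.secure();
    user.salt = base64Url.encode(List<int>.generate(16, (_) => rng.nextInt(256)));
    user.hashedPassword = authServer.hashPassword(user.password, user.salt);
    final inserted = await (Query<User>(context)..values = user).insert();
    inserted.removePropertiesFromBackingMap(["hashedPassword", "salt"]); // never echo secrets back
    return Response.ok(inserted);
  }
}
```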
Implemented types

Constructors
AuthServer(AuthServerDelegate delegate, { int hashRounds: 1000, int hashLength: 32, Hash hashFunction })
Creates a new instance of an AuthServer with a delegate. [...]

Properties

delegate → AuthServerDelegate
The object responsible for carrying out the storage mechanisms of this instance. [...]
documentedAuthorizationCodeFlow → APISecuritySchemeOAuth2Flow
Used during OpenAPI documentation.
documentedImplicitFlow → APISecuritySchemeOAuth2Flow
Used during OpenAPI documentation.
documentedPasswordFlow → APISecuritySchemeOAuth2Flow
Used during OpenAPI documentation.
hashFunction → Hash
The Hash function used by this instance's PBKDF2 algorithm to generate password hashes.
hashLength → int
The resulting key length of a password hash when generated by this instance.
hashRounds → int
The number of hashing rounds performed by this instance when validating a password.
hashCode → int
The hash code for this object.
read-only, inherited
runtimeType → Type
A representation of the runtime type of the object.
read-only, inherited

Methods

addClient(AuthClient client) → Future
Adds an OAuth2 client. [...]
authenticate(String username, String password, String clientID, String clientSecret, { Duration expiration: const Duration(hours: 24), List<AuthScope> requestedScopes }) → Future<AuthToken>
Authenticates a username and password of a ResourceOwner and returns an AuthToken upon success. [...]
authenticateForCode(String username, String password, String clientID, { int expirationInSeconds: 600, List<AuthScope> requestedScopes }) → Future<AuthCode>
Creates a one-time use authorization code for a given client ID and user credentials. [...]
documentComponents(APIDocumentContext context) → void
documentRequirementsForAuthorizer(APIDocumentContext context, Authorizer authorizer, { List<AuthScope> scopes }) → List<APISecurityRequirement>
exchange(String authCodeString, String clientID, String clientSecret, { int expirationInSeconds: 3600 }) → Future<AuthToken>
Exchanges a valid authorization code for an AuthToken. [...]
getClient(String clientID) → Future<AuthClient>
Returns an AuthClient record for its clientID. [...]
hashPassword(String password, String salt) → String
Hashes a password with salt using the PBKDF2 algorithm. [...]
refresh(String refreshToken, String clientID, String clientSecret, { List<AuthScope> requestedScopes }) → Future<AuthToken>
Refreshes a valid AuthToken instance. [...]
removeClient(String clientID) → Future
Revokes an AuthClient record. [...]
revokeAllGrantsForResourceOwner(int identifier) → Future
Revokes access for a ResourceOwner. [...]
validate<T>(AuthorizationParser<T> parser, T authorizationData, { List<AuthScope> requiredScope }) → FutureOr<Authorization>
Returns an Authorization if authorizationData is valid. [...]
verify(String accessToken, { List<AuthScope> scopesRequired }) → Future<Authorization>
Returns an Authorization for accessToken. [...]
noSuchMethod(Invocation invocation) → dynamic
Invoked when a non-existent method or property is accessed.
toString() → String
Returns a string representation of this object.

Operators

operator ==(dynamic other) → bool
The equality operator.

Constants

tokenTypeBearer → const String