OAuthSession class final

A class that manages OAuth 2.0 session information with DPoP (Demonstrating Proof of Possession) support.

This class implements OAuth 2.0 token management with DPoP extension as specified in RFC 9449.

It maintains both standard OAuth token attributes and DPoP-specific components required for proof-of-possession token binding.

Token Components

  • Bearer credentials (access and refresh tokens)
  • Token metadata (type, scope, expiration)
  • Subject identifier for token binding

DPoP Components

  • Cryptographic key pair (Base64URL encoded)
  • DPoP nonce for proof freshness

The implementation follows the OAuth 2.0 DPoP security considerations:

  • Key material isolation
  • Nonce tracking for replay prevention
  • Separate storage of sensitive credentials

Security Warning

This object contains highly sensitive secrets: the DPoP private key ($privateKey) as well as the access and refresh tokens. Anyone in possession of these values can impersonate the authenticated user. Never log this object, and only persist it (e.g. via toJson) into encrypted or otherwise access-controlled storage such as the platform keychain/keystore.

Example:

final session = OAuthSession(
  accessToken: 'eyJhbGciOiJSUzI1NiIsInR5cCI6ImF0K2pwdCJ9...',
  refreshToken: 'eyJhbGciOiJSUzI1NiIsInR5cCI6InJ0K2pwdCJ9...',
  tokenType: 'DPoP',
  scope: 'profile email',
  expiresAt: DateTime.now().add(Duration(hours: 1)),
  sub: '123456789',
  $dPoPNonce: 'nonce-7654321',
  $publicKey: 'eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2Iiwia2lkIjoiMTI...',
  $privateKey: 'eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2Iiwia2lkIjoi...',
);

Constructors

OAuthSession({required String accessToken, required String refreshToken, required String tokenType, required String scope, required DateTime expiresAt, required String sub, String? $clientId, String? $dPoPNonce, required String $publicKey, required String $privateKey})
Creates an OAuth session with DPoP support.
OAuthSession.fromJson(Map<String, dynamic> json)
Restores a session previously serialized with toJson.
factory

Properties

$clientId String?
OAuth client identifier used to obtain this session.
final
$dPoPNonce String?
Server-provided DPoP nonce.
getter/setter pair
$privateKey String
Base64URL encoded private key for DPoP.
final
$publicKey String
Base64URL encoded public key for DPoP.
final
accessToken String
The DPoP-bound JWT access token.
final
expiresAt DateTime
Access token expiration timestamp.
final
hashCode int
The hash code for this object.
no setterinherited
refreshToken String
The refresh token for obtaining new access tokens.
final
runtimeType Type
A representation of the runtime type of the object.
no setterinherited
scope String
OAuth 2.0 scope string.
final
sub String
Subject identifier for token binding.
final
tokenType String
The token type identifier.
final

Methods

noSuchMethod(Invocation invocation) → dynamic
Invoked when a nonexistent method or property is accessed.
inherited
toJson() Map<String, dynamic>
Serializes this session so it can be restored later with OAuthSession.fromJson.
toString() String
A string representation of this object.
inherited

Operators

operator ==(Object other) bool
The equality operator.
inherited