OAuthSession class final
A class that manages OAuth 2.0 session information with DPoP (Demonstrating Proof of Possession) support.
This class implements OAuth 2.0 token management with the DPoP extension, as specified in RFC 9449.
It maintains both standard OAuth token attributes and DPoP-specific components required for proof-of-possession token binding.
Token Components
- Bearer credentials (access and refresh tokens)
- Token metadata (type, scope, expiration)
- Subject identifier for token binding
DPoP Components
- Cryptographic key pair (Base64URL encoded)
- DPoP nonce for proof freshness
The implementation follows the OAuth 2.0 DPoP security considerations:
- Key material isolation
- Nonce tracking for replay prevention
- Separate storage of sensitive credentials
Example:

    final session = OAuthSession(
      accessToken: 'eyJhbGciOiJSUzI1NiIsInR5cCI6ImF0K2pwdCJ9...',
      refreshToken: 'eyJhbGciOiJSUzI1NiIsInR5cCI6InJ0K2pwdCJ9...',
      tokenType: 'DPoP',
      scope: 'profile email',
      expiresAt: DateTime.now().add(Duration(hours: 1)),
      sub: '123456789',
      $dPoPNonce: 'nonce-7654321',
      $publicKey: 'eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2Iiwia2lkIjoiMTI...',
      $privateKey: 'eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2Iiwia2lkIjoi...',
    );
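The nonce tracking listed above, as an added example that is not code from this package: `$dPoPNonce` is the one documented property with a setter, because the server can rotate the nonce through the `DPoP-Nonce` response header (RFC 9449, sections 8 and 9). `Session`, `needsRefresh` and `absorbNonce` are hypothetical names, and `Session` is a stand-in carrying only the two documented members used here.

```dart
// Added example. `Session` is a minimal stand-in exposing only the two
// documented OAuthSession members used here; swap in the real class.
class Session {
  Session({required this.expiresAt, required this.$dPoPNonce});
  final DateTime expiresAt;
  String $dPoPNonce; // the only field documented as a getter/setter pair
}

/// True when the access token is expired or within [skew] of expiring.
bool needsRefresh(Session s, DateTime now,
        {Duration skew = const Duration(seconds: 30)}) =>
    !now.isBefore(s.expiresAt.subtract(skew));

/// Stores a server-supplied nonce and reports whether the request should be
/// retried with a new proof that carries it.
bool absorbNonce(Session s, int status, Map<String, String> headers,
    {String? bodyError}) {
  // Header names are case-insensitive; normalise before lookup.
  final h = {for (final e in headers.entries) e.key.toLowerCase(): e.value};
  final nonce = h['dpop-nonce'];
  if (nonce == null || nonce.isEmpty) return false;
  final changed = nonce != s.$dPoPNonce;
  s.$dPoPNonce = nonce; // keep the latest nonce, also on successful responses

  // Authorization server: 400 with error=use_dpop_nonce in the JSON body.
  final asDemand = status == 400 && bodyError == 'use_dpop_nonce';
  // Resource server: 401 with WWW-Authenticate: DPoP error="use_dpop_nonce".
  // Substring check only, not a full challenge parser.
  final challenge = (h['www-authenticate'] ?? '').toLowerCase();
  final rsDemand = status == 401 &&
      challenge.contains('dpop') &&
      challenge.contains('use_dpop_nonce');
  // Retry only when the nonce actually changed, so a repeat cannot loop.
  return changed && (asDemand || rsDemand);
}

void main() {
  // Constructed sample values.
  final s = Session(
      expiresAt: DateTime.utc(2030, 1, 1, 12), $dPoPNonce: 'nonce-7654321');
  print(needsRefresh(s, DateTime.utc(2030, 1, 1, 11, 59, 45)));
  final retry = absorbNonce(s, 401, {
    'DPoP-Nonce': 'nonce-constructed-2',
    'WWW-Authenticate': 'DPoP error="use_dpop_nonce"',
  });
  print('$retry ${s.$dPoPNonce}');
}
```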
Constructors
- OAuthSession({required String accessToken, required String refreshToken, required String tokenType, required String scope, required DateTime expiresAt, required String sub, required String $dPoPNonce, required String $publicKey, required String $privateKey})
  Creates an OAuth session with DPoP support.
Properties
- $dPoPNonce ↔ String
  Server-provided DPoP nonce. (getter/setter pair)
- $privateKey → String
  Base64URL encoded private key for DPoP. (final)
- $publicKey → String
  Base64URL encoded public key for DPoP. (final)
- accessToken → String
  The DPoP-bound JWT access token. (final)
- expiresAt → DateTime
  Access token expiration timestamp. (final)
- hashCode → int
  The hash code for this object. (no setter, inherited)
- refreshToken → String
  The refresh token for obtaining new access tokens. (final)
- runtimeType → Type
  A representation of the runtime type of the object. (no setter, inherited)
- scope → String
  OAuth 2.0 scope string. (final)
- sub → String
  Subject identifier for token binding. (final)
- tokenType → String
  The token type identifier. (final)
Methods
- noSuchMethod(Invocation invocation) → dynamic
  Invoked when a nonexistent method or property is accessed. (inherited)
- toString() → String
  A string representation of this object. (inherited)
Operators
- operator ==(Object other) → bool
  The equality operator. (inherited)