OAuthSession class final

A class that manages OAuth 2.0 session information with DPoP (Demonstrating Proof of Possession) support.

This class implements OAuth 2.0 token management with the DPoP extension, as specified in RFC 9449.

It maintains both standard OAuth token attributes and DPoP-specific components required for proof-of-possession token binding.

Token Components

  • Bearer credentials (access and refresh tokens)
  • Token metadata (type, scope, expiration)
  • Subject identifier for token binding

DPoP Components

  • Cryptographic key pair (Base64URL encoded)
  • DPoP nonce for proof freshness

The implementation follows the OAuth 2.0 DPoP security considerations:

  • Key material isolation
  • Nonce tracking for replay prevention
  • Separate storage of sensitive credentials

Example:

final session = OAuthSession(
  accessToken: 'eyJhbGciOiJSUzI1NiIsInR5cCI6ImF0K2pwdCJ9...',
  refreshToken: 'eyJhbGciOiJSUzI1NiIsInR5cCI6InJ0K2pwdCJ9...',
  tokenType: 'DPoP',
  scope: 'profile email',
  expiresAt: DateTime.now().add(Duration(hours: 1)),
  sub: '123456789',
  $dPoPNonce: 'nonce-7654321',
  $publicKey: 'eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2Iiwia2lkIjoiMTI...',
  $privateKey: 'eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2Iiwia2lkIjoi...',
);
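
An added example, not part of this package's code: a client-side check that the JWT access token is bound to the session's DPoP key, comparing its `cnf.jkt` claim (RFC 9449) with the RFC 7638 thumbprint of `$publicKey`. It assumes `$publicKey` is a Base64URL-encoded EC JWK, as the sample value above suggests, and uses `package:crypto` for SHA-256; the function names are hypothetical.

```dart
import 'dart:convert';

import 'package:crypto/crypto.dart'; // assumed dependency: provides sha256

/// Decodes an unpadded Base64URL string that holds a JSON object.
Map<String, dynamic> decodeJsonSegment(String b64url) =>
    jsonDecode(utf8.decode(base64Url.decode(base64Url.normalize(b64url))))
        as Map<String, dynamic>;

String _b64(List<int> bytes) => base64Url.encode(bytes).replaceAll('=', '');

/// RFC 7638 thumbprint of an EC public JWK: SHA-256 over the required
/// members only, in lexicographic order, with no whitespace.
String ecJwkThumbprint(Map<String, dynamic> jwk) {
  if (jwk['kty'] != 'EC' ||
      [jwk['crv'], jwk['x'], jwk['y']].any((v) => v is! String)) {
    throw FormatException('expected an EC JWK with crv, x and y');
  }
  final canonical = jsonEncode(
      {'crv': jwk['crv'], 'kty': 'EC', 'x': jwk['x'], 'y': jwk['y']});
  return _b64(sha256.convert(utf8.encode(canonical)).bytes);
}

/// True when the token's `cnf.jkt` claim names the session's public key.
/// Sanity check only: the token signature is not verified here.
bool accessTokenBoundToKey(String accessToken, String publicKeyB64) {
  final parts = accessToken.split('.');
  if (parts.length != 3) return false; // opaque or malformed token
  final jwk = decodeJsonSegment(publicKeyB64);
  if (jwk.containsKey('d')) {
    throw StateError('public key field carries the private parameter "d"');
  }
  final cnf = decodeJsonSegment(parts[1])['cnf'];
  return cnf is Map && cnf['jkt'] == ecJwkThumbprint(jwk);
}

void main() {
  // Constructed sample data: neither a real key nor a real token.
  String enc(Object o) => _b64(utf8.encode(jsonEncode(o)));
  final jwk = {'kty': 'EC', 'crv': 'P-256', 'x': 'c2FtcGxlLXg', 'y': 'c2FtcGxlLXk'};
  final publicKey = enc(jwk); // stands in for session.$publicKey
  String token(String jkt) => [
        enc({'typ': 'at+jwt', 'alg': 'ES256'}),
        enc({'sub': '123456789', 'cnf': {'jkt': jkt}}),
        'constructed-signature',
      ].join('.');
  print(accessTokenBoundToKey(token(ecJwkThumbprint(jwk)), publicKey));
  print(accessTokenBoundToKey(token('thumbprint-of-another-key'), publicKey));
}
```

With a real session the call is `accessTokenBoundToKey(session.accessToken, session.$publicKey)`; a `false` result means the token was issued for a different key and proofs signed with this session's key will be rejected.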

Constructors

OAuthSession({required String accessToken, required String refreshToken, required String tokenType, required String scope, required DateTime expiresAt, required String sub, required String $dPoPNonce, required String $publicKey, required String $privateKey})
Creates an OAuth session with DPoP support.

Properties

$dPoPNonce String
Server-provided DPoP nonce.
getter/setter pair
$privateKey String
Base64URL encoded private key for DPoP.
final
$publicKey String
Base64URL encoded public key for DPoP.
final
accessToken String
The DPoP-bound JWT access token.
final
expiresAt DateTime
Access token expiration timestamp.
final
hashCode int
The hash code for this object.
no setter, inherited
refreshToken String
The refresh token for obtaining new access tokens.
final
runtimeType Type
A representation of the runtime type of the object.
no setter, inherited
scope String
OAuth 2.0 scope string.
final
sub String
Subject identifier for token binding.
final
tokenType String
The token type identifier.
final

Methods

noSuchMethod(Invocation invocation) → dynamic
Invoked when a nonexistent method or property is accessed.
inherited
toString() → String
A string representation of this object.
inherited

Operators

operator ==(Object other) → bool
The equality operator.
inherited