generateAPICredentialPair function
A utility method to generate a ClientID and Client Secret pair.

secret may be null. If secret is null, the return value is a 'public' client. Otherwise, the client is 'confidential'. Public clients must not include a client secret when sent to the authorization server. Confidential clients must include the secret in all requests. Use public clients when the source code of the client application is visible, for example a JavaScript browser application.

Any client that allows the authorization code flow must include redirectURI.

Note that secret is hashed with a randomly generated salt, and therefore cannot be retrieved later. The plain-text secret must be stored securely elsewhere.
Implementation
AuthClient generateAPICredentialPair(
  String clientID,
  String? secret, {
  String? redirectURI,
  int hashLength = 32,
  int hashRounds = 1000,
  Hash? hashFunction,
}) {
  // No secret supplied: return a public client, which carries no hash or salt.
  if (secret == null) {
    return AuthClient.public(clientID, redirectURI: redirectURI);
  }

  // Confidential client: hash the secret with a freshly generated salt.
  // Only the hash and the salt are kept on the returned client.
  final salt = generateRandomSalt(hashLength: hashLength);
  final hashed = generatePasswordHash(
    secret,
    salt,
    hashRounds: hashRounds,
    hashLength: hashLength,
    hashFunction: hashFunction,
  );

  return AuthClient.withRedirectURI(clientID, hashed, salt, redirectURI);
}
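Because only the salted hash is kept, a presented secret can only be checked by re-deriving the hash with the stored salt and the same parameters. The following is an added example, not the library's own code, showing that check for confidential and public clients. The import path, the AuthClient field names hashedSecret and salt, and the helpers constantTimeEquals and secretMatches are assumptions.

```dart
// Added example. Assumption: the functions on this page are exported by
// this import; adjust it to the package you actually use.
import 'package:conduit_core/conduit_core.dart';

/// Compares two strings without stopping at the first mismatching character.
bool constantTimeEquals(String a, String b) {
  if (a.length != b.length) return false;
  var diff = 0;
  for (var i = 0; i < a.length; i++) {
    diff |= a.codeUnitAt(i) ^ b.codeUnitAt(i);
  }
  return diff == 0;
}

/// Hypothetical helper: re-derives the hash from [presented] and the stored
/// salt. [hashLength] and [hashRounds] must equal the values used when the
/// client was generated, otherwise a correct secret will not match.
bool secretMatches(
  AuthClient client,
  String? presented, {
  int hashLength = 32,
  int hashRounds = 1000,
}) {
  final stored = client.hashedSecret; // assumed field name
  final salt = client.salt; // assumed field name
  if (stored == null || salt == null) {
    // Public client: acceptable only when no secret is sent at all.
    return presented == null;
  }
  if (presented == null) return false; // confidential clients must send one
  final candidate = generatePasswordHash(presented, salt,
      hashRounds: hashRounds, hashLength: hashLength);
  return constantTimeEquals(candidate, stored);
}

void main() {
  const secret = 'constructed-sample-secret'; // constructed value
  final confidential = generateAPICredentialPair('com.example.backend', secret,
      redirectURI: 'https://example.com/callback');
  final public = generateAPICredentialPair('com.example.spa', null,
      redirectURI: 'https://example.com/spa');

  print(secretMatches(confidential, secret)); // correct secret
  print(secretMatches(confidential, 'wrong')); // wrong secret
  print(secretMatches(confidential, null)); // secret missing
  print(secretMatches(public, null)); // public client, no secret
  print(secretMatches(public, secret)); // public client sent a secret
}
```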