flutter_appauth 0.6.0


Flutter AppAuth Plugin #


A Flutter bridge for AppAuth (https://appauth.io), used for authenticating and authorizing users. Note that AppAuth also supports the PKCE extension that is required by some providers, so this plugin should work with them.


  • This plugin requires apps to be using AndroidX. The Flutter tooling supports creating apps with AndroidX support but requires passing the androidx flag. Details on AndroidX compatibility and migration can be found here
  • If Chrome Custom Tabs are not working in your Android app, check to make sure that you have the latest version of this plugin, Android Studio, Gradle distribution and Android Gradle plugin for your app. There was previously a known issue with the Android tooling with AndroidX that should now be resolved since Android Studio 3.4 has been released

Getting Started #

Please see the example that demonstrates how to sign into the IdentityServer4 demo site (https://demo.identityserver.io). It has also been tested with Azure B2C and Google Sign-in. It is suggested that developers check the documentation of the identity provider they are using to see what capabilities it supports e.g. how to logout, what values of the prompt parameter it supports etc. API docs can be found here

The first step is to create an instance of the plugin

FlutterAppAuth appAuth = FlutterAppAuth();

Afterwards, you'll reach a point where end-users need to be authorized and authenticated. A convenience method is provided that will perform an authorization request and automatically exchange the authorization code. This can be done in a few different ways, one of which is to use the OpenID Connect Discovery

final AuthorizationTokenResponse result = await appAuth.authorizeAndExchangeCode(
    AuthorizationTokenRequest('<client_id>', '<redirect_url>',
        discoveryUrl: '<discovery_url>',
        scopes: ['openid', 'profile', 'email', 'offline_access', 'api']));

Here the <client_id> and <redirect_url> should be replaced by the values registered with your identity provider. The <discovery_url> would be the URL for the discovery endpoint exposed by your provider that will return a document containing information about the OAuth 2.0 endpoints among other things. This URL is obtained by concatenating the issuer with the path /.well-known/openid-configuration. For example, the full URL for the IdentityServer4 demo site is https://demo.identityserver.io/.well-known/openid-configuration. As demonstrated in the above sample code, it's also possible to specify the scopes being requested.

Rather than using the full discovery URL, the issuer could be used instead so that the process of retrieving the discovery document is skipped

final AuthorizationTokenResponse result = await appAuth.authorizeAndExchangeCode(
    AuthorizationTokenRequest('<client_id>', '<redirect_url>',
        issuer: '<issuer>',
        scopes: ['openid', 'profile', 'email', 'offline_access', 'api']));

If you already know the authorization and token endpoints, which may be because discovery isn't supported, then these could be explicitly specified

final AuthorizationTokenResponse result = await appAuth.authorizeAndExchangeCode(
    AuthorizationTokenRequest('<client_id>', '<redirect_url>',
        serviceConfiguration: AuthorizationServiceConfiguration(
            '<authorization_endpoint>', '<token_endpoint>'),
        scopes: ['openid', 'profile', 'email', 'offline_access', 'api']));

Upon completing the request successfully, the method should return an object (the result variable in the above sample code is an instance of the AuthorizationTokenResponse class) that contains details that should be stored for future use e.g. access token, refresh token etc.

If you would prefer not to have the automatic code exchange happen, then you can call the authorize method instead of the authorizeAndExchangeCode method. This will return an instance of the AuthorizationResponse class that will contain the code verifier that AppAuth generated (as part of implementing PKCE) when issuing the authorization request, the authorization code and additional parameters should they exist. Both the code verifier and the authorization code would need to be stored so they can then be reused to exchange the code later on e.g.

// token() returns a TokenResponse rather than an AuthorizationTokenResponse.
final TokenResponse result = await appAuth.token(TokenRequest('<client_id>', '<redirect_url>',
        authorizationCode: '<authorization_code>',
        discoveryUrl: '<discovery_url>',
        codeVerifier: '<code_verifier>',
        scopes: ['openid', 'profile', 'email', 'offline_access', 'api']));
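The two-step flow described above, as an added example rather than code from the plugin's README: it calls authorize, keeps the returned authorization code and code verifier together, and redeems them later with token. The function names are hypothetical, the placeholders are the ones used elsewhere on this page, and the authorizationCode and codeVerifier field names on AuthorizationResponse are assumed for this version of the plugin (pre-null-safety Dart).

```dart
import 'package:flutter/services.dart' show PlatformException;
import 'package:flutter_appauth/flutter_appauth.dart';

// Placeholders, as elsewhere on this page.
const String clientId = '<client_id>';
const String redirectUrl = '<redirect_url>';
const String discoveryUrl = '<discovery_url>';
const List<String> scopes = ['openid', 'profile', 'email', 'offline_access', 'api'];

final FlutterAppAuth appAuth = FlutterAppAuth();

/// Step 1 (hypothetical helper): authorization request only. AppAuth generates
/// the PKCE code verifier and sends the matching challenge; no tokens yet.
Future<AuthorizationResponse> requestAuthorizationCode() {
  return appAuth.authorize(AuthorizationRequest(clientId, redirectUrl,
      discoveryUrl: discoveryUrl, scopes: scopes));
}

/// Step 2 (hypothetical helper): redeem the code. The verifier must be the one
/// returned by the same authorize call, otherwise the provider's PKCE check
/// rejects the exchange.
Future<TokenResponse> redeemAuthorizationCode(AuthorizationResponse pending) async {
  try {
    return await appAuth.token(TokenRequest(clientId, redirectUrl,
        authorizationCode: pending.authorizationCode,
        codeVerifier: pending.codeVerifier,
        discoveryUrl: discoveryUrl,
        scopes: scopes));
  } on PlatformException catch (e) {
    // Authorization codes are single use: after a failed exchange, start again
    // from step 1 instead of retrying with the same code. Report the error
    // code only, never the authorization code or the verifier.
    throw StateError('Code exchange failed (${e.code})');
  }
}

/// Runs both steps back to back; in a real app the pair returned by step 1
/// can be held in memory until the exchange is needed.
Future<TokenResponse> signIn() async {
  final AuthorizationResponse pending = await requestAuthorizationCode();
  return redeemAuthorizationCode(pending);
}
```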

Refreshing tokens #

Some providers may return a refresh token that could be used to refresh short-lived access tokens. A request to get a new access token before it expires could be made that would look similar to the following code

// token() returns a TokenResponse rather than an AuthorizationTokenResponse.
final TokenResponse result = await appAuth.token(TokenRequest('<client_id>', '<redirect_url>',
        discoveryUrl: '<discovery_url>',
        refreshToken: '<refresh_token>',
        scopes: ['openid', 'profile', 'email', 'offline_access', 'api']));
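One way to refresh before expiry, as an added example that is not part of the plugin's README: it refreshes only when the access token is close to expiring and keeps the existing refresh token when the provider does not return a new one. StoredTokens, refreshIfNeeded and the 60-second margin are hypothetical choices, and the accessToken, refreshToken and accessTokenExpirationDateTime field names on TokenResponse are assumed for this version of the plugin (pre-null-safety Dart).

```dart
import 'package:flutter_appauth/flutter_appauth.dart';

// Placeholders, as elsewhere on this page.
const String clientId = '<client_id>';
const String redirectUrl = '<redirect_url>';
const String discoveryUrl = '<discovery_url>';
const List<String> scopes = ['openid', 'profile', 'email', 'offline_access', 'api'];

final FlutterAppAuth appAuth = FlutterAppAuth();

/// Minimal token holder for this example (hypothetical, not a plugin class).
class StoredTokens {
  StoredTokens(this.accessToken, this.refreshToken, this.expiresAt);

  final String accessToken;
  final String refreshToken;
  final DateTime expiresAt;

  /// Treats the token as expired [skew] early to allow for clock drift and
  /// request latency. An unknown expiry counts as expired.
  bool expiresWithin(Duration skew) =>
      expiresAt == null || DateTime.now().add(skew).isAfter(expiresAt);
}

/// Returns [current] unchanged while the access token is still valid,
/// otherwise exchanges the refresh token for a new access token.
Future<StoredTokens> refreshIfNeeded(StoredTokens current,
    {Duration skew = const Duration(seconds: 60)}) async {
  if (!current.expiresWithin(skew)) {
    return current;
  }
  if (current.refreshToken == null) {
    // offline_access was not granted or the provider issues no refresh tokens.
    throw StateError('No refresh token stored; a new sign-in is required');
  }
  final TokenResponse r = await appAuth.token(TokenRequest(clientId, redirectUrl,
      discoveryUrl: discoveryUrl,
      refreshToken: current.refreshToken,
      scopes: scopes));
  // Some providers rotate the refresh token on every use and others return
  // none on refresh: keep the new one when present, else the existing one.
  return StoredTokens(r.accessToken, r.refreshToken ?? current.refreshToken,
      r.accessTokenExpirationDateTime);
}
```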

Android setup #

Go to the build.gradle file for your Android app to specify the custom scheme, so that there is a section in it that looks similar to the following, replacing <your_custom_scheme> with the desired value

android {
    defaultConfig {
        manifestPlaceholders = [
                'appAuthRedirectScheme': '<your_custom_scheme>'
        ]
    }
}

iOS setup #

Go to the Info.plist for your iOS app to specify the custom scheme, so that there is a section in it that looks similar to the following, replacing <your_custom_scheme> with the desired value


0.6.0 #

  • [Android] BREAKING CHANGE Bump Gradle plugin to 3.5.2
  • [iOS] Fix issue 63 where login_hint and promptValues were only passed when using service discovery
  • Update pubspec to match latest version of pub

0.5.0 #

  • [Android] BREAKING CHANGE Bump compile and target SDK versions to 29
  • [Android] BREAKING CHANGE Bump Gradle plugin to version 3.5.2
  • Bump example app to use Gradle distribution version 5.4.1

0.4.2 #

  • [iOS] Update AppAuth SDK dependency to 1.2 so it works on iOS 13. Thanks to the PR from Aynur Dinmukhametov

0.4.0+1 #

  • Make it clearer in the readme that AndroidX is required

0.4.0 #

  • [iOS] Update AppAuth SDK dependency to 1.1
  • Update email address in pubspec.yaml
  • Add GrantTypes class as a convenience for other developers to use
  • BREAKING CHANGE authorize method has been corrected to accept an instance of the AuthorizationRequest class as opposed to an instance of the AuthorizationTokenRequest class even though a token isn't being requested

0.3.0+1 #

  • Update email address in pubspec.yaml

0.3.0 #

  • [iOS] Explicitly set to depend on version 1.0 of the AppAuth iOS SDK
  • Added Cirrus CI configuration

0.2.1+2 #

  • Updated README to fix section on refreshing tokens where authorizationCode was shown in code snippet by mistake

0.2.1+1 #

  • Updated README to add a note suggesting developers to check the documentation of the identity provider they plan to use

0.2.1 #

  • [iOS] Fix issue with login_hint OAuth parameter (specified by the loginHint field of the AuthorizationTokenRequest and AuthorizationRequest classes). Example app has also been updated to demonstrate how to specify it
  • Added support for specifying the prompt OAuth parameter. This can be specified by populating the promptValues field in either the AuthorizationTokenRequest or AuthorizationRequest class. Updated example app (note: code is commented out) to demonstrate how to use it

0.2.0 #

  • BREAKING CHANGE Updated the Android Gradle plugin to version 3.4.0. Applies to both the library and sample app
  • Updated README with a note for developers to check to see if their development environment on Android is up to date as this should now be fixed with the release of Android Studio 3.4
  • Updated the Gradle distribution used by the example app to 5.1.1

0.1.1 #

  • Changed the request codes used internally on the Android side to be less than 16 bits. Thanks to the PR from Dviejopomata

0.1.0 #

  • BREAKING CHANGE Updated lower bound of the Dart SDK constraints from 2.0.0-dev.68.0 to 2.1.0
  • Added more details to the error messages when platform exceptions are raised e.g. when problems occur exchanging the authorization code. Note that there will be differences in the level of details that will be returned on each platform. This is due to the differences between the SDKs on each platform

0.0.4+1 #

  • No functional changes in this release. Just remove old comment in the code and changes to format the README more nicely

0.0.4 #

  • BREAKING CHANGE renamed authorizeAndExchangeToken method to authorizeAndExchangeCode to reflect what happens behind the scenes
  • Added an authorize method that performs an authorization request to get an authorization code without exchanging it
  • Updated README and sample code to demonstrate the use of the authorize method, how to exchange the authorization code for tokens and how to perform an authorization request that will retrieve the discovery document with an issuer instead of the full discovery endpoint URL.

0.0.3+1 #

  • Fix code around inferring grant type.
  • Update plugin description

0.0.3 #

  • Fix to infer grant type based on what is provided when creating a token request (currently only refresh token is supported)
  • Update README to include link to https://appauth.io
  • Update example to include (commented out) code where the authorization and token endpoints can be explicitly set instead of relying on discovery to fetch those endpoints

0.0.2+1 #

  • Switch example to connect to test instance of IdentityServer4

0.0.2 #

  • Fix error when either discoveryUrl or issuer has been passed to the AuthorizationTokenRequest constructor

0.0.1+1 #

  • Update the README to add sections for setting up on Android and iOS

0.0.1 #

  • Initial release of the plugin.


flutter_appauth_example #

Demonstrates how to use the flutter_appauth plugin.

Getting Started #

This project is a starting point for a Flutter application.

A few resources to get you started if this is your first Flutter project:

For help getting started with Flutter, view our online documentation, which offers tutorials, samples, guidance on mobile development, and a full API reference.

Use this package as a library

1. Depend on it

Add this to your package's pubspec.yaml file:

dependencies:
  flutter_appauth: ^0.6.0

2. Install it

You can install packages from the command line:

with Flutter:

$ flutter pub get

Alternatively, your editor might support flutter pub get. Check the docs for your editor to learn more.

3. Import it

Now in your Dart code, you can use:

import 'package:flutter_appauth/flutter_appauth.dart';

We analyzed this package on Jan 21, 2020, and provided a score, details, and suggestions below. Analysis was completed with status completed using:

  • Dart: 2.7.0
  • pana: 0.13.4
  • Flutter: 1.12.13+hotfix.5


Package Constraint Resolved Available
Direct dependencies
Dart SDK >=2.1.0 <3.0.0
flutter 0.0.0
Transitive dependencies
collection 1.14.11 1.14.12
meta 1.1.8
sky_engine 0.0.99
typed_data 1.1.6
vector_math 2.0.8