[flutter_appauth][flutter_appauth_platform_interface] added support f…

…or end session requests (MaikuB#216) * progress on end session on iOS * various fixes * further updates to platform interface to handle end session requests * bump AppAuth iOS dependency to 1.4.0 * update AuthorizationServiceConfiguration to have nullable props * complete wiring up end session request on Android and iOS * update plugin for prerelease * add missing changelog entry on SDK dependencies being bumped * update Dart SDK constraints * update readmes and add mention to changelog * fix null endSessionEndpoint crash on iOS * bump platform interface * fix merge issue * bump plugin * Skip https issuer check if allowInsecureConnections is true. (MaikuB#228) * bump to 2.0.0-dev.3 * bump AppAuth Android dependency * create external user agent per request, which also issue where cancelling an end session request once won't allow for subsequent sessions to work * fix example app so that refreshing access token works again * bump for release * fix imports in example app * fix spacing in changelog * bump platform interface to 4.0.0 stable release * bump plugin to 2.0.0 stable Co-authored-by: Roman Fürst <[email protected]>
wdfw-fp · Nov 17, 2021 · f8bd32e · f8bd32e
1 parent 4d9aeee
commit f8bd32e
Show file tree

Hide file tree

Showing 23 changed files with 518 additions and 146 deletions.
diff --git a/README.md b/README.md
@@ -1,5 +1,5 @@
 # flutter_appauth
 A Flutter plugin that provides a wrapper for native AppAuth SDKs (https://appauth.io) used authenticating and authorizing users. The repository consists of the following folders
 
-- flutter_appauth: code for the plugin
-- flutter_appauth_platform_interface: the code for common platform interface
+- [flutter_appauth](https://github.com/MaikuB/flutter_appauth/tree/master/flutter_appauth): code for the plugin
+- [flutter_appauth_platform_interface](https://github.com/MaikuB/flutter_appauth/tree/master/flutter_appauth_platform_interface): the code for common platform interface
diff --git a/flutter_appauth/CHANGELOG.md b/flutter_appauth/CHANGELOG.md
@@ -1,3 +1,11 @@
+## 2.0.0
+
+* **Breaking change** `AuthorizationServiceConfiguration` constructor has changed to take named parameters
+* Added `endSession()` method, `EndSessionRequest` and `EndSessionResponse` classes to support end session requests
+* [Android] skips https issuer check if `allowInsecureConnections` is true. Thanks to the PR from [Roman Fürst](https://github.com/rfuerst87)
+* Bumped AppAuth Android and iOS SDK dependencies
+* Added FAQs section to readme to describe a common iOS issue with Azure B2C and Azure AD
+
 ## 1.1.1
 
 * [Android] Migrate maven repository from jcenter to mavenCentral.

diff --git a/flutter_appauth/README.md b/flutter_appauth/README.md
@@ -54,15 +54,15 @@ final AuthorizationTokenResponse result = await appAuth.authorizeAndExchangeCode
                   );
 ```
 
-If you already know the authorization and token endpoints, which may be because discovery isn't supported, then these could be explicitly specified
+In the event that discovery isn't supported or that you already know the endpoints for your server, they could be explicitly specified in the event that the dis
 
 ```dart
 final AuthorizationTokenResponse result = await appAuth.authorizeAndExchangeCode(
                     AuthorizationTokenRequest(
                       '<client_id>',
                       '<redirect_url>',
-                      serviceConfiguration: AuthorizationServiceConfiguration('<authorization_endpoint>', '<token_endpoint>'),
-                      scopes: ['openid','profile', 'email', 'offline_access', 'api']
+                      serviceConfiguration: AuthorizationServiceConfiguration(authorizationEndpoint: '<authorization_endpoint>',  tokenEndpooint: '<token_endpoint>', endSessionEndpoint: '<end_session_endpoint>'),
+                      scopes: [...]
                     ),
                   );
 ```
@@ -90,6 +90,19 @@ final TokenResponse result = await appAuth.token(TokenRequest('<client_id>', '<r
         scopes: ['openid','profile', 'email', 'offline_access', 'api']));
 ```
 
+### End session
+
+If your server has an [end session endpoint](https://openid.net/specs/openid-connect-rpinitiated-1_0.html), you can trigger an end session request that is typically used for logging out of the built-in browser with code similar to what's shown below
+
+```dart
+await appAuth.endSession(EndSessionRequest(
+          idTokenHint: '<idToken>',
+          postLogoutRedirectUrl: '<postLogoutRedirectUrl>',
+          serviceConfiguration: AuthorizationServiceConfiguration(authorizationEndpoint: '<authorization_endpoint>',  tokenEndpooint: '<token_endpoint>', endSessionEndpoint: '<end_session_endpoint>'));
+```
+
+The above code passes an `AuthorizationServiceConfiguration` with all the endpoints defined but alternatives are to specify an `issuer` or `discoveryUrl` like you would with the other APIs in the plugin (e.g. `authorizeAndExchangeCode()`).
+
 ## Android setup
 
 Go to the `build.gradle` file for your Android app to specify the custom scheme so that there should be a section in it that look similar to the following but replace `<your_custom_scheme>` with the desired value
@@ -145,3 +158,9 @@ Go to the `Info.plist` for your iOS app to specify the custom scheme so that the
     </dict>
 </array>
 ```
+
+## FAQs
+
+**When connecting to Azure B2C or Azure AD, the login request redirects properly on Android but not on iOS. What's going on?**
+
+The AppAuth iOS SDK has some logic to validate the redirect URL to see if it should be responsible for processing the redirect. This appears to be failing under certain circumstances. Adding a trailing slash to the redirect URL specified in your code has been reported to fix the issue.
diff --git a/...auth/android/src/main/java/io/crossingthestreams/flutterappauth/FlutterAppauthPlugin.java b/...auth/android/src/main/java/io/crossingthestreams/flutterappauth/FlutterAppauthPlugin.java
diff --git a/flutter_appauth/example/lib/main.dart b/flutter_appauth/example/lib/main.dart
@@ -1,7 +1,7 @@
 import 'dart:io' show Platform;
 import 'package:flutter/material.dart';
-import 'package:http/http.dart' as http;
 import 'package:flutter_appauth/flutter_appauth.dart';
+import 'package:http/http.dart' as http;
 
 void main() => runApp(MyApp());
 
@@ -17,6 +17,8 @@ class _MyAppState extends State<MyApp> {
   String? _authorizationCode;
   String? _refreshToken;
   String? _accessToken;
+  String? _idToken;
+
   final TextEditingController _authorizationCodeTextController =
       TextEditingController();
   final TextEditingController _accessTokenTextController =
@@ -27,14 +29,15 @@ class _MyAppState extends State<MyApp> {
   final TextEditingController _idTokenTextController = TextEditingController();
   final TextEditingController _refreshTokenTextController =
       TextEditingController();
-  String _userInfo = '';
+  String? _userInfo;
 
   // For a list of client IDs, go to https://demo.identityserver.io
   final String _clientId = 'interactive.public';
   final String _redirectUrl = 'io.identityserver.demo:/oauthredirect';
   final String _issuer = 'https://demo.identityserver.io';
   final String _discoveryUrl =
       'https://demo.identityserver.io/.well-known/openid-configuration';
+  final String _postLogoutRedirectUrl = 'io.identityserver.demo:/';
   final List<String> _scopes = <String>[
     'openid',
     'profile',
@@ -45,13 +48,10 @@ class _MyAppState extends State<MyApp> {
 
   final AuthorizationServiceConfiguration _serviceConfiguration =
       const AuthorizationServiceConfiguration(
-          'https://demo.identityserver.io/connect/authorize',
-          'https://demo.identityserver.io/connect/token');
-
-  @override
-  void initState() {
-    super.initState();
-  }
+    authorizationEndpoint: 'https://demo.identityserver.io/connect/authorize',
+    tokenEndpoint: 'https://demo.identityserver.io/connect/token',
+    endSessionEndpoint: 'https://demo.identityserver.io/connect/endsession',
+  );
 
   @override
   Widget build(BuildContext context) {
@@ -95,6 +95,14 @@ class _MyAppState extends State<MyApp> {
                 child: const Text('Refresh token'),
                 onPressed: _refreshToken != null ? _refresh : null,
               ),
+              ElevatedButton(
+                child: const Text('End session'),
+                onPressed: _idToken != null
+                    ? () async {
+                        await _endSession();
+                      }
+                    : null,
+              ),
               const Text('authorization code'),
               TextField(
                 controller: _authorizationCodeTextController,
@@ -116,22 +124,48 @@ class _MyAppState extends State<MyApp> {
                 controller: _refreshTokenTextController,
               ),
               const Text('test api results'),
-              Text(_userInfo),
+              Text(_userInfo ?? ''),
             ],
           ),
         ),
       ),
     );
   }
 
+  Future<void> _endSession() async {
+    try {
+      _setBusyState();
+      await _appAuth.endSession(EndSessionRequest(
+          idTokenHint: _idToken,
+          postLogoutRedirectUrl: _postLogoutRedirectUrl,
+          serviceConfiguration: _serviceConfiguration));
+      _clearSessionInfo();
+    } catch (_) {}
+    _clearBusyState();
+  }
+
+  void _clearSessionInfo() {
+    setState(() {
+      _codeVerifier = null;
+      _authorizationCode = null;
+      _authorizationCodeTextController.clear();
+      _accessToken = null;
+      _accessTokenTextController.clear();
+      _idToken = null;
+      _idTokenTextController.clear();
+      _refreshToken = null;
+      _refreshTokenTextController.clear();
+      _accessTokenExpirationTextController.clear();
+      _userInfo = null;
+    });
+  }
+
   Future<void> _refresh() async {
     try {
       _setBusyState();
       final TokenResponse? result = await _appAuth.token(TokenRequest(
           _clientId, _redirectUrl,
-          refreshToken: _refreshToken,
-          discoveryUrl: _discoveryUrl,
-          scopes: _scopes));
+          refreshToken: _refreshToken, issuer: _issuer, scopes: _scopes));
       _processTokenResponse(result);
       await _testApi(result);
     } catch (_) {
@@ -230,7 +264,7 @@ class _MyAppState extends State<MyApp> {
   void _processAuthTokenResponse(AuthorizationTokenResponse response) {
     setState(() {
       _accessToken = _accessTokenTextController.text = response.accessToken!;
-      _idTokenTextController.text = response.idToken!;
+      _idToken = _idTokenTextController.text = response.idToken!;
       _refreshToken = _refreshTokenTextController.text = response.refreshToken!;
       _accessTokenExpirationTextController.text =
           response.accessTokenExpirationDateTime!.toIso8601String();
@@ -250,7 +284,7 @@ class _MyAppState extends State<MyApp> {
   void _processTokenResponse(TokenResponse? response) {
     setState(() {
       _accessToken = _accessTokenTextController.text = response!.accessToken!;
-      _idTokenTextController.text = response.idToken!;
+      _idToken = _idTokenTextController.text = response.idToken!;
       _refreshToken = _refreshTokenTextController.text = response.refreshToken!;
       _accessTokenExpirationTextController.text =
           response.accessTokenExpirationDateTime!.toIso8601String();