MaikuB / flutter_appauth

A Flutter wrapper for AppAuth iOS and Android SDKs

AppAuth PKCE flow example needed #409

Closed davideravasi closed 1 year ago

davideravasi commented 1 year ago

Hello, my team and I are following the example shown here in order to implement a PKCE flow authentication: https://pub.dev/packages/flutter_appauth/example

Now, so far we tried the combination of

This does work but since in the _exchangeCode method we pass only:

And we don't include the Code Challenge (which should be a SHA256 based on the code verifier) I assume the combination of the 2 methods above is not really implementing the PKCE flow.

Is there a tutorial to follow to use the library to implement the desired flow? I "assume" we can use the parameter "additionalParameters" to pass the code challenge, but if there is a resource somewhere it would be better than trying all possible combinations.

Thank you in advance!

adrianvintu commented 1 year ago

@davideravasi I think this authorizeAndExchangeCode is the PKCE flow, but I could not find the implementation

MaikuB commented 1 year ago

There's no tutorial for this, so you would need to find one online yourself, should one even exist. As this library is a wrapper for the iOS and Android SDKs, you can see if there are examples for those, not just Flutter-specific ones. In saying that, my understanding was that by default it should be implementing PKCE, with the underlying SDKs generating the appropriate/default values as necessary. This means you only need to specify those values if you wanted to handle this yourself. You may need to check the docs for those SDKs to confirm.

adrianvintu commented 1 year ago

@MaikuB I don't understand. The documentation says:

> A Flutter bridge for AppAuth (https://appauth.io/) used for authenticating and authorizing users. Note that AppAuth also supports the PKCE extension that is required by some providers, so this plugin should work with them.

and now you say we need to check the SDKs to see if this (PKCE support) is true?

MaikuB commented 1 year ago

@adrianvintu no, I was talking about checking the SDKs to confirm that it is implemented by default, meaning without having to specify values for the parameters mentioned in @davideravasi's original post.

adrianvintu commented 1 year ago

@MaikuB is that something you can do? I have no idea how this works, even after spending some time on the sources.

And then maybe update the documentation.

MaikuB commented 1 year ago

No, I can't. I work on this in my spare time to begin with and have other priorities. As it is provided freely and open source, it's important that the community contributes back to make maintenance sustainable, especially when it's quite likely those using plugins are doing so for commercial reasons.

adrianvintu commented 1 year ago

Can you then please remove from the documentation that it's using PKCE? It's misleading.

MaikuB commented 1 year ago

What the docs say about supporting PKCE is based on the fact that both the Android and iOS SDKs state this in their own docs. Given that this plugin is a wrapper, it makes sense that the documentation is similar. With that in mind, I've no plans to remove this, as doing so would be even more misleading.

MaikuB commented 1 year ago

Going back to answer your question though @davideravasi, the plugin will generate the code challenge from the code verifier. See https://github.com/MaikuB/flutter_appauth/search?q=challenge&type=

davideravasi commented 1 year ago

> Going back to answer your question though @davideravasi, the plugin will generate the code challenge from the code verifier. See https://github.com/MaikuB/flutter_appauth/search?q=challenge&type=

Thank you for the clarification. Now, if you are able to identify this, can you tell me, in the example linked here: https://pub.dev/packages/flutter_appauth/example, at which point we are generating the code challenge under the hood?

If I have to guess, I would say when we do _exchangeCode, alias `await _appAuth.token(TokenRequest())`

Correct?

MaikuB commented 1 year ago

No, as the method you're referring to is around hitting the server's token endpoint. If you take a look at the spec again for PKCE (https://www.rfc-editor.org/rfc/rfc7636), the code challenge is only sent when the client sends an authorisation request. Meaning for this plugin it's only applicable when calling https://pub.dev/documentation/flutter_appauth/latest/flutter_appauth/FlutterAppAuth/authorize.html or https://pub.dev/documentation/flutter_appauth/latest/flutter_appauth/FlutterAppAuth/authorizeAndExchangeCode.html

davideravasi commented 1 year ago

Thank you, very helpful. So, in _signInWithNoCodeExchange in the example above, what the library does under the hood is create the code challenge. Then why in the response of authorize do we have only the code verifier, nonce and authorization code? No trace of the code challenge apparently... Shouldn't it (the code challenge) be sent in the token request after authorize is called?

MaikuB commented 1 year ago

Please ensure you read the spec, as it looks like you have a misunderstanding of how PKCE works, and I mentioned earlier that per the spec, the code challenge is only sent when the client sends an authorisation request.

davideravasi commented 1 year ago

Thanks! I already had a look and I got your point, I will read properly through it. I think we can close the issue, just a hint: maybe in the example above we can mention with a comment something like `// here under the hood a code challenge is created and sent during the authorization`

Just to know: is this something that I, as an app which consumes your library, have to do nothing about, with the logic done behind the scenes?

MaikuB commented 1 year ago

Will close the issue then. Noted your feedback, would you be open to submitting a PR?

davideravasi commented 1 year ago

I created the PR, tell me if it's ok :)