Closed davideravasi closed 1 year ago
@davideravasi I think this authorizeAndExchangeCode
is the PKCE flow, but I could not find the implementation
There's no tutorial for this so you would need to find one online yourself should one even exist. As this library is a wrapper for the iOS and Android SDK, you can see if there are examples for those not just Flutter-specific ones. In saying that, my understanding was by default it should be implementing PKCE with the underlying SDKs generating the appropriate/default values as necessary. This means you only need to specify those values if you wanted to handle this yourself. You may need to check the docs for those SDKs to confirm
@MaikuB I don't understand. The documentation says:
A Flutter bridge for AppAuth (https://appauth.io/) used for authenticating and authorizing users. Note that AppAuth also supports the PKCE extension that is required by some providers so this plugin should work with them.
and now you say we need to check the SDKs to see if this (PKCE support) is true?
@adrianvintu no I was talking about checking the SDKs to confirm that it is implemented by default, meaning without having to specify values for the parameters mentioned in @davideravasi's original post
@MaikuB is that something you can do? I have no idea how this works, even after spending some time on the sources
And then maybe update the documentation
No I can't. I work on this in my spare time to begin with and have other priorities. As it is provided freely and open source, it's important that the community contributes back to make maintenance sustainable, especially when it's quite likely those using plugins are doing so for commercial reasons
Can you then please remove from the documentation that it's using PKCE? It's misleading
What is there in the docs to say it supports PKCE is based on the fact that both the Android and iOS SDKs state this in their own docs. Given that this plugin is a wrapper, it makes sense that the documentation is similar. With that in mind, I've no plans to remove this as doing so is even more misleading
Going back to answer your question though @davideravasi, the plugin will generate the code challenge from the code verifier. See https://github.com/MaikuB/flutter_appauth/search?q=challenge&type=
Thank you for the clarification. Now, if you are able to identify this, can you tell me, in the example linked here: https://pub.dev/packages/flutter_appauth/example at which point we are generating the code challenge under the hood?
If I had to guess, I would say when we do _exchangeCode, alias > await _appAuth.token(TokenRequest())
Correct?
No, as the method code you're referring to is around hitting the server's token endpoint. If you take a look at the spec again for PKCE (https://www.rfc-editor.org/rfc/rfc7636), the code challenge is only sent when the client sends an authorisation request. Meaning for this plugin it's only applicable when calling https://pub.dev/documentation/flutter_appauth/latest/flutter_appauth/FlutterAppAuth/authorize.html or https://pub.dev/documentation/flutter_appauth/latest/flutter_appauth/FlutterAppAuth/authorizeAndExchangeCode.html
Thank you, very helpful. So, in _signInWithNoCodeExchange in the example above, what the library does under the hood is create the code challenge. Then why in the response of authorize do we have only the code verifier, nonce and authorization code? No trace of the code challenge apparently... Shouldn't it (the code challenge) be sent in the token request after authorize is called?
Please ensure you read the spec as it looks like you have a misunderstanding of how PKCE works, and I mentioned earlier that per the spec, the code challenge is only sent when the client sends an authorisation request
Thanks! I already had a look and I got your point, I will read properly through it. I think we can close the issue, just a hint, maybe in the example above we can mention with a comment something like //here under the hood a code challenge is created and sent during the authorization
Just to know: is it something where I, as the app which consumes your library, have to do nothing and the logic is done behind the scenes?
Will close issue then. Noted your feedback, would you be open to submitting a PR?
I created the PR tell me if it's ok :)
Hello, my team and I are following the example shown here in order to implement a PKCE flow authentication > https://pub.dev/packages/flutter_appauth/example
Now, so far we tried the combination of
This does work but since in the _exchangeCode method we pass only:
And we don't include the Code Challenge (which should be a SHA256 based on the code verifier) I assume the combination of the 2 methods above is not really implementing the PKCE flow.
Is there a tutorial to follow to use the library to implement the desired flow? I "assume" we can use the parameter "additionalParameters" to pass the code challenge but if there is a resource somewhere it would be better than trying all possible combinations.
Thank you in advance!
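The two points the thread turns on (the original post's question about where the SHA-256 code challenge goes, and the maintainer's answer that per RFC 7636 the challenge is sent only in the authorization request while the verifier is sent in the token request) are easier to see in code. The following is an added example written for this discussion, not code from flutter_appauth or from the AppAuth SDKs; it models both the client's two requests and the authorization server's check in plain Python. The client id, redirect URI and authorization code are constructed placeholders, and the RFC 7636 Appendix B test vector is used to show the S256 derivation.

```python
# Added example (not flutter_appauth's code): the PKCE mechanics of RFC 7636 as
# the client and the authorization server each see them.
import base64
import hashlib
import hmac
import secrets
import string

# RFC 7636 section 4.1: code_verifier is 43..128 characters drawn from the
# unreserved set [A-Za-z0-9-._~].
_VERIFIER_CHARS = string.ascii_letters + string.digits + "-._~"


def make_code_verifier(length: int = 64) -> str:
    """Generate a high-entropy code_verifier; the client keeps it secret."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43-128 characters")
    return "".join(secrets.choice(_VERIFIER_CHARS) for _ in range(length))


def code_challenge_s256(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorization_request_params(client_id, redirect_uri, verifier, scope="openid"):
    """Parameters for the AUTHORIZATION request (the leg that authorize /
    authorizeAndExchangeCode perform). The challenge travels here; the
    verifier never does."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }


def token_request_params(client_id, redirect_uri, code, verifier):
    """Parameters for the TOKEN request (the code-exchange leg): the plain
    verifier goes here, the challenge does not."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,
    }


def server_verifies(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization server check (RFC 7636 section 4.6): recompute the
    challenge from the presented verifier and compare it with the challenge
    stored alongside the issued code. Constant-time compare avoids a timing
    side channel on the comparison."""
    recomputed = code_challenge_s256(presented_verifier)
    return hmac.compare_digest(recomputed, stored_challenge)


def demo_exchange() -> bool:
    """Walk both legs with constructed values; return whether the server
    accepts the exchange."""
    client_id = "example-client"                       # constructed
    redirect_uri = "com.example.app:/oauthredirect"    # constructed
    verifier = make_code_verifier()
    auth = authorization_request_params(client_id, redirect_uri, verifier)
    # The server stores the challenge with the code it issues (constructed code).
    stored_challenge = auth["code_challenge"]
    issued_code = "constructed-auth-code"
    tok = token_request_params(client_id, redirect_uri, issued_code, verifier)
    return server_verifies(stored_challenge, tok["code_verifier"])


if __name__ == "__main__":
    # RFC 7636 Appendix B test vector.
    print(code_challenge_s256("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"))
    print("exchange accepted:", demo_exchange())
```

The defender-side takeaway is the server check in `server_verifies`: a stolen authorization code is useless to an interceptor that does not also hold the verifier, and the verifier never appears in the front-channel redirect where the code can leak. A client that only ever sees `codeVerifier` come back from `authorize` and never handles the challenge itself is therefore consistent with PKCE, not evidence that it is missing.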