Reputation: 12564
I'd like to consume a REST service secured with OpenID from a Flutter client targeting Android, iOS and web.
I found the flutter_appauth package, but it seems not to be compatible with web apps.
Is there any Flutter OpenID package working on all platforms? I'd be happy with a full web solution (something using the system browser and deep links).
Upvotes: 1
Views: 630
Reputation: 12564
Because of the latest recommendations from the Spring Security team (and of many other security experts), I quit using public OAuth2 clients in favor of the OAuth2 BFF pattern (I don't try to run OAuth2 flows from Flutter apps).
I described the configuration of such an OAuth2 BFF using Spring Cloud Gateway in this Baeldung article.
In this configuration, the requests between Flutter and the backend are authorized with session cookies (and CSRF tokens). The tokens are used only between the BFF and resource servers.
For the Web, there is no difference from what I exposed in the article for Angular, React, and Vue. But for Android and iOS, we have to juggle with user agents: use Dio or whatever inside the app, and the platform browser during user authentication on the authorization server.
This implies using deep links and special care to cookies when working outside of a browser.
So, for mobiles, the solution I came to involves:
- dio with request interceptors to handle the session cookie and CSRF token
- url_launcher to open the browser when following the redirection from the BFF to the authorization server
- go_router and deep links to intercept the redirection back from the authorization server and forward the URI containing the authorization code to the BFF using Dio (follow this URI, adding the session cookie)
I put more considerations for authorizing requests from a mobile application to a session-based backend in this other answer.
Upvotes: 0
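As an added example (not part of the answer above, nor code from the linked article or from the dio, url_launcher or go_router projects), here is a Dart sketch of the mobile side of the flow the answer describes: a Dio interceptor that keeps the BFF session cookie and echoes the CSRF token, a login start that hands the BFF's redirect to the system browser, and a go_router deep-link route that forwards the authorization-server callback to the BFF. It assumes the dio 5 API (`DioException`), go_router 10 or later (`state.uri`), Spring Security's default cookie and header names (`JSESSIONID`/`SESSION`, `XSRF-TOKEN`, `X-XSRF-TOKEN`), a BFF at `https://bff.example.com` and a deep link of the form `myapp://callback/login/oauth2/code/<registrationId>`; all of these are assumptions, not values from the original post.

```dart
// Added example, not code from the original answer. Assumed packages: dio ^5,
// url_launcher, go_router >= 10. Cookie/header names are Spring Security defaults.
import 'package:dio/dio.dart';
import 'package:flutter/widgets.dart';
import 'package:go_router/go_router.dart';
import 'package:url_launcher/url_launcher.dart';

const bffBaseUrl = 'https://bff.example.com'; // assumption
const csrfCookieName = 'XSRF-TOKEN';           // Spring CookieCsrfTokenRepository default
const csrfHeaderName = 'X-XSRF-TOKEN';         // header Spring expects for that cookie
// Assumed deep link the authorization server redirects to (must be the BFF's
// registered redirect URI): myapp://callback/login/oauth2/code/<registrationId>

/// The app, not a browser, owns the BFF session: store every cookie the BFF
/// sets and replay them on each request to the BFF. Mutating requests also get
/// the double-submit CSRF header built from the XSRF-TOKEN cookie.
class SessionInterceptor extends Interceptor {
  final Map<String, String> _cookies = {};

  @override
  void onRequest(RequestOptions options, RequestInterceptorHandler handler) {
    if (options.uri.toString().startsWith(bffBaseUrl)) {
      if (_cookies.isNotEmpty) {
        options.headers['Cookie'] =
            _cookies.entries.map((e) => '${e.key}=${e.value}').join('; ');
      }
      final csrf = _cookies[csrfCookieName];
      const safeMethods = {'GET', 'HEAD', 'OPTIONS'};
      if (csrf != null && !safeMethods.contains(options.method.toUpperCase())) {
        options.headers[csrfHeaderName] = Uri.decodeComponent(csrf);
      }
    }
    handler.next(options);
  }

  @override
  void onResponse(Response response, ResponseInterceptorHandler handler) {
    _storeCookies(response);
    handler.next(response);
  }

  @override
  void onError(DioException err, ErrorInterceptorHandler handler) {
    if (err.response != null) _storeCookies(err.response!);
    handler.next(err);
  }

  // Keeps only "name=value"; attributes such as Path or HttpOnly are dropped.
  void _storeCookies(Response response) {
    for (final raw in response.headers['set-cookie'] ?? const <String>[]) {
      final nameValue = raw.split(';').first;
      final eq = nameValue.indexOf('=');
      if (eq > 0) {
        _cookies[nameValue.substring(0, eq).trim()] = nameValue.substring(eq + 1).trim();
      }
    }
  }
}

final dio = Dio(BaseOptions(
  baseUrl: bffBaseUrl,
  // Dio must not follow the redirect to the authorization server itself:
  // that navigation belongs to the system browser (platform user agent).
  followRedirects: false,
  validateStatus: (status) => status != null && status < 400,
))..interceptors.add(SessionInterceptor());

/// Step 1: ask the BFF to start the login. The BFF creates the session
/// (Set-Cookie) and answers 302 with the authorization server URL, which is
/// opened in the external browser rather than inside the app.
Future<void> startLogin(String registrationId) async {
  final res = await dio.get('/oauth2/authorization/$registrationId');
  final location = res.headers.value('location');
  if (res.statusCode != 302 || location == null) {
    throw StateError('Expected a redirect from the BFF, got ${res.statusCode}');
  }
  await launchUrl(Uri.parse(location), mode: LaunchMode.externalApplication);
}

/// Step 2: the OS routes the deep link back to the app. Forward the same path
/// and query (authorization code and state) to the BFF; the interceptor adds
/// the session cookie the browser never had, so the BFF can finish the flow.
Future<void> completeLogin(Uri deepLink) async {
  final res = await dio.get(deepLink.path, queryParameters: deepLink.queryParameters);
  // The BFF answers with a 302 to its post-login URI; the app ignores that and
  // from now on calls its APIs through the BFF with the authenticated session.
  if (res.statusCode != 302) throw StateError('Login not completed: ${res.statusCode}');
}

/// Route matching the deep link path; the redirect callback finishes the login
/// on the BFF before sending the user to the app's home screen.
final router = GoRouter(routes: [
  GoRoute(path: '/', builder: (_, __) => const Placeholder()),
  GoRoute(path: '/home', builder: (_, __) => const Placeholder()),
  GoRoute(
    path: '/login/oauth2/code/:registrationId',
    redirect: (context, state) async {
      await completeLogin(state.uri);
      return '/home';
    },
  ),
]);
```

The point to check in such a client is that the in-app HTTP client never follows the BFF's redirect to the authorization server and that the callback is forwarded only with the BFF's own cookies; the interceptor scopes the Cookie and CSRF headers to requests whose URI starts with the BFF base URL so they are not leaked to other hosts.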