angel_oauth2 2.1.0


oauth2 #


A class containing handlers that can be used within Angel to build a spec-compliant OAuth 2.0 server, including PKCE support.

Installation #

In your pubspec.yaml (PKCE and device_code grant support need 2.1.0 or later):

dependencies:
  angel_framework: ^2.0.0-alpha
  angel_oauth2: ^2.1.0

Usage #

Your server needs to have definitions of at least two types:

  • One model that represents a third-party application (client) trying to access a user's profile.
  • One that represents a user logged into the application.

Define a server class as such:

import 'package:angel_oauth2/angel_oauth2.dart' as oauth2;

class MyServer extends oauth2.AuthorizationServer<Client, User> {}

Then, implement findClient and verifyClient, so that the server can not only identify a client application by its client_id, but also verify its identity by its client_secret:

import 'dart:async';
import 'package:angel_oauth2/angel_oauth2.dart';

// `PseudoApplication` and `pseudoApplication` stand in for your own client
// model and client store (a single hard-coded client here).
class _Server extends AuthorizationServer<PseudoApplication, Map> {
  @override
  FutureOr<PseudoApplication> findClient(String clientId) {
    // Return null for an unknown client_id.
    return clientId == pseudoApplication.id ? pseudoApplication : null;
  }

  @override
  Future<bool> verifyClient(
      PseudoApplication client, String clientSecret) async {
    // Demo only: in production, store a hash of the secret and compare it in
    // constant time, so that verification leaks nothing through timing.
    return client.secret == clientSecret;
  }
}

Next, write the logic that runs whenever a user visits the authorization endpoint. By the time this hook is called, the endpoint has already resolved the client from client_id and parsed redirect_uri, scope and state. In many cases, you will want to show a consent dialog:

@override
Future requestAuthorizationCode(
  PseudoApplication client,
  String redirectUri,
  Iterable<String> scopes,
  String state,
  RequestContext req,
  ResponseContext res) async {
  // Check redirectUri against the client's registered URIs before anything
  // else, then ask the user to approve the requested scopes.
  await res.render('dialog');
}

Now, write the logic that exchanges an authorization code for an access token and, optionally, a refresh token. The hook is exchangeAuthorizationCodeForToken and it returns an AuthorizationTokenResponse (the token values below are placeholders):

@override
Future<AuthorizationTokenResponse> exchangeAuthorizationCodeForToken(
  String authCode,
  String redirectUri,
  RequestContext req,
  ResponseContext res) async {
    // Look up authCode, check that it is unexpired and unused and that
    // redirectUri matches the authorization request, then issue the tokens.
    return new AuthorizationTokenResponse('foo', refreshToken: 'bar');
}

Now, register routes that point at the server's two endpoints:

void pseudoCode() {
  app.group('/oauth2', (router) {
    router
      ..get('/authorize', server.authorizationEndpoint)
      ..post('/token', server.tokenEndpoint);
  });
}

authorizationEndpoint and tokenEndpoint parse and validate the request, call your hooks, and handle all OAuth2 grant types. Serve them over HTTPS only: codes, client secrets and tokens travel in these requests.

Other Grants #

By default, every grant method throws a 405 Method Not Allowed error. To support a specific grant type, all you need to do is override the corresponding method. Besides the authorization code grant covered above, the following are available:

  • implicitGrant
  • resourceOwnerPasswordCredentialsGrant
  • clientCredentialsGrant
  • deviceCodeGrant

Read the OAuth2 specification (RFC 6749; RFC 8628 for the device code grant) for in-depth information on each grant type.

PKCE #

In some cases, you will be using OAuth2 on a mobile device, or on some other public client, where a client secret cannot be kept confidential.

In such a case, use PKCE (RFC 7636), which lets the client prove at the token endpoint that it is the same party that started the authorization request.

Both the authorizationEndpoint and tokenEndpoint inject a Pkce factory into the request, so it can be used as follows:

@override
Future requestAuthorizationCode(
    PseudoApplication client,
    String redirectUri,
    Iterable<String> scopes,
    String state,
    RequestContext req,
    ResponseContext res) async {
  // The injected factory reads `code_challenge` and `code_challenge_method`
  // from the request, and automatically throws an error if the request
  // doesn't contain the necessary information.
  var pkce = req.container.make<Pkce>();

  // At this point, store `pkce.codeChallenge` and `pkce.codeChallengeMethod`
  // together with the authorization code you issue, so that when it's time
  // to exchange the auth code for a token, we can create a new [Pkce] object
  // and verify the client. (`getAuthCodeSomehow` is a placeholder for your
  // own code-issuing logic.)
  return await getAuthCodeSomehow(client, pkce.codeChallenge, pkce.codeChallengeMethod);
}

@override
Future<AuthorizationTokenResponse> exchangeAuthorizationCodeForToken(
    String authCode,
    String redirectUri,
    RequestContext req,
    ResponseContext res) async {
  // When exchanging the authorization code for a token, we'll need
  // a `code_verifier` from the client, so that we can ensure
  // that the correct client is trying to use the auth code.
  //
  // If none is present, an OAuth2 exception is thrown.
  var codeVerifier = await getPkceCodeVerifier(req);

  // Next, retrieve the code challenge and method that were stored for
  // *this* authCode earlier. (`getTheChallenge` and `getTheChallengeMethod`
  // are placeholders for your own storage.)
  var codeChallenge = await getTheChallenge();
  var codeChallengeMethod = await getTheChallengeMethod();

  // Make a new [Pkce] object.
  var pkce = new Pkce(codeChallengeMethod, codeChallenge);

  // Call `validate`. If the verifier does not match the stored challenge,
  // it throws an OAuth2 exception.
  pkce.validate(codeVerifier);

  // If we reach here, we know that the `code_verifier` was valid,
  // so we can return our authorization token as per usual.
  return new AuthorizationTokenResponse('...');
}
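The following is an added, complete example, not code from package:angel_oauth2 or its author, that ties together the hooks from the Usage section above and the PKCE flow just shown in one server that keeps its clients and issued codes in memory. The names ThirdPartyApp, IssuedCode, InMemoryAuthorizationServer and constantTimeEquals are its own. It assumes that on the authorization_code grant the token endpoint calls exchangeAuthorizationCodeForToken without having authenticated the client itself (which is what lets public PKCE clients work), so the hook authenticates confidential clients from the HTTP Basic header; if your version of the endpoint already does that, the extra check is redundant but harmless. It skips the consent dialog, which a real server must render before issuing a code, and it reports failures with AngelHttpException rather than the OAuth2 error JSON a spec-compliant server would return. res.redirect, req.queryParameters and AngelHttpException.badRequest are Angel framework APIs.

```dart
import 'dart:async';
import 'dart:convert';
import 'dart:math';
import 'package:angel_framework/angel_framework.dart';
import 'package:angel_oauth2/angel_oauth2.dart';
import 'package:crypto/crypto.dart';

/// Registered client: only a hash of its secret is kept; redirect URIs are fixed.
class ThirdPartyApp {
  final String id;
  final List<int> secretHash;
  final List<String> redirectUris;
  ThirdPartyApp(this.id, String secret, this.redirectUris)
      : secretHash = sha256.convert(utf8.encode(secret)).bytes;
}

/// Everything an issued code is bound to. Codes are single-use and expire.
class IssuedCode {
  final String clientId, redirectUri;
  final List<String> scopes;
  final DateTime expiresAt;
  final Pkce pkce; // null when the client sent no code_challenge
  IssuedCode(this.clientId, this.redirectUri, this.scopes, this.expiresAt, this.pkce);
}

/// Constant-time comparison, so verifyClient leaks nothing through timing.
bool constantTimeEquals(List<int> a, List<int> b) {
  var diff = a.length ^ b.length;
  for (var i = 0; i < a.length && i < b.length; i++) diff |= a[i] ^ b[i];
  return diff == 0;
}

class InMemoryAuthorizationServer extends AuthorizationServer<ThirdPartyApp, Map> {
  final Map<String, ThirdPartyApp> clients;
  final Map<String, IssuedCode> _codes = {}; // demo store; persist for real
  final Random _rng = new Random.secure();
  InMemoryAuthorizationServer(this.clients);

  String _randomToken() => // 256 bits from a CSPRNG, URL-safe and unpadded
      base64Url.encode(new List<int>.generate(32, (_) => _rng.nextInt(256))).replaceAll('=', '');

  @override
  FutureOr<ThirdPartyApp> findClient(String clientId) => clients[clientId];

  @override
  FutureOr<bool> verifyClient(ThirdPartyApp client, String clientSecret) =>
      clientSecret != null &&
      constantTimeEquals(client.secretHash, sha256.convert(utf8.encode(clientSecret)).bytes);

  /// Verified client from `Authorization: Basic base64(id:secret)`, or null.
  Future<ThirdPartyApp> _authenticateBasic(RequestContext req) async {
    var header = req.headers.value('authorization') ?? '';
    if (!header.startsWith('Basic ')) return null;
    List<String> creds; // malformed base64 is "unauthenticated", not a 500
    try { creds = utf8.decode(base64.decode(header.substring(6).trim())).split(':'); } on FormatException { return null; }
    var client = await findClient(creds.first);
    return client != null && await verifyClient(client, creds.skip(1).join(':')) ? client : null;
  }

  @override
  Future requestAuthorizationCode(ThirdPartyApp client, String redirectUri,
      Iterable<String> scopes, String state, RequestContext req, ResponseContext res) async {
    // Only redirect to a registered URI: an open redirect here leaks the code.
    if (!client.redirectUris.contains(redirectUri)) {
      throw new AngelHttpException.badRequest(message: 'Unregistered redirect_uri.');
    }
    // PKCE is optional for confidential clients; the injected factory throws if
    // code_challenge is present but the PKCE parameters are unusable.
    var pkce = req.queryParameters.containsKey('code_challenge') ? req.container.make<Pkce>() : null;
    // Simplification: assumes the resource owner is logged in and has consented;
    // a real server renders the consent dialog here first (see README above).
    var code = _randomToken();
    _codes[code] = new IssuedCode(client.id, redirectUri, scopes.toList(),
        new DateTime.now().add(const Duration(minutes: 10)), pkce);
    var target = Uri.parse(redirectUri);
    var query = new Map<String, String>.from(target.queryParameters)..['code'] = code;
    if (state != null) query['state'] = state; // echoed back unchanged
    res.redirect(target.replace(queryParameters: query).toString());
  }

  @override
  Future<AuthorizationTokenResponse> exchangeAuthorizationCodeForToken(String authCode,
      String redirectUri, RequestContext req, ResponseContext res) async {
    // Remove first: a code is single-use even when this exchange then fails.
    var issued = _codes.remove(authCode);
    if (issued == null || issued.redirectUri != redirectUri || new DateTime.now().isAfter(issued.expiresAt)) {
      throw new AngelHttpException.badRequest(message: 'Unknown, reused, expired or mismatched code.');
    }
    if (issued.pkce != null) {
      // Public client: possession of code_verifier is the proof; both calls throw an OAuth2 exception if it is missing or wrong.
      issued.pkce.validate(await getPkceCodeVerifier(req));
    } else {
      // Confidential client: only the client the code was issued to may redeem it.
      var client = await _authenticateBasic(req);
      if (client == null || client.id != issued.clientId) throw new AngelHttpException.forbidden();
    }
    // Persist both tokens with issued.clientId/scopes for resource servers; this example only returns them.
    return new AuthorizationTokenResponse(_randomToken(), refreshToken: _randomToken());
  }
}
```

Wire it up exactly as in the routes block above: register `server.authorizationEndpoint` under GET /oauth2/authorize and `server.tokenEndpoint` under POST /oauth2/token, with `server = new InMemoryAuthorizationServer({'web-app': new ThirdPartyApp('web-app', secret, ['https://app.example/callback'])})` (a constructed registration). The choices that matter for security: secrets are stored hashed and compared in constant time; the redirect URI is checked against the registration before a code is ever placed on it; each code is removed from the store before it is checked, so it can never be replayed; and a code is redeemable only with the exact redirect_uri and client (or code_verifier) it was issued for.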

2.1.0 #

  • Updates
  • Support device_code grants.
  • Add support for PKCE.

2.0.0 #

  • Angel 2 support.

1.0.0+1 #

  • Dart2 updates + backwards compatibility assurance.

example/main.dart

// ignore_for_file: todo
import 'dart:async';
import 'package:angel_framework/angel_framework.dart';
import 'package:angel_oauth2/angel_oauth2.dart';

main() async {
  var app = new Angel();
  var oauth2 = new _ExampleAuthorizationServer();
  var _rgxBearer = new RegExp(r'^[Bb]earer ([^\n\s]+)$');

  app.group('/auth', (router) {
    router
      ..get('/authorize', oauth2.authorizationEndpoint)
      ..post('/token', oauth2.tokenEndpoint);
  });

  // Assume that all other requests must be authenticated...
  app.fallback((req, res) {
    // Take the token from capture group 1. (Replacing the match with '' would
    // strip the whole header and leave an empty string, not the token.)
    var match = _rgxBearer.firstMatch(req.headers.value('authorization') ?? '');
    var authToken = match?.group(1);

    if (authToken == null) {
      throw AngelHttpException.forbidden();
    } else {
      // TODO: The user has a token, now verify it.
      // It is up to you how to store and retrieve auth tokens within your application.
      // The purpose of `package:angel_oauth2` is to provide the transport
      // across which you distribute these tokens in the first place.
    }
  });
}

class ThirdPartyApp {}

class User {}

/// A [ThirdPartyApp] can act on behalf of a [User].
class _ExampleAuthorizationServer
    extends AuthorizationServer<ThirdPartyApp, User> {
  @override
  FutureOr<ThirdPartyApp> findClient(String clientId) {
    // TODO: Add your code to find the app associated with a client ID.
    throw new UnimplementedError();
  }

  @override
  FutureOr<bool> verifyClient(ThirdPartyApp client, String clientSecret) {
    // TODO: Add your code to verify a client secret, if given one.
    throw new UnimplementedError();
  }

  @override
  FutureOr requestAuthorizationCode(
      ThirdPartyApp client,
      String redirectUri,
      Iterable<String> scopes,
      String state,
      RequestContext req,
      ResponseContext res) {
    // TODO: In many cases, here you will render a view displaying to the user which scopes are being requested.
    throw new UnimplementedError();
  }

  @override
  FutureOr<AuthorizationTokenResponse> exchangeAuthorizationCodeForToken(
      String authCode,
      String redirectUri,
      RequestContext req,
      ResponseContext res) {
    // TODO: Here, you'll convert the auth code into a full-fledged token.
    // You might have the auth code stored in a database somewhere.
    throw new UnimplementedError();
  }
}

Use this package as a library

1. Depend on it

Add this to your package's pubspec.yaml file:


dependencies:
  angel_oauth2: ^2.1.0

2. Install it

You can install packages from the command line:

with pub:


$ pub get

with Flutter:


$ flutter packages get

Alternatively, your editor might support pub get or flutter packages get. Check the docs for your editor to learn more.

3. Import it

Now in your Dart code, you can use:


import 'package:angel_oauth2/angel_oauth2.dart';
  
Version        Uploaded
2.1.0          Dec 15, 2018
2.0.0          Nov 8, 2018
1.0.0+1        Jul 9, 2018
1.0.0          Dec 7, 2017
1.0.0-alpha+1  Oct 16, 2017
1.0.0-alpha    Oct 16, 2017
Popularity: 0 (how popular the package is relative to other packages)
Health: 98 (code health derived from static analysis)
Maintenance: 100 (how tidy and up-to-date the package is)
Overall: 49 (weighted score of the above)

We analyzed this package on Feb 14, 2019, and provided a score, details, and suggestions below. Analysis completed using:

  • Dart: 2.1.0
  • pana: 0.12.13

Platforms

Detected platforms: Flutter, other

Primary library: package:angel_oauth2/angel_oauth2.dart with components: io.

Health suggestions

Fix lib/src/server.dart. (-1.99 points)

Analysis of lib/src/server.dart reported 4 hints:

line 14 col 15: Use = to separate a named parameter from its default value.

line 14 col 41: Use = to separate a named parameter from its default value.

line 40 col 15: Use = to separate a named parameter from its default value.

line 70 col 17: Use = to separate a named parameter from its default value.

Dependencies

Package Constraint Resolved Available
Direct dependencies
Dart SDK >=2.0.0-dev <3.0.0
angel_framework ^2.0.0-alpha 2.0.0-alpha.22
angel_http_exception ^1.0.0 1.1.0
crypto ^2.0.0 2.0.6
Transitive dependencies
angel_container 1.0.0
angel_model 1.0.1
angel_route 3.0.5
charcode 1.1.2
code_buffer 1.0.1
collection 1.14.11
combinator 1.1.0
convert 2.1.1
dart2_constant 1.0.2+dart2
file 5.0.7
http2 1.0.0
http_parser 3.1.3
http_server 0.9.8+1
intl 0.15.7
matcher 0.12.4
merge_map 1.0.2
meta 1.1.7
mime 0.9.6+2
mock_request 1.0.5
path 1.6.2
quiver 2.0.1
quiver_hashcode 2.0.0
source_span 1.5.4
stack_trace 1.9.3
string_scanner 1.0.4
term_glyph 1.1.0
tuple 1.0.2
typed_data 1.1.6
Dev dependencies
angel_test ^2.0.0-alpha
angel_validate ^2.0.0-alpha
logging any 0.11.3+2
oauth2 ^1.0.0
test ^1.0.0
uuid ^1.0.0 2.0.0