feat: add oauth2 code verifier

* fix: ensure oauth state param matches before finishing oauth flow

Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>

* chore: upgrade openid-client to v6

Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>

* feat: use PKCE for oauth2 on supported clients

Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>

* feat: use state and PKCE in mobile app

Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>

* fix: remove obsolete oauth repository init

Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>

* fix: rewrite callback url if mobile redirect url is enabled

Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>

* fix: propagate oidc client error cause when oauth callback fails

Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>

* fix: adapt auth service tests to required state and PKCE params

Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>

* fix: update sdk types

Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>

* fix: adapt oauth e2e test to work with PKCE

Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>

* fix: allow insecure (http) oauth clients

Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>

---------

Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>
Co-authored-by: Jason Rasmussen <jason@rasm.me>
This commit is contained in:
Tin Pecirep 2025-04-23 16:05:00 +02:00 committed by Zack Pollard
parent 13d6bd67b1
commit b7a0cf2470
18 changed files with 469 additions and 192 deletions


@ -13,6 +13,8 @@ class OAuthService {
Future<String?> getOAuthServerUrl(
String serverUrl,
String state,
String codeChallenge,
) async {
// Resolve API server endpoint from user provided serverUrl
await _apiService.resolveAndSetEndpoint(serverUrl);
@ -22,7 +24,11 @@ class OAuthService {
);
final dto = await _apiService.oAuthApi.startOAuth(
OAuthConfigDto(redirectUri: redirectUri),
OAuthConfigDto(
redirectUri: redirectUri,
state: state,
codeChallenge: codeChallenge,
),
);
final authUrl = dto?.url;
@ -31,7 +37,11 @@ class OAuthService {
return authUrl;
}
Future<LoginResponseDto?> oAuthLogin(String oauthUrl) async {
Future<LoginResponseDto?> oAuthLogin(
String oauthUrl,
String state,
String codeVerifier,
) async {
String result = await FlutterWebAuth2.authenticate(
url: oauthUrl,
callbackUrlScheme: callbackUrlScheme,
@ -49,6 +59,8 @@ class OAuthService {
return await _apiService.oAuthApi.finishOAuth(
OAuthCallbackDto(
url: result,
state: state,
codeVerifier: codeVerifier,
),
);
}
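Review bot: The new `state` and `codeVerifier` parameters on `oAuthLogin` (and `state`/`codeChallenge` on `getOAuthServerUrl`, first hunk) are undocumented positional Strings, so a caller can transpose them without any compile error, and nothing in the signatures says that the verifier handed to `finishOAuth` has to be the one whose challenge was sent in `startOAuth`. That pairing, plus reusing the same `state` for both calls, is the whole security contract of this change, so I would state it in a doc comment on `oAuthLogin`: `/// [state] and [codeVerifier] must be the values generated for the matching [getOAuthServerUrl] call; per this change the server rejects the callback when the state does not match.` Consider making them named and required, e.g. `Future<LoginResponseDto?> oAuthLogin(String oauthUrl, {required String state, required String codeVerifier})`, which removes the transposition risk at the cost of updating the call sites outside this diff. `oAuthLogin` begins in an earlier hunk, and the enclosing `OAuthService` class extends outside the visible hunks.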