[flutter_appauth][flutter_appauth_platform_interface] added support for end session requests (MaikuB#216)

* progress on end session on iOS

* various fixes

* further updates to platform interface to handle end session requests

* bump AppAuth iOS dependency to 1.4.0

* update AuthorizationServiceConfiguration to have nullable props

* complete wiring up end session request on Android and iOS

* update plugin for prerelease

* add missing changelog entry on SDK dependencies being bumped

* update Dart SDK constraints

* update readmes and add mention to changelog

* fix null endSessionEndpoint crash on iOS

* bump platform interface

* fix merge issue

* bump plugin

* Skip https issuer check if allowInsecureConnections is true. (MaikuB#228)

* bump to 2.0.0-dev.3

* bump AppAuth Android dependency

* create external user agent per request, which also issue where cancelling an end session request once won't allow for subsequent sessions to work

* fix example app so that refreshing access token works again

* bump for release

* fix imports in example app

* fix spacing in changelog

* bump platform interface to 4.0.0 stable release

* bump plugin to 2.0.0 stable

Co-authored-by: Roman Fürst <r.fuerst@gmx.ch>

Author: MaikuB

README.md

@@ -1,5 +1,5 @@
 # flutter_appauth
 A Flutter plugin that provides a wrapper for native AppAuth SDKs (https://appauth.io) used authenticating and authorizing users. The repository consists of the following folders
 
-- flutter_appauth: code for the plugin
-- flutter_appauth_platform_interface: the code for common platform interface
+- [flutter_appauth](https://github.com/MaikuB/flutter_appauth/tree/master/flutter_appauth): code for the plugin
+- [flutter_appauth_platform_interface](https://github.com/MaikuB/flutter_appauth/tree/master/flutter_appauth_platform_interface): the code for common platform interface

flutter_appauth/CHANGELOG.md

@@ -1,3 +1,11 @@
+## 2.0.0
+
+* **Breaking change** `AuthorizationServiceConfiguration` constructor has changed to take named parameters
+* Added `endSession()` method, `EndSessionRequest` and `EndSessionResponse` classes to support end session requests
+* [Android] skips https issuer check if `allowInsecureConnections` is true. Thanks to the PR from [Roman Fürst](https://github.com/rfuerst87)
+* Bumped AppAuth Android and iOS SDK dependencies
+* Added FAQs section to readme to describe a common iOS issue with Azure B2C and Azure AD
+
 ## 1.1.1
 
 * [Android] Migrate maven repository from jcenter to mavenCentral.

flutter_appauth/README.md

@@ -54,15 +54,15 @@ final AuthorizationTokenResponse result = await appAuth.authorizeAndExchangeCode
                   );
 ```
 
-If you already know the authorization and token endpoints, which may be because discovery isn't supported, then these could be explicitly specified
+In the event that discovery isn't supported or that you already know the endpoints for your server, they could be explicitly specified in the event that the dis
 
 ```dart
 final AuthorizationTokenResponse result = await appAuth.authorizeAndExchangeCode(
                     AuthorizationTokenRequest(
                       '<client_id>',
                       '<redirect_url>',
-                      serviceConfiguration: AuthorizationServiceConfiguration('<authorization_endpoint>', '<token_endpoint>'),
-                      scopes: ['openid','profile', 'email', 'offline_access', 'api']
+                      serviceConfiguration: AuthorizationServiceConfiguration(authorizationEndpoint: '<authorization_endpoint>',  tokenEndpooint: '<token_endpoint>', endSessionEndpoint: '<end_session_endpoint>'),
+                      scopes: [...]
                     ),
                   );
 ```
@@ -90,6 +90,19 @@ final TokenResponse result = await appAuth.token(TokenRequest('<client_id>', '<r
         scopes: ['openid','profile', 'email', 'offline_access', 'api']));
 ```
 
+### End session
+
+If your server has an [end session endpoint](https://openid.net/specs/openid-connect-rpinitiated-1_0.html), you can trigger an end session request that is typically used for logging out of the built-in browser with code similar to what's shown below
+
+```dart
+await appAuth.endSession(EndSessionRequest(
+          idTokenHint: '<idToken>',
+          postLogoutRedirectUrl: '<postLogoutRedirectUrl>',
+          serviceConfiguration: AuthorizationServiceConfiguration(authorizationEndpoint: '<authorization_endpoint>',  tokenEndpooint: '<token_endpoint>', endSessionEndpoint: '<end_session_endpoint>'));
+```
+
+The above code passes an `AuthorizationServiceConfiguration` with all the endpoints defined but alternatives are to specify an `issuer` or `discoveryUrl` like you would with the other APIs in the plugin (e.g. `authorizeAndExchangeCode()`).
+
 ## Android setup
 
 Go to the `build.gradle` file for your Android app to specify the custom scheme so that there should be a section in it that look similar to the following but replace `<your_custom_scheme>` with the desired value
@@ -145,3 +158,9 @@ Go to the `Info.plist` for your iOS app to specify the custom scheme so that the
     </dict>
 </array>
 ```
+
+## FAQs
+
+**When connecting to Azure B2C or Azure AD, the login request redirects properly on Android but not on iOS. What's going on?**
+
+The AppAuth iOS SDK has some logic to validate the redirect URL to see if it should be responsible for processing the redirect. This appears to be failing under certain circumstances. Adding a trailing slash to the redirect URL specified in your code has been reported to fix the issue.

flutter_appauth/android/src/main/java/io/crossingthestreams/flutterappauth/FlutterAppauthPlugin.java

@@ -1,7 +1,7 @@
 import 'dart:io' show Platform;
 import 'package:flutter/material.dart';
-import 'package:http/http.dart' as http;
 import 'package:flutter_appauth/flutter_appauth.dart';
+import 'package:http/http.dart' as http;
 
 void main() => runApp(MyApp());
 
@@ -17,6 +17,8 @@ class _MyAppState extends State<MyApp> {
   String? _authorizationCode;
   String? _refreshToken;
   String? _accessToken;
+  String? _idToken;
+
   final TextEditingController _authorizationCodeTextController =
       TextEditingController();
   final TextEditingController _accessTokenTextController =
@@ -27,14 +29,15 @@ class _MyAppState extends State<MyApp> {
   final TextEditingController _idTokenTextController = TextEditingController();
   final TextEditingController _refreshTokenTextController =
       TextEditingController();
-  String _userInfo = '';
+  String? _userInfo;
 
   // For a list of client IDs, go to https://demo.identityserver.io
   final String _clientId = 'interactive.public';
   final String _redirectUrl = 'io.identityserver.demo:/oauthredirect';
   final String _issuer = 'https://demo.identityserver.io';
   final String _discoveryUrl =
       'https://demo.identityserver.io/.well-known/openid-configuration';
+  final String _postLogoutRedirectUrl = 'io.identityserver.demo:/';
   final List<String> _scopes = <String>[
     'openid',
     'profile',
@@ -45,13 +48,10 @@ class _MyAppState extends State<MyApp> {
 
   final AuthorizationServiceConfiguration _serviceConfiguration =
       const AuthorizationServiceConfiguration(
-          'https://demo.identityserver.io/connect/authorize',
-          'https://demo.identityserver.io/connect/token');
-
-  @override
-  void initState() {
-    super.initState();
-  }
+    authorizationEndpoint: 'https://demo.identityserver.io/connect/authorize',
+    tokenEndpoint: 'https://demo.identityserver.io/connect/token',
+    endSessionEndpoint: 'https://demo.identityserver.io/connect/endsession',
+  );
 
   @override
   Widget build(BuildContext context) {
@@ -95,6 +95,14 @@ class _MyAppState extends State<MyApp> {
                 child: const Text('Refresh token'),
                 onPressed: _refreshToken != null ? _refresh : null,
               ),
+              ElevatedButton(
+                child: const Text('End session'),
+                onPressed: _idToken != null
+                    ? () async {
+                        await _endSession();
+                      }
+                    : null,
+              ),
               const Text('authorization code'),
               TextField(
                 controller: _authorizationCodeTextController,
@@ -116,22 +124,48 @@ class _MyAppState extends State<MyApp> {
                 controller: _refreshTokenTextController,
               ),
               const Text('test api results'),
-              Text(_userInfo),
+              Text(_userInfo ?? ''),
             ],
           ),
         ),
       ),
     );
   }
 
+  Future<void> _endSession() async {
+    try {
+      _setBusyState();
+      await _appAuth.endSession(EndSessionRequest(
+          idTokenHint: _idToken,
+          postLogoutRedirectUrl: _postLogoutRedirectUrl,
+          serviceConfiguration: _serviceConfiguration));
+      _clearSessionInfo();
+    } catch (_) {}
+    _clearBusyState();
+  }
+
+  void _clearSessionInfo() {
+    setState(() {
+      _codeVerifier = null;
+      _authorizationCode = null;
+      _authorizationCodeTextController.clear();
+      _accessToken = null;
+      _accessTokenTextController.clear();
+      _idToken = null;
+      _idTokenTextController.clear();
+      _refreshToken = null;
+      _refreshTokenTextController.clear();
+      _accessTokenExpirationTextController.clear();
+      _userInfo = null;
+    });
+  }
+
   Future<void> _refresh() async {
     try {
       _setBusyState();
       final TokenResponse? result = await _appAuth.token(TokenRequest(
           _clientId, _redirectUrl,
-          refreshToken: _refreshToken,
-          discoveryUrl: _discoveryUrl,
-          scopes: _scopes));
+          refreshToken: _refreshToken, issuer: _issuer, scopes: _scopes));
       _processTokenResponse(result);
       await _testApi(result);
     } catch (_) {
@@ -230,7 +264,7 @@ class _MyAppState extends State<MyApp> {
   void _processAuthTokenResponse(AuthorizationTokenResponse response) {
     setState(() {
       _accessToken = _accessTokenTextController.text = response.accessToken!;
-      _idTokenTextController.text = response.idToken!;
+      _idToken = _idTokenTextController.text = response.idToken!;
       _refreshToken = _refreshTokenTextController.text = response.refreshToken!;
       _accessTokenExpirationTextController.text =
           response.accessTokenExpirationDateTime!.toIso8601String();
@@ -250,7 +284,7 @@ class _MyAppState extends State<MyApp> {
   void _processTokenResponse(TokenResponse? response) {
     setState(() {
       _accessToken = _accessTokenTextController.text = response!.accessToken!;
-      _idTokenTextController.text = response.idToken!;
+      _idToken = _idTokenTextController.text = response.idToken!;
       _refreshToken = _refreshTokenTextController.text = response.refreshToken!;
       _accessTokenExpirationTextController.text =
           response.accessTokenExpirationDateTime!.toIso8601String();

flutter_appauth/example/lib/main.dart

@@ -5,6 +5,8 @@ export 'package:flutter_appauth_platform_interface/flutter_appauth_platform_inte
         AuthorizationServiceConfiguration,
         AuthorizationTokenRequest,
         AuthorizationTokenResponse,
+        EndSessionRequest,
+        EndSessionResponse,
         GrantType,
         TokenRequest,
         TokenResponse;

flutter_appauth/ios/Classes/FlutterAppauthPlugin.m

@@ -16,4 +16,8 @@ class FlutterAppAuth {
   Future<TokenResponse?> token(TokenRequest request) {
     return FlutterAppAuthPlatform.instance.token(request);
   }
+
+  Future<EndSessionResponse?> endSession(EndSessionRequest request) {
+    return FlutterAppAuthPlatform.instance.endSession(request);
+  }
 }

flutter_appauth/lib/flutter_appauth.dart

@@ -1,6 +1,6 @@
 name: flutter_appauth
 description: This plugin provides an abstraction around the Android and iOS AppAuth SDKs so it can be used to communicate with OAuth 2.0 and OpenID Connect providers
-version: 1.1.1
+version: 2.0.0
 homepage: https://github.com/MaikuB/flutter_appauth/tree/master/flutter_appauth
 
 environment:
@@ -10,7 +10,7 @@ environment:
 dependencies:
   flutter:
     sdk: flutter
-  flutter_appauth_platform_interface: ^3.0.0
+  flutter_appauth_platform_interface: ^4.0.0
 
 flutter:
   plugin:

flutter_appauth/lib/src/flutter_appauth.dart

@@ -1,3 +1,8 @@
+## [4.0.0]
+
+* **Breaking change** `AuthorizationServiceConfiguration` constructor has changed to take named parameters
+* Added `endSession()` method, `EndSessionRequest` and `EndSessionResponse` classes to support end session requests
+
 ## [3.1.0]
 
 * Added the ability to specify the response mode for authorization requests. This can be done using the `responseMode` parameter  when constructing either an `AuthorizationRequest` or `AuthorizationTokenRequest`. This was done as the AppAuth Android SDK throws an exception when this was done via `additionalParameters`

flutter_appauth/pubspec.yaml

@@ -3,6 +3,8 @@ export 'src/authorization_response.dart';
 export 'src/authorization_service_configuration.dart';
 export 'src/authorization_token_request.dart';
 export 'src/authorization_token_response.dart';
+export 'src/end_session_request.dart';
+export 'src/end_session_response.dart';
 export 'src/grant_types.dart';
 export 'src/token_request.dart';
 export 'src/token_response.dart';

flutter_appauth_platform_interface/CHANGELOG.md

@@ -0,0 +1,18 @@
+import 'authorization_service_configuration.dart';
+
+mixin AcceptedAuthorizationServiceConfigurationDetails {
+  /// The issuer.
+  String? issuer;
+
+  /// The URL of where the discovery document can be found.
+  String? discoveryUrl;
+
+  /// The details of the OAuth 2.0 endpoints that can be explicitly provided when discovery isn't used or not possible.
+  AuthorizationServiceConfiguration? serviceConfiguration;
+
+  void assertConfigurationInfo() {
+    assert(
+        issuer != null || discoveryUrl != null || serviceConfiguration != null,
+        'Either the issuer, discovery URL or service configuration must be provided');
+  }
+}

flutter_appauth_platform_interface/lib/flutter_appauth_platform_interface.dart

@@ -8,12 +8,12 @@ class AuthorizationRequest extends CommonRequestDetails
   AuthorizationRequest(
     String clientId,
     String redirectUrl, {
+    String? issuer,
+    String? discoveryUrl,
+    AuthorizationServiceConfiguration? serviceConfiguration,
     String? loginHint,
     List<String>? scopes,
-    AuthorizationServiceConfiguration? serviceConfiguration,
     Map<String, String>? additionalParameters,
-    String? issuer,
-    String? discoveryUrl,
     List<String>? promptValues,
     bool allowInsecureConnections = false,
     bool preferEphemeralSession = false,
@@ -31,5 +31,6 @@ class AuthorizationRequest extends CommonRequestDetails
     this.allowInsecureConnections = allowInsecureConnections;
     this.preferEphemeralSession = preferEphemeralSession;
     this.responseMode = responseMode;
+    assertConfigurationInfo();
   }
 }

flutter_appauth_platform_interface/lib/src/accepted_authorization_service_configuration_details.dart

@@ -1,10 +1,13 @@
 class AuthorizationServiceConfiguration {
-  const AuthorizationServiceConfiguration(
-    this.authorizationEndpoint,
-    this.tokenEndpoint,
-  );
+  const AuthorizationServiceConfiguration({
+    required this.authorizationEndpoint,
+    required this.tokenEndpoint,
+    this.endSessionEndpoint,
+  });
 
   final String authorizationEndpoint;
 
   final String tokenEndpoint;
+
+  final String? endSessionEndpoint;
 }

flutter_appauth_platform_interface/lib/src/authorization_request.dart

@@ -1,24 +1,16 @@
-import 'authorization_service_configuration.dart';
+import 'accepted_authorization_service_configuration_details.dart';
 
-class CommonRequestDetails {
+class CommonRequestDetails
+    with AcceptedAuthorizationServiceConfigurationDetails {
   /// The client id.
   late String clientId;
 
-  /// The issuer.
-  String? issuer;
-
-  /// The URL of where the discovery document can be found.
-  String? discoveryUrl;
-
   /// The redirect URL.
   late String redirectUrl;
 
   /// The request scopes.
   List<String>? scopes;
 
-  /// The details of the OAuth 2.0 endpoints that can be explicitly when discovery isn't used or not possible.
-  AuthorizationServiceConfiguration? serviceConfiguration;
-
   /// Additional parameters to include in the request.
   Map<String, String>? additionalParameters;
 

flutter_appauth_platform_interface/lib/src/authorization_service_configuration.dart

@@ -0,0 +1,40 @@
+import 'package:flutter_appauth_platform_interface/flutter_appauth_platform_interface.dart';
+import 'package:flutter_appauth_platform_interface/src/accepted_authorization_service_configuration_details.dart';
+
+class EndSessionRequest with AcceptedAuthorizationServiceConfigurationDetails {
+  EndSessionRequest({
+    this.idTokenHint,
+    this.postLogoutRedirectUrl,
+    this.state,
+    this.allowInsecureConnections = false,
+    this.additionalParameters,
+    String? issuer,
+    String? discoveryUrl,
+    AuthorizationServiceConfiguration? serviceConfiguration,
+  }) {
+    assert((idTokenHint == null && postLogoutRedirectUrl == null) ||
+        (idTokenHint != null && postLogoutRedirectUrl != null));
+    this.serviceConfiguration = serviceConfiguration;
+    this.issuer = issuer;
+    this.discoveryUrl = discoveryUrl;
+  }
+
+  /// Represents the ID token previously issued to the user.
+  ///
+  /// Used to indicate the identity of the user requesting to be logged out.
+  final String? idTokenHint;
+
+  /// Represents the URL to redirect to after the logout operation has been completed.
+  ///
+  /// When specified, the [idTokenHint] must also be provided.
+  final String? postLogoutRedirectUrl;
+
+  final String? state;
+
+  /// Whether to allow non-HTTPS endpoints.
+  ///
+  /// This property is only applicable to Android.
+  bool allowInsecureConnections;
+
+  final Map<String, String>? additionalParameters;
+}

flutter_appauth_platform_interface/lib/src/common_request_details.dart

@@ -0,0 +1,5 @@
+class EndSessionResponse {
+  final String? state;
+
+  EndSessionResponse(this.state);
+}

flutter_appauth_platform_interface/lib/src/end_session_request.dart

@@ -1,10 +1,12 @@
-import 'package:flutter_appauth_platform_interface/src/method_channel_flutter_appauth.dart';
 import 'package:plugin_platform_interface/plugin_platform_interface.dart';
 
 import 'authorization_request.dart';
 import 'authorization_response.dart';
 import 'authorization_token_request.dart';
 import 'authorization_token_response.dart';
+import 'end_session_request.dart';
+import 'end_session_response.dart';
+import 'method_channel_flutter_appauth.dart';
 import 'token_request.dart';
 import 'token_response.dart';
 
@@ -44,4 +46,8 @@ abstract class FlutterAppAuthPlatform extends PlatformInterface {
   Future<TokenResponse?> token(TokenRequest request) {
     throw UnimplementedError('token() has not been implemented');
   }
+
+  Future<EndSessionResponse?> endSession(EndSessionRequest request) {
+    throw UnimplementedError('endSession() has not been implemented');
+  }
 }

flutter_appauth_platform_interface/lib/src/end_session_response.dart

@@ -1,4 +1,6 @@
 import 'package:flutter/services.dart';
+import 'package:flutter_appauth_platform_interface/src/end_session_request.dart';
+import 'package:flutter_appauth_platform_interface/src/end_session_response.dart';
 
 import 'authorization_request.dart';
 import 'authorization_response.dart';
@@ -65,4 +67,14 @@ class MethodChannelFlutterAppAuth extends FlutterAppAuthPlatform {
         result['tokenType'],
         result['tokenAdditionalParameters']?.cast<String, dynamic>());
   }
+
+  @override
+  Future<EndSessionResponse?> endSession(EndSessionRequest request) async {
+    final Map<dynamic, dynamic>? result =
+        await _channel.invokeMethod('endSession', request.toMap());
+    if (result == null) {
+      return null;
+    }
+    return EndSessionResponse(result['state']);
+  }
 }

flutter_appauth_platform_interface/lib/src/flutter_appauth_platform.dart

@@ -3,6 +3,7 @@ import 'authorization_request.dart';
 import 'authorization_service_configuration.dart';
 import 'authorization_token_request.dart';
 import 'common_request_details.dart';
+import 'end_session_request.dart';
 import 'grant_types.dart';
 import 'token_request.dart';
 
@@ -20,6 +21,21 @@ Map<String, Object?> _convertCommonRequestDetailsToMap(
   };
 }
 
+extension EndSessionRequestMapper on EndSessionRequest {
+  Map<String, Object?> toMap() {
+    return <String, Object?>{
+      'idTokenHint': idTokenHint,
+      'postLogoutRedirectUrl': postLogoutRedirectUrl,
+      'state': state,
+      'allowInsecureConnections': allowInsecureConnections,
+      'additionalParameters': additionalParameters,
+      'issuer': issuer,
+      'discoveryUrl': discoveryUrl,
+      'serviceConfiguration': serviceConfiguration?.toMap(),
+    };
+  }
+}
+
 extension AuthorizationRequestParameters on AuthorizationRequest {
   Map<String, Object?> toMap() {
     return _convertAuthorizationParametersToMap(this)
@@ -29,10 +45,11 @@ extension AuthorizationRequestParameters on AuthorizationRequest {
 
 extension AuthorizationServiceConfigurationMapper
     on AuthorizationServiceConfiguration {
-  Map<String, Object> toMap() {
-    return <String, Object>{
+  Map<String, Object?> toMap() {
+    return <String, Object?>{
       'tokenEndpoint': tokenEndpoint,
       'authorizationEndpoint': authorizationEndpoint,
+      'endSessionEndpoint': endSessionEndpoint,
     };
   }
 }

flutter_appauth_platform_interface/lib/src/method_channel_flutter_appauth.dart

@@ -2,27 +2,22 @@ import 'authorization_service_configuration.dart';
 import 'common_request_details.dart';
 
 /// Details for a token exchange request.
-class TokenRequest with CommonRequestDetails {
+class TokenRequest extends CommonRequestDetails {
   TokenRequest(
     String clientId,
     String redirectUrl, {
     this.clientSecret,
     List<String>? scopes,
+    String? issuer,
+    String? discoveryUrl,
     AuthorizationServiceConfiguration? serviceConfiguration,
     Map<String, String>? additionalParameters,
     this.refreshToken,
     this.grantType,
-    String? issuer,
-    String? discoveryUrl,
     this.authorizationCode,
     this.codeVerifier,
     bool allowInsecureConnections = false,
-  }) : assert(
-            issuer != null ||
-                discoveryUrl != null ||
-                (serviceConfiguration?.authorizationEndpoint != null &&
-                    serviceConfiguration?.tokenEndpoint != null),
-            'Either the issuer, discovery URL or service configuration must be provided') {
+  }) {
     this.clientId = clientId;
     this.redirectUrl = redirectUrl;
     this.scopes = scopes;
@@ -31,6 +26,7 @@ class TokenRequest with CommonRequestDetails {
     this.issuer = issuer;
     this.discoveryUrl = discoveryUrl;
     this.allowInsecureConnections = allowInsecureConnections;
+    assertConfigurationInfo();
   }
 
   /// The client secret.

flutter_appauth_platform_interface/lib/src/method_channel_mappers.dart

@@ -1,6 +1,6 @@
 name: flutter_appauth_platform_interface
 description: A common platform interface for the flutter_appauth plugin.
-version: 3.1.0
+version: 4.0.0
 homepage: https://github.com/MaikuB/flutter_appauth/tree/master/flutter_appauth_platform_interface
 
 environment:

flutter_appauth_platform_interface/lib/src/token_request.dart

@@ -159,6 +159,26 @@ void main() {
       );
     });
   });
+
+  test('endSession', () async {
+    await flutterAppAuth.endSession(EndSessionRequest(
+        idTokenHint: 'someIdToken',
+        postLogoutRedirectUrl: 'somePostLogoutRedirectUrl',
+        state: 'someState',
+        discoveryUrl: 'someDiscoveryUrl'));
+    expect(log, <Matcher>[
+      isMethodCall('endSession', arguments: <String, Object?>{
+        'idTokenHint': 'someIdToken',
+        'postLogoutRedirectUrl': 'somePostLogoutRedirectUrl',
+        'state': 'someState',
+        'allowInsecureConnections': false,
+        'additionalParameters': null,
+        'issuer': null,
+        'discoveryUrl': 'someDiscoveryUrl',
+        'serviceConfiguration': null,
+      })
+    ]);
+  });
 }
 
 class FlutterAppAuthPlatformMock extends Mock