Considering deprecating and discontinuing package:oauth2 #375

Open
devoncarew opened this issue Nov 7, 2022 · 14 comments

@devoncarew
Member

This is a tracking issue for potentially deprecating and discontinuing package:oauth2.

General notes:

  • this package is published under our tools.dart.dev publisher; for people who are not aware, that publisher is for packages we've authored in order to build various Dart tools (pub, analyzer, ...)
  • the support commitment for the tools. packages is lower than for general dart.dev packages; the packages are triaged occasionally, we may not be able to respond to all issues; essentially, we're ok with people taking a dependency on them but the packages don't have a strong support commitment
  • our only use of package:oauth2 is from the pub tool; that team doesn't have the bandwidth to maintain this package beyond the parts that they themselves use
  • there are 7 open PRs for the package - from the last 3 years - including for things like additional RFCs to support
  • there are 30 untriaged issues (no labels), including #126 ("Is this package still maintained?")

Paraphrasing from the above, we don't have the bandwidth to maintain this package as a general purpose solution, and from the issues and PRs, there is some clear maintenance technical debt. Given that this package is from the Dart team, people can misinterpret the intent to be to provide a general purpose or best-of-breed solution.

An alternative to the current situation is to:

  • in-line the part of this package that we use into the pub client
  • discontinue the package
  • let the community fork and maintain this package (or to otherwise come up with a replacement solution)

We'll leave this issue open for a few weeks while we collect feedback; thanks in advance!


Other data points:

@hpoul

hpoul commented Nov 10, 2022

Would be sad to see it abandoned, I use it in quite a few flutter projects because it's pretty easy to understand and reason about, without many dependencies. Last time I researched alternatives, most were pretty opinionated about how they store credentials, or do it on their own internally, or even try to handle redirects as flutter plugins.
But I guess alternatives or forks would emerge anyway 🤔

@luis901101

Same from me, I use it in several projects and also use it in a plugin oauth_webauth. Really sad to see this package being discontinued, as it is so simple to use and provides such a clean, pure Dart implementation of OAuth2 grant types. I hope for a different destiny for this package instead of discontinuing it.

copybara-service bot referenced this issue in dart-lang/sdk Nov 11, 2022
Also removes package:oauth2 from DEPS (it is now vendored in pub).

See https://github.com/dart-lang/oauth2/issues/137.

Changes:
```
> git log --format="%C(auto) %h %s" 65c7f3e..6ac42d7
 https://dart.googlesource.com/pub.git/+/6ac42d76 Use package:vendor to vendor package:tar and package:oauth2 (#3638)
 https://dart.googlesource.com/pub.git/+/817fcf13 blast_repo fixes (#3646)
 https://dart.googlesource.com/pub.git/+/738d963c blast_repo fixes (#3644)
 https://dart.googlesource.com/pub.git/+/a73598b5 Refactor HTTP retries (#3325) (#3590)
 https://dart.googlesource.com/pub.git/+/5527068c New command `dart pub cache preload` (#3636)

```

Diff: https://dart.googlesource.com/pub.git/+/65c7f3e528f3f9978c4330cbd471070f17370f65~..6ac42d7644dedfcc500147ab47886eecab4b1b38/
Change-Id: I6d2dffcac67b4bd1c1c91be952cca65c84d85493
Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/269301
Commit-Queue: Sigurd Meldgaard <sigurdm@google.com>
Reviewed-by: Jonas Jensen <jonasfj@google.com>

@jjoffrey

I use this package also, would be pretty sad if you plan to discontinue it

@ahmednfwela

ahmednfwela commented Nov 18, 2022

@devoncarew would it be possible to transfer this package under https://github.com/flutter/packages ?
this way the community can contribute to it easier, and issues would be triaged under https://github.com/flutter/flutter

even though this package doesn't depend on flutter, we can split it in 2 packages:

  1. under dart.dev would be the oauth2 customizable protocol package (this one), perhaps with OIDC support as well.
  2. under flutter.dev would be a new flutter_oauth2 package which has platform specific implementations (opening browser, redirection, persistence, etc..)

@wstrange

wstrange commented Nov 27, 2022

oauth2 is the cornerstone of modern APIs; It is critical that there exists a good solution here.

If Google can't maintain this repo, perhaps they can fund an organization that will? Like the flutter firebase plugins - which are Google sponsored but maintained by a 3rd party.

EDIT: I know this is a pretty big ask ;-) (Google can't fund everything). But if it's a case of "we have money, but not people" this could be a way forward.

@luisgustavoo

Very saddened by this announcement.

@MeltdownInteractive

Has any decision been made on this?
What is the suggested way going forward for implementing an oauth2 solution using Flutter?

@fingineering

Any updates on this package?

@ahmednfwela

We have launched package:oidc, which is the most comprehensive openid connect/oauth package to date.
The motivation for this was the possible deprecation of this package, and all the missing features it needed.

@joaquingrech

I'm checking the oidc plugin but I see no example on something as simple as a Google sign-in

@ahmednfwela

ahmednfwela commented Jun 21, 2024

@joaquingrech there is an entire example project here

as with any oauth plugin, after the initial setup, you put your client id, secret, redirect url and discovery document, and manage it using OidcUserManager

@joaquingrech

Well, I tried that example project placing Google URLs and it didn't work. That's why I'm asking, it seems there are zero examples on the web using this library to create a mobile app and auth on it.

@joaquingrech

Yeah, I repeat myself, after 4 hours trying to use OIDC package, I failed, not even getting a simple Google login page to load. Zero examples on the web, zero examples on the doc. The documentation and readme are obsolete (missing all parameters on main page). OAuth package was working fine. If this is to replace the previous package, it has to catch up with, at the bare minimum, a Google login example since it's the most used login in the world.

@bivens-dev

Once some of the work is completed on native asset bundling could it make sense that this package was just rewritten to wrap a more robust implementation that wasn’t written in Dart as an alternative way of reducing the maintenance burden while improving some of the building blocks available to the server side Dart community?

@mosuem mosuem transferred this issue from dart-archive/oauth2 Aug 26, 2024
@devoncarew devoncarew removed the meta label Oct 31, 2024