Useful materials:
- https://github.com/Clancey/simple_auth
- https://auth0.com/blog/get-started-with-flutter-authentication/
- https://pub.dev/packages/flutter_appauth
- https://codelabs.developers.google.com/codelabs/flutter-github-client
- https://github.com/flutter/codelabs/tree/master/github-client
- https://testdriven.io/blog/oauth-python/
- Ability to specify scopes and pass token to a Python code
- Auth0 as another OAuth provider: https://auth0.com/docs/quickstart/webapp/golang/interactive
- https://auth0.com/docs/secure/attack-protection/state-parameters#use-the-stored-url-to-redirect-users
Configuring OAuth provider:

```python
provider = GitHubOAuthProvider(
    "<client_id>",
    "<client_secret>",
    "<redirect_url>",
    ["user", "public_repo"])
```

Authenticate (start OAuth flow) user:

```python
auth: Authentication = page.login(provider, fetch_user=True, fetch_groups=True)
# fetch_user, fetch_groups if enabled ensure required scopes are set

page.auth           # the last Authentication
page.auth.token     # authentication token
page.auth.user      # instance of AuthUser class
page.auth.provider  # instance of OAuthProvider
```

Check if a session is authenticated:

```python
if page.auth is not None:
    # user is logged in
    pass
```

```python
class OAuthProvider():
    _name
    client_id
    client_secret
    authorization_endpoint
    token_endpoint
    redirect_url

    def get_user(self):
        pass

class OAuthToken():
    token
    created
    expiresIn
    refreshToken
    scope
    token_type

class AuthUser():
    id

class GitHubUser(AuthUser):
    full_name
    email
    teams
```

Providers
GitHub
- `authorization_endpoint`: https://github.com/login/oauth/authorize
- `token_endpoint`: https://github.com/login/oauth/access_token
- User scope: `read:user`, `user:email`
- Groups scope: `read:org`
- Get emails
- Get user
- Get teams

Google
- `authorization_endpoint`: https://accounts.google.com/o/oauth2/auth
- `token_endpoint`: https://oauth2.googleapis.com/token
- User scope: `https://www.googleapis.com/auth/userinfo.email`, `https://www.googleapis.com/auth/userinfo.profile`
- Groups scope: ?
- Get user: https://www.googleapis.com/oauth2/v3/userinfo
  - `sub`
  - `name`

Azure
- `authorization_endpoint`: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
- `token_endpoint`: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
- User scope: `user.read`
- Groups scope: `Directory.Read.All`
- Get user: https://graph.microsoft.com/v1.0/me
  - `id`
  - `userPrincipalName`
  - `displayName`
- Get org: https://graph.microsoft.com/v1.0/organization
  - `value`
- Get memberships: https://graph.microsoft.com/v1.0/me/memberOf?$select=displayName,id
  - `value`

Redirect URLs
Web: http(s)://{application_url}/api/oauth/redirect
Desktop: http://localhost/api/oauth/redirect
Mobile: flet://api/oauth/redirect

`login(provider)` method flow
- Generate random `state` value, save `state` in Authentication object.
- Build authorization URL with `redirect_url`.
- Call `page.oauth_login(authorization_url, state)`.
- Fletd stores an expiring cache object under `oauth_state_{state}` key and `page_id:session_id` value.
- Fletd calls `oauth_login` on a client with `authorization_url` and `state`.
- Flet client opens `authorization_url` in:
  - Desktop: a new browser tab/window.
  - Web: a new browser popup window: https://api.dart.dev/stable/2.18.0/dart-html/Window/open.html
  - Mobile: web view (depending on platform).
- After user login and consent on OAuth provider side:
  - Web and desktop:
    - Redirects back to `redirect_url`.
    - Fletd fetches `page_id:session_id` by `oauth_state_{state}` key. Verifies `state`.
    - Fletd sends `on_authorize` event to a Python code with `code`, `error`, `state`.
    - Fletd generates HTML output with JavaScript code closing browser window/tab.
  - Mobile:
    - Verifies `state`.
    - Flet client sends `on_authorize` event to a Python code with `code`, `error`, `state`.
- On Python side, internal `on_authorize` handler is called:
  - Validate `state`.
  - Request token with `code`, `client_secret`, `token_endpoint`.
- User and groups are optionally fetched.
- `page.on_login` event handler is called.
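
The `state` handling in the flow above (random value, expiring `oauth_state_{state}` entry, lookup on redirect), as an added example that is not part of the issue or of Flet's code. `StateCache`, `begin_login`, `complete_redirect` and the 10-minute lifetime are assumptions for illustration; the example also makes each `state` single-use, which the issue does not spell out.

```python
import secrets
import time
from urllib.parse import urlencode, parse_qs

STATE_TTL_SECONDS = 600  # assumed lifetime; the issue only says "expiring"


class StateCache:
    """In-memory stand-in for Fletd's expiring cache (hypothetical class)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._items = {}  # key -> (value, expires_at)

    def put(self, key, value, ttl=STATE_TTL_SECONDS):
        self._items[key] = (value, self._clock() + ttl)

    def pop_valid(self, key):
        """Remove and return the value; None if unknown, reused or expired."""
        value, expires_at = self._items.pop(key, (None, 0.0))
        return value if value is not None and self._clock() < expires_at else None


def begin_login(cache, authorization_endpoint, client_id, redirect_url, scopes,
                page_id, session_id):
    """Generate state, cache page_id:session_id under it, build the URL."""
    state = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    cache.put(f"oauth_state_{state}", f"{page_id}:{session_id}")
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_url,
        "scope": " ".join(scopes),
        "state": state,
    })
    return f"{authorization_endpoint}?{query}", state


def complete_redirect(cache, redirect_query):
    """Redirect handler: resolve state to page_id:session_id exactly once."""
    params = parse_qs(redirect_query)
    state = params.get("state", [""])[0]
    session = cache.pop_valid(f"oauth_state_{state}")
    if session is None:
        raise PermissionError("unknown, expired or replayed state")
    if "error" in params:
        raise PermissionError(f"provider error: {params['error'][0]}")
    return session, params.get("code", [None])[0]
```

Popping the entry before any other check means a replayed or forged redirect can never be routed to a session, even when the provider reports an error.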