Authentication

[FeodorFitsner]

Useful materials:

• https://github.com/Clancey/simple_auth
• https://auth0.com/blog/get-started-with-flutter-authentication/
• https://pub.dev/packages/flutter_appauth
• https://codelabs.developers.google.com/codelabs/flutter-github-client
• https://github.com/flutter/codelabs/tree/master/github-client
• https://testdriven.io/blog/oauth-python/
• Ability to specify scopes and pass token to a Python code
• Auth0 as another OAuth provider: https://auth0.com/docs/quickstart/webapp/golang/interactive
• https://auth0.com/docs/secure/attack-protection/state-parameters#use-the-stored-url-to-redirect-users

Configuring OAuth provider:

provider = GitHubOAuthProvider(
  "<client_id>",
  "<client_secret>",
  "<redirect_url>",
  ["user", "public_repo])

Authenticate (start OAuth flow) user:

auth: Authentication = page.login(provider, fetch_user=True, fetch_groups=True)
# fetch_users, fetch_groups if enabled ensure required scopes are set
page.auth # the last Authentication
page.auth.token # authentication token
page.auth.user # instance of AuthUser class
page.auth.provider # instance of OAuthProvider

Check if a session is authenticated:

if page.auth != None:
  # user is logged in

class OAuthProvider():
  _name
  client_id
  client_secret
  authorization_endpoint
  token_endpoint
  redirect_url
  def get_user():
    pass

class OAuthToken():
  token
  created
  expiresIn
  refreshToken
  scope
  token_type

class AuthUser():
  id

class GitHubUser(AuthUser):
  full_name
  email
  teams

Providers

GitHub

• authorization_endpoint: https://github.com/login/oauth/authorize
• token_endpoint: https://github.com/login/oauth/access_token
• User scope: read:user, user:email
• Groups scope: read:org
• Get emails
• Get user
• Get teams

Google

• authorization_endpoint: https://accounts.google.com/o/oauth2/auth
• token_endpoint: https://oauth2.googleapis.com/token
• User scope: https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/userinfo.profile
• Groups scope: ?
• Get user: https://www.googleapis.com/oauth2/v3/userinfo
  • sub
  • email
  • name

Azure

• authorization_endpoint: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
• token_endpoint: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
• User scope: user.read
• Groups scope: Directory.Read.All
• Get user: https://graph.microsoft.com/v1.0/me
  • id
  • userPrincipalName
  • displayName
  • mail
• Get org: https://graph.microsoft.com/v1.0/organization
  • value
• Get memberships: https://graph.microsoft.com/v1.0/me/memberOf?$select=displayName,id
  • value

Redirect URLs

Web: http(s)://{application_url}/api/oauth/redirect
Desktop: http://localhost/api/oauth/redirect
Mobile: flet://api/oauth/redirect

login(provider) method flow

• Generate random state value, save state in Authentication object.
• Build authorization URL with redirect_url.
• Call page.oauth_login(authorization_url, state).
• Fletd stores an expiring cache object under oauth_state_{state} key and page_id:session_id value.
• Fletd calls oauth_login on a client with authorization_url and state.
• Flet client opens authorization_url in:
  • Desktop: a new browser tab/window.
  • Web: a new browser popup window: https://api.dart.dev/stable/2.18.0/dart-html/Window/open.html
  • Mobile: web view (depending on platform).
• After user login and consent on OAuth provider side:
  • Web and desktop:
    • Redirects back to redirect_url.
    • Fletd fetches page_id:session_id by oauth_state_{state} key. Verifies state.
    • Fletd sends on_authorize event to a Python code with code, error, state.
    • Fletd generates HTML output with JavaScript code closing browser window/tab.
  • Mobile:
    • Verifies state.
    • Flet client sends on_authorize event to a Python code with code, error, state.
• On Python side internal on_authorize handler called:
  • Validate state
  • Request token with code, client_secret, token_endpoint.
• user and groups optionally fetch.
• page.on_login event handler called.

[jet10000]

cool

[dhayford92]

I will like to contribute to the projects

[ObiajuluM]

is this live, I'm really looking forward to using it

[FeodorFitsner]

It's coming next week.