How to deal with OpenID Connect + PKCE and redirect_url?


Cristiano

Jan 6, 2020, 9:06:05 PM
to Flutter Development (flutter-dev)
Hello all,

I'm starting with Flutter and mobile development, and my first assignment is to set up authn/authz using OpenID Connect.

I've already used OpenID for a web application, but I'm stuck because I was not able to understand how redirect_url would work with an app running on a smartphone.

Could someone explain this to me or point me to a resource doing that, please?

Thanks

Travis Dixon

Jan 7, 2020, 1:01:55 AM
to Flutter Development (flutter-dev)
It might not be best practice, but I just treat the phone as a trusted client and use the password grant type and dispense with the whole redirecting dance (though I also control the identity source, I'm not letting users use their own providers).

If you really want to use the standard or implicit flows, then https://www.oauth.com/oauth2-servers/redirect-uris/redirect-uris-native-apps/ seems to have a decent idea of how it could work on mobile.

Mark Phillips

Jan 7, 2020, 1:30:16 AM
to Flutter Development (flutter-dev)
I've had success using https://github.com/MaikuB/flutter_appauth which is a platform wrapper around the native SDKs (see https://appauth.io/ for more info) and allows use of the recommended auth code + PKCE flow. RedirectUri in this use case is a custom URI scheme used to launch the mobile app for returning the authentication code.
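
What the auth code + PKCE flow with a custom URI scheme redirect involves on the client side, as an added Python example that is not part of the original post and is not flutter_appauth's code. The endpoint, client ID and redirect URI are assumed placeholder values.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed values for illustration; none of them come from the thread.
AUTHORIZATION_ENDPOINT = "https://idp.example.com/oauth2/auth"
CLIENT_ID = "example-mobile-client"
REDIRECT_URI = "com.example.app:/oauthredirect"  # custom URI scheme the app registers

def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def start_authorization():
    """Build the authorization URL; the returned session never leaves the app."""
    session = {"verifier": b64url(secrets.token_bytes(32)),
               "state": b64url(secrets.token_bytes(16))}
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": "openid",
              "state": session["state"],
              "code_challenge": s256_challenge(session["verifier"]),
              "code_challenge_method": "S256"}
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params), session

def handle_redirect(callback_uri: str, session: dict) -> dict:
    """Check the URI the OS delivered to the app, then build the token request form."""
    got, want = urlsplit(callback_uri), urlsplit(REDIRECT_URI)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback does not match the registered redirect_uri")
    query = parse_qs(got.query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), session["state"].encode()):
        raise ValueError("state mismatch: response is not for this request")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    # The verifier is only revealed here, over TLS to the token endpoint, so a
    # code intercepted by another app on the same URI scheme cannot be redeemed.
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
            "code_verifier": session["verifier"]}
```

The dictionary returned by `handle_redirect` is the form body the app would POST to the provider's token endpoint.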

Cristiano

Jan 7, 2020, 12:28:50 PM
to Flutter Development (flutter-dev)
Mark Phillips and Travis Dixon, many thanks!

I could understand the concept behind redirect URIs on both Android and iOS. Also, I was able to make my PoC app work with flutter_appauth.

Best regards,

Cristiano

Hakeem Oriola

Jan 17, 2020, 7:25:18 AM
to Flutter Development (flutter-dev)

I am having the same issue using IdentityServer4, .NET Core 3.0 and a Flutter app. I would appreciate sample code for the client definition and redirect_url.

Hakeem

Gavin Henry

May 24, 2020, 3:53:54 AM
to Hakeem Oriola, Flutter Development (flutter-dev)
We're using the Flutter AppAuth package and the Ory Hydra OAuth2 and OpenID project. Really nice.