Social login with Flutter App

marco · 25 Sept 2020, 13:59

Hey there!

We are having some difficulties with social login inside our flutter app.

Whenever we try to login using Google (for example) we are able to get the token inside the app, but when it goes through Fusion Auth there is an error.

The logged error is:

Request to the [https://www.googleapis.com/oauth2/v3/tokeninfo] endpoint failed. Status code [400].

Error response is 
{
  "error_description" : "Invalid Value"
}

Is there a way to use iOS/Android tokens inside FusionAuth?

We think that might be the problem, but if you have any suggestion would be nice.

Thank you guys.

dan · 25 Sept 2020, 22:55

Hiya,

I don't know the answer offhand, unfortunately. If I were debugging this issue, I'd make sure I could do social login with Google using a webclient, just to remove the mobile issue from the equation.

Is there a way to use iOS/Android tokens inside FusionAuth?

I'm not quite sure what you mean there. Can you explain further?

marco · 29 Sept 2020, 15:57

Hey dan, thanks for taking the time.

About your suggestion, we tried to login using a web client, and it works fine!

So, the next step would be to use a webview inside our flutter app, and it should work, right?

Unfortunately, we tested many flutter plugins for webviews, including the official one, but they all have some issues with the keyboard (most are experimental), and that will block users from logging in, because they can't type their passwords.

About the token validation error I mentioned on the first question, as flutter generates native apps, we used the mobile token provided by google developer, and that does not work because fusion auth expects a web token instead. After that experience, we tried to find a solution using the web token, but we end up with the problems above.

That is why we asked if fusion auth would allow and validate mobile tokens. I hope someone in the community have already used fusion auth social login within a flutter app.

dan · 29 Sept 2020, 23:25

Ah, makes sense.

I don't think you want to use a webview or an ios/android token. Per OAuth 2.0 for Native Apps, the recommended solution is to use the system browser:

For authorizing users in native apps, the best current practice is to
perform the OAuth authorization request in an external user-agent
(typically the browser) rather than an embedded user-agent (such as
one implemented with web-views).

You can see how this was implemented in React Native here: https://fusionauth.io/blog/2020/08/19/securing-react-native-with-oauth and here https://github.com/fusionauth/fusionauth-example-react-native

marco · 19 Oct 2020, 14:27

Hey Dan.

I just wanted to thank you for the support.

We are now using FusionAuth login pages directly (as you suggested), and it works perfectly!

For reference, we used this flutter package: https://pub.dev/packages/flutter_appauth/example

Thank you again!

dan · 3 Nov 2020, 23:17

That's awesome, glad it got worked out.

Please share here when your app is released!

mak · 3 Nov 2020, 23:17

We are new to flutter development and not sure how to integrate fusion auth, I am going thru the pointers but does not seem straightforward, if there is a sample implementation that would be awesome

dan · 5 Nov 2020, 00:39

Hiya,

We'll be releasing a flutter example app in the next few weeks. Keep an eye on the blog for it: https://fusionauth.io/blog/

mak · 6 Nov 2020, 02:03

@dan Thank you so much,

I am trying to implement it and using the below function, but it redirects to the fusionAuth UI but when on the callback I see the below error

 result =
        await appAuth.authorizeAndExchangeCode(
          AuthorizationTokenRequest(
            FUSIONAUTH_CLIENTID,
            FUSIONAUTH_REDIRECT_URI,
//            issuer: FUSIONAUTH_ISSUER,
            discoveryUrl: FUSIONAUTH_DISCOVERY_URL,
            scopes: <String>['openid', 'profile', 'offline_access'],
            // promptValues: ['login']
          ),
        );```

I am getting thee error below
===================
PlatformException(authorize_and_exchange_code_failed, Failed to authorize:[error: invalid_client, description: Client
authentication missing aaas Basic Authorization header or credentials in the body(or some combination of them.], null, null)

dan · 10 Nov 2020, 18:16

You could try turning off "Require authentication" in the application's OAuth tab and seeing if that helps.

If that fixes it, it seems like the FusionAuth dart client isn't properly providing the client secret to FusionAuth, which seems like a bug. If so, can you file an issue here: https://github.com/fusionauth/fusionauth-dart-client

dan · 15 Apr 2021, 20:47

Just wanted to update. A user opened: https://github.com/FusionAuth/fusionauth-dart-client/issues/7

To clear things up, with a public client like a mobile application, you can't safely store a client secret (it'll be shared among all the native apps and can be found via decompilation).

In this scenario, you should disable Require authentication in the FusionAuth Application configuration and use PKCE to secure communication with the Token endpoint.

You can use the exchangeOAuthCodeForAccessTokenUsingPKCE client method to do so.

This is also outlined here: https://fusionauth.io/docs/v1/tech/client-libraries/dart/