feat: Add FlutterWebAuth2RedirectRoute for OAuth2 PKCE web sign-in flow#5133

Merged
vfiruz97 merged 3 commits into
serverpod:mainfrom
vfiruz97:feat/configuration-for-oauth2-callback-route
May 18, 2026
Contributor

@vfiruz97 vfiruz97 commented May 14, 2026

Regarding @vlidholt's comment in serverpod/serverpod_docs#494 (comment): this PR adds FlutterWebAuth2RedirectRoute for genericOAuth2 web sign-in flow.
Users have to register a callback router like pod.webServer.addRoute(FlutterWebAuth2CallbackRoute(), '/auth/callback'); before pod.start() instead of putting web/auth.html in setup Idp. This route serves the callback for some identity providers. By default it is served at the /auth/callback path, but the user can set their own path and host.

NOTE: This route should be on the same host as the frontend app.

This route is provider-agnostic — register it once and share it across all OAuth2 PKCE-based identity providers (Google, GitHub, Microsoft, etc.).

Pre-launch Checklist

  • I read the Contribute page and followed the process outlined there for submitting PRs.
  • This update contains only one single feature or bug fix and nothing else. (If you are submitting multiple fixes, please make multiple PRs.)
  • I read and followed the Dart Style Guide and formatted the code with dart format.
  • I listed at least one issue that this PR fixes in the description above.
  • I updated/added relevant documentation (doc comments with ///), and made sure that the documentation follows the same style as other Serverpod documentation. I checked spelling and grammar.
  • I added new tests to check the change I am making.
  • All existing and new tests are passing.
  • Any breaking changes are documented below.

If you need help, consider asking for advice on the discussion board.

Breaking changes

No breaking changes

Same-origin requirement

This route must be served from the same host and port as your Flutter web application. The redirect page uses window.postMessage, and browsers enforce that postMessage is only delivered when the receiving window has the same origin (scheme + host + port).

Example

Server

pod.webServer.addRoute(
  FlutterRoute(Directory(Uri(path: 'web/app').toFilePath()), host: 'cloud.serverpod.dev'),
  '/',
);
pod.webServer.addRoute(
  FlutterRoute(Directory(Uri(path: 'web/app').toFilePath()), host: 'accounts.serverpod.dev'),
  '/',
);

pod.webServer.addRoute(
  FlutterWebAuth2CallbackRoute(host: 'cloud.serverpod.dev'), // this route should be on the same origin
  '/auth/callback',
);

Frontend

client.auth.initializeGoogleSignIn(
  clientId: '.apps.googleusercontent.com',
  redirectUri: 'https://cloud.serverpod.dev/auth/callback',
);

client.auth.initializeGitHubSignIn(
  clientId: '0000cc000cc',
  redirectUri: 'https://cloud.serverpod.dev/auth/callback',
);

When NOT to use

If your Flutter web app is hosted separately.
In that case, place the auth.html file provided by [flutter_web_auth_2 README](https://pub.dev/packages/flutter_web_auth_2#web) in your Flutter app's web/ directory and use its URL as the redirectUri.
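The same-origin requirement described in the PR can be checked before deployment. The following is an added example, not code from this PR, Serverpod or flutter_web_auth_2: the function names are hypothetical, the sample configuration is constructed from the hostnames in the description, and it assumes the callback page posts its result with its own origin as the postMessage targetOrigin.

```javascript
// Added example: models the same-origin rule for the OAuth2 callback page.
// Function names are hypothetical; hostnames are the ones used in the PR text.

// Origin = scheme + host + port; URL normalizes default ports (443 for https).
function originOf(url) {
  return new URL(url).origin;
}

// Models browser delivery of postMessage(data, targetOrigin): the message
// reaches the receiving window only if targetOrigin matches its origin.
function isDelivered(targetOrigin, receiverUrl) {
  return targetOrigin === '*' || targetOrigin === originOf(receiverUrl);
}

// Assumption: the callback page posts the result to its opener with its own
// origin as targetOrigin, so the app receives it only when origins are equal.
function callbackReachesApp(redirectUri, appUrl) {
  return isDelivered(originOf(redirectUri), appUrl);
}

// Pre-deploy check: list every configured redirectUri that would break.
function findMisconfigured(appUrl, redirectUris) {
  return Object.entries(redirectUris)
    .filter(([, uri]) => !callbackReachesApp(uri, appUrl))
    .map(([provider, uri]) => ({
      provider,
      redirectOrigin: originOf(uri),
      appOrigin: originOf(appUrl),
    }));
}

// Constructed sample configuration.
const sample = {
  google: 'https://cloud.serverpod.dev/auth/callback',
  github: 'https://cloud.serverpod.dev:443/auth/callback', // default port: same origin
  microsoft: 'https://accounts.serverpod.dev/auth/callback', // different host
  legacy: 'http://cloud.serverpod.dev/auth/callback', // different scheme
};

console.log(findMisconfigured('https://cloud.serverpod.dev/', sample));
```

Run with Node.js; an empty list means every configured redirectUri shares the app's origin.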


@Zfinix Zfinix left a comment


LGTM 🚀

Collaborator

@marcelomendoncasoares marcelomendoncasoares left a comment


Just one suggestion to narrow down the interface and use it on all our examples.

Contributor Author

@Zfinix take into account that we removed the configureFlutterWebAuth2CallbackRoute extension method.
Now users have to register the route on the server side like this:

pod.webServer.addRoute(
  FlutterWebAuth2CallbackRoute(),
  '/auth/callback',
);

@vfiruz97 vfiruz97 requested a review from Zfinix May 18, 2026 15:34
Collaborator

@marcelomendoncasoares marcelomendoncasoares left a comment


LGTM!

@vfiruz97 vfiruz97 merged commit aa44f10 into serverpod:main May 18, 2026
83 checks passed
@github-actions github-actions Bot locked and limited conversation to collaborators May 18, 2026