Skip to content

Adding DPoP feature for flutter #667

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
utkrishtsahu merged 34 commits into from
Dec 10, 2025
Merged

Adding DPoP feature for flutter #667

Show file tree
Hide file tree
Changes from 9 commits
Commits
Show all changes
34 commits
Select commit Hold shift + click to select a range
fb1e954
Adding DPoP feature for flutter
utkrishtsahu Oct 6, 2025
59561ef
feat(android): Upgrade native SDK to 3.9.0 and adapt to breaking changes
utkrishtsahu Oct 14, 2025
f36ce25
adding Dp feature with platform updates
utkrishtsahu Nov 20, 2025
dcc06db
adding changes as per github action bot
utkrishtsahu Nov 20, 2025
9f037ee
addressed bot PR review comments
utkrishtsahu Nov 20, 2025
f97a18f
Merge main branch to bring DPoP branch up to date
utkrishtsahu Nov 20, 2025
284b62f
Fixing UT failure issue in CI for android,ios and macos
utkrishtsahu Nov 20, 2025
df70633
Fixed review comments by prince and claude
utkrishtsahu Nov 21, 2025
bcf3a5a
restored to java 8 and handled review comments
utkrishtsahu Nov 27, 2025
ceb6c24
Resolving Claud code review
utkrishtsahu Dec 1, 2025
5b47793
Handle review comments and added all UT for flutter including DPoP
utkrishtsahu Dec 2, 2025
8d7cc7e
addressing unit test failure for android,ios and symlink
utkrishtsahu Dec 2, 2025
866b1fb
Fix race conditions in iOS/macOS unit tests and document cache-only b…
utkrishtsahu Dec 3, 2025
3b7e369
Fix iOS/macOS unit test failures
utkrishtsahu Dec 3, 2025
36ebe7a
Resilving review comments and ios UT test failure
utkrishtsahu Dec 3, 2025
c317750
Merge remote-tracking branch 'origin/main' into DPoP_upport_flutter
utkrishtsahu Dec 3, 2025
e3e6cb6
Fix CI failures: Add missing files and update test mocks
utkrishtsahu Dec 3, 2025
accc43b
Fix iOS/macOS unit test timeouts by reverting async test changes
utkrishtsahu Dec 3, 2025
a5f483d
Fix iOS unit test timeouts by adding explicit 5s timeouts to all expe…
utkrishtsahu Dec 3, 2025
a9d50cd
fix iOS unit test timeouts by reverting to proven async/sync patterns
utkrishtsahu Dec 5, 2025
131f157
Fixes iOS UTs
NandanPrabhu Dec 5, 2025
0e65bbf
Adds scenedelegate conformance
NandanPrabhu Dec 5, 2025
2d46380
Address review comments: separate DPoP channel and simplify docs
utkrishtsahu Dec 5, 2025
c3926f2
Fix test: use correct index for CredentialsManagerMethodCallHandler
utkrishtsahu Dec 5, 2025
a29e2fd
Removed UT as per review comments
utkrishtsahu Dec 5, 2025
8740337
addresed few review comments
utkrishtsahu Dec 5, 2025
e41aade
refactor: Move DPoP utility methods from AuthenticationApi to Auth0 c…
utkrishtsahu Dec 5, 2025
6071b97
Handled review comments:Decoupling in all platforms,removal of commen…
utkrishtsahu Dec 8, 2025
5b8471d
Merge remote-tracking branch 'origin/main' into DPoP_upport_flutter
utkrishtsahu Dec 8, 2025
16055d4
added UT in CredentialsManagerHandlerTests.swift
utkrishtsahu Dec 8, 2025
fbfb893
feat: refactor DPoP operations and add tokenType parameter to userPro…
utkrishtsahu Dec 9, 2025
9cdf344
Fix iOS CredentialsManager caching tests
utkrishtsahu Dec 9, 2025
6c12e93
Fixing ios CI failure
utkrishtsahu Dec 9, 2025
2ef754e
Handling review comments UserInfoApiRequestHandler and AuthAPIUserInf…
utkrishtsahu Dec 9, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ env:
ruby: '3.3.1'
flutter: '3.x'
ios-simulator: iPhone 16
java: 11
java: 17
Copy link
Contributor

@pmathew92 pmathew92 Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this needs to be upgraded ?


jobs:

Expand Down
15 changes: 12 additions & 3 deletions auth0_flutter/EXAMPLES.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -443,13 +443,16 @@ final auth0 = Auth0('YOUR_AUTH0_DOMAIN', 'YOUR_AUTH0_CLIENT_ID',

You can enable an additional level of user authentication before retrieving credentials using the local authentication supported by the device, for example PIN or fingerprint on Android, and Face ID or Touch ID on iOS.

To enable this, pass a `LocalAuthentication` instance when you create your `Auth0` object.

```dart
const localAuthentication =
LocalAuthentication(title: 'Please authenticate to continue');
final auth0 = Auth0('YOUR_AUTH0_DOMAIN', 'YOUR_AUTH0_CLIENT_ID',
localAuthentication: localAuthentication);
final credentials = await auth0.credentialsManager.credentials();
```
> ⚠️ On Android, your app's MainActivity.kt file must extend FlutterFragmentActivity instead of FlutterActivity for biometric prompts to work.

Check the [API documentation](https://pub.dev/documentation/auth0_flutter_platform_interface/latest/auth0_flutter_platform_interface/LocalAuthentication-class.html) to learn more about the available `LocalAuthentication` properties.

Expand Down Expand Up @@ -490,10 +493,16 @@ The Credentials Manager will only throw `CredentialsManagerException` exceptions

```dart
try {
final credentials = await auth0.credentialsManager.credentials();
// ...
final credentials = await auth0.credentialsManager.credentials();
// ...
} on CredentialsManagerException catch (e) {
print(e);
if (e.isNoCredentialsFound) {
print("No credentials stored.");
} else if (e.isTokenRenewFailed) {
print("Failed to renew tokens.");
} else {
print(e);
}
}
```

Expand Down
53 changes: 53 additions & 0 deletions auth0_flutter/MIGRATION_GUIDE.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
# Migration Guide

## Native SDK Version Updates

This release includes updates to the underlying native Auth0 SDKs to support new features including DPoP (Demonstrating Proof of Possession). These updates are **transparent** to your application code - no code changes are required unless you want to opt into new features like DPoP.

### Updated SDK Versions

| Platform | Previous Version | New Version | Changes |
|----------|-----------------|-------------|---------|
| **Android** | Auth0.Android 2.11.0 | Auth0.Android 3.11.0 | DPoP support, enhanced security |
| **iOS/macOS** | Auth0.swift 2.10.0 | Auth0.swift 2.14.0 | DPoP support, improved APIs |
| **Web** | auth0-spa-js 2.0 | auth0-spa-js 2.9.0 | DPoP support, bug fixes |

Copy link

Copilot AI Nov 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The migration guide states that Auth0.Android SDK was upgraded from version 2.11.0 to 3.11.0 (line 11), which is a major version bump. However, the guide claims "no code changes are required" and that updates are "transparent" (line 5).

A major version bump (2.x to 3.x) typically indicates breaking changes. The guide should either:

  1. Clarify what breaking changes exist in the native SDK and how the Flutter wrapper handles them
  2. List any potential migration issues developers might encounter
  3. Verify that the version numbers are correct (the PR description mentions 3.10.0, but build.gradle shows 3.11.0)
Suggested change
| **Android** | Auth0.Android 2.11.0 | Auth0.Android 3.11.0 | DPoP support, enhanced security |
| **iOS/macOS** | Auth0.swift 2.10.0 | Auth0.swift 2.14.0 | DPoP support, improved APIs |
| **Web** | auth0-spa-js 2.0 | auth0-spa-js 2.9.0 | DPoP support, bug fixes |
| **Android** | Auth0.Android 2.11.0 | Auth0.Android 3.11.0 | DPoP support, enhanced security, major version bump |
| **iOS/macOS** | Auth0.swift 2.10.0 | Auth0.swift 2.14.0 | DPoP support, improved APIs |
| **Web** | auth0-spa-js 2.0 | auth0-spa-js 2.9.0 | DPoP support, bug fixes |
> **Note for Android:**
> The upgrade from Auth0.Android 2.11.0 to 3.11.0 is a major version bump. According to [Auth0.Android 3.x release notes](https://github.com/auth0/Auth0.Android/releases), this release includes some breaking changes at the native SDK level. However, the `auth0_flutter` plugin has been updated to maintain backward compatibility for all existing Flutter APIs.
>
> If you are using only the documented Flutter APIs, **no code changes are required** for this upgrade. If you use custom platform channels or depend on undocumented native behaviors, please review the [Auth0.Android 3.x migration guide](https://github.com/auth0/Auth0.Android/blob/main/MIGRATION.md) for details.
>
> If you encounter any issues after upgrading, please consult the [Auth0.Android 3.x release notes](https://github.com/auth0/Auth0.Android/releases) or open an issue.

Copilot uses AI. Check for mistakes.
### What's New

#### DPoP (Demonstrating Proof of Possession) Support
All platforms now support DPoP, an optional OAuth 2.0 security extension that cryptographically binds access tokens to your client, preventing token theft and replay attacks.

**This is an opt-in feature** - your existing authentication flows will continue to work without any changes.

To enable DPoP:
```dart
// Mobile
final credentials = await auth0.webAuthentication().login(useDPoP: true);
// Web
final auth0Web = Auth0Web('DOMAIN', 'CLIENT_ID', useDPoP: true);
```

For complete DPoP documentation, see the [README](README.md#using-dpop-demonstrating-proof-of-possession).

### Do I Need to Make Changes?

**No code changes are required** for existing functionality. The SDK updates are backward compatible.

You only need to make changes if you want to:
- βœ… Enable DPoP for enhanced security (optional)
- βœ… Use new iOS-only DPoP API methods: `getDPoPHeaders()` and `clearDPoPKey()` (optional)
Copy link
Contributor

@pmathew92 pmathew92 Dec 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: this is not just ios specific


### Java Version Requirement (Android)

**Java 8** remains the minimum requirement for Android builds. The SDK continues to use:
- `sourceCompatibility JavaVersion.VERSION_1_8`
- `targetCompatibility JavaVersion.VERSION_1_8`

No changes to your Java setup are needed.

## What's New

This version includes support for **DPoP (Demonstrating Proof of Possession)**, an optional OAuth 2.0 security feature that cryptographically binds access tokens to a specific client. DPoP is completely opt-in and your existing authentication flows will continue to work without any modifications.

For detailed DPoP usage instructions, see the [README DPoP section](README.md#using-dpop-demonstrating-proof-of-possession).
Loading
Loading