feat: Add FlutterWebAuth2RedirectRoute for OAuth2 PKCE web sign-in flow #5133

Open
vfiruz97 wants to merge 2 commits into serverpod:main from vfiruz97:feat/configuration-for-oauth2-callback-route

vfiruz97 commented May 14, 2026

Regarding @vlidholt's comment in serverpod/serverpod_docs#494 (comment): this PR adds FlutterWebAuth2RedirectRoute for genericOAuth2 web sign-in flow.
Users have to call pod.configureOAuth2WebRedirectRoute(); before pod.start() instead of putting web/auth.html in place when setting up the IdP. This route serves the callback of some identity providers. By default it is served at the /auth/callback path, but the user can set their own path and host.

NOTE: This route should be on the same host as the frontend app.

This route is provider-agnostic — register it once and share it across all OAuth2 PKCE-based identity providers (Google, GitHub, Microsoft, etc.).

Pre-launch Checklist

  • I read the Contribute page and followed the process outlined there for submitting PRs.
  • This update contains only one single feature or bug fix and nothing else. (If you are submitting multiple fixes, please make multiple PRs.)
  • I read and followed the Dart Style Guide and formatted the code with dart format.
  • I listed at least one issue that this PR fixes in the description above.
  • I updated/added relevant documentation (doc comments with ///), and made sure that the documentation follows the same style as other Serverpod documentation. I checked spelling and grammar.
  • I added new tests to check the change I am making.
  • All existing and new tests are passing.
  • Any breaking changes are documented below.

If you need help, consider asking for advice on the discussion board.

Breaking changes

No breaking changes

Same-origin requirement

This route must be served from the same host and port as your Flutter web application. The redirect page uses window.postMessage and browsers enforce that postMessage is only delivered when the receiving window has the same origin (scheme + host + port).

Example

Server

pod.webServer.addRoute(
  FlutterRoute(Directory(Uri(path: 'web/app').toFilePath()), host: 'cloud.serverpod.dev'),
  '/',
);
pod.webServer.addRoute(
  FlutterRoute(Directory(Uri(path: 'web/app').toFilePath()), host: 'accounts.serverpod.dev'),
  '/',
);

pod.configureOAuth2WebRedirectRoute(host: 'cloud.serverpod.dev'); // this route should be on the same origin as the app

Frontend

client.auth.initializeGoogleSignIn(
  clientId: '.apps.googleusercontent.com',
  redirectUri: 'https://cloud.serverpod.dev/auth/callback',
);

client.auth.initializeGitHubSignIn(
  clientId: '0000cc000cc',
  redirectUri: 'https://cloud.serverpod.dev/auth/callback',
);

When NOT to use

If your Flutter web app is hosted separately.
In that case, place the auth.html file provided by the [flutter_web_auth_2 README](https://pub.dev/packages/flutter_web_auth_2#web) in your Flutter app's web/ directory and use its URL as the redirectUri.
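
The same-origin requirement above, as an added example that is not part of the PR or of Serverpod's code: a JavaScript model of the postMessage delivery rule, a redirectUri check against the app's origin, and a receiver-side origin and state check. It assumes the callback page posts with its own origin as targetOrigin; the `callbackUrl` message field and the sample code and state values are hypothetical.

```javascript
// Added example. Hosts come from the PR's sample config; the message field
// name `callbackUrl`, codes and state values are constructed for illustration.

// Origin = scheme + host + port, as normalized by the WHATWG URL parser.
function originOf(url) {
  return new URL(url).origin;
}

// Browser rule for postMessage(message, targetOrigin): the event is dispatched
// only when targetOrigin is "*" or equals the receiving window's origin.
function wouldDeliver(targetOrigin, receiverUrl) {
  return targetOrigin === '*' || originOf(targetOrigin) === originOf(receiverUrl);
}

// Deployment check: assuming the callback page posts to its own origin, the
// app only gets the result when redirectUri has the same scheme, host and port.
function checkRedirectUri(appUrl, redirectUri) {
  const app = new URL(appUrl);
  const cb = new URL(redirectUri);
  const problems = [];
  if (cb.protocol !== app.protocol) problems.push(`scheme ${cb.protocol} vs ${app.protocol}`);
  if (cb.hostname !== app.hostname) problems.push(`host ${cb.hostname} vs ${app.hostname}`);
  if (cb.port !== app.port) problems.push(`port "${cb.port}" vs "${app.port}"`);
  return { ok: wouldDeliver(cb.origin, appUrl), problems };
}

// Receiver-side check: accept a callback message only if it was sent from the
// app's own origin and carries the state value issued for this sign-in attempt.
function acceptCallback(event, appUrl, expectedState) {
  if (event.origin !== originOf(appUrl)) return null;
  const href = event.data && event.data.callbackUrl; // hypothetical field name
  if (typeof href !== 'string') return null;
  let url;
  try {
    url = new URL(href);
  } catch (_) {
    return null; // not a parseable URL
  }
  if (url.origin !== originOf(appUrl)) return null;
  if (url.searchParams.get('state') !== expectedState) return null;
  return url.searchParams.get('code');
}
```

With the PR's sample hosts, a redirectUri on cloud.serverpod.dev passes for the app served from cloud.serverpod.dev and fails for the copy served from accounts.serverpod.dev.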

@Zfinix Zfinix left a comment

LGTM 🚀
