Flutter windows desktop support

[NandanPrabhu]

Changes

This PR consists of changes with respect to adding flutter windows desktop support.

Feature implemented PKCE flow end to end
Right now the flutter channels supported are webauthlogin and webauthlogout
CredentialsManager would be supported in another PR
Dependency management for windows is done via CMakeLists.txt file. Under the hood flutter provides C++ application as wrapper over windows

[Copilot]

Pull request overview

Copilot reviewed 55 out of 62 changed files in this pull request and generated 24 comments.

Files not reviewed (4)

• .idea/.gitignore: Language not supported
• .idea/auth0-flutter.iml: Language not supported
• .idea/modules.xml: Language not supported
• .idea/vcs.xml: Language not supported

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Platform.isWindows is used to gate credential storage/clearing, but dart:io isn't available on web. While this file is under src/mobile, it can still be analyzed as part of the package on web builds. Consider using kIsWeb guard or conditional imports so this remains analyzer-safe for web consumers.

[Copilot]

In login(), actualCallbackUrl is merged into parameters unconditionally. That means iOS/Android/macOS will also send actualCallbackUrl=auth0flutter://callback to Auth0 as a custom authorize query parameter, which is not part of the public API and could break Rules/Actions or be rejected by some tenants. Please only inject this parameter on Windows (or keep it internal to the Windows implementation rather than passing it via parameters).

Suggested change

	// Merge custom callback parameters into the parameters map for Windows
	final mergedParameters = <String, String>{
	...parameters,
	'actualCallbackUrl': 'auth0flutter://callback',
	};
	// Merge custom callback parameters into the parameters map only on Windows
	final Map<String, String> mergedParameters = Platform.isWindows
	? <String, String>{
	...parameters,
	'actualCallbackUrl': 'auth0flutter://callback',
	}
	: parameters;

[pmathew92]

This can be avoided if we use different class to handle Desktop callback while ensuring this doesn't cause issue with the existing code for mobile and web

[NandanPrabhu]

have created a new windows_web_authentication class for the same

[Copilot]

parameters is treated as required (Missing 'parameters' key), but on the Dart side parameters defaults to {} and in general this option is typically optional. To keep API behavior consistent and avoid breaking callers using the platform interface directly, treat missing parameters as an empty map instead of returning an error.

[pmathew92]

Agree. Parameters are optional and shouldn't return error if not provided

[NandanPrabhu]

Sure. will address the same.

[Copilot]

In the minimal token response (no id_token), Credentials.idToken remains the default empty string. This assertion currently expects it to be non-empty, so the test will fail. Please change it to EXPECT_TRUE(creds.idToken.empty()) (or update DecodeTokenResponse to set a non-empty sentinel, though that would be unusual).

[Copilot]

This test uses std::set but doesn't include <set>. It may fail to compile depending on indirect includes. Please add #include <set>.

[Copilot]

jwt_util.cpp throws std::runtime_error but doesn't include <stdexcept>. This may fail to compile depending on transitive includes. Please add #include <stdexcept>.

[Copilot]

auth0_client.cpp throws std::runtime_error but doesn't include <stdexcept>. This may fail to compile depending on transitive includes. Please add the missing header.

[nandan-bhat]

We should not log / print sensitive information.
Can you fix the following logs.

  DebugPrint("codeVerifier = " + codeVerifier);
  DebugPrint("codeChallenge = " + codeChallenge);
  DebugPrint("state = " + state);

[NandanPrabhu]

yes @nandan-bhat Debug print will removed at this point. Once beta is out. We could have better logging

[sanchitmehtagit]

we should remove it before check in

[nandan-bhat]

Are we using http://localhost:8080/callback as fallback redirect URI. Is this something we followed in other mobile SDKs ?

[pmathew92]

No, this is not something we follow in other mobile SDKs. The redirect URI are constructed using the scheme and domain for mobile.
In this case we have the default auth0flutter://callback and the intermediary redirect url if provided. So the http://localhost:8080/callback might not be required
@nandan-bhat @frederikprijck

[NandanPrabhu]

in case of flutter default redirect uri wont be present. We will throw an error if redirect uri is not provided by the user on flutter side

[pmathew92]

Why do you want to throw an error here ? redirect_uri is optional. If not provided by the user, we pass the auth0flutter://callback to the authorize URL. If they want to have an intermediate page, they can pass the redirect_uri with that URI

[nandan-bhat]

Should we allow http:// ?

[frederikprijck]

Should we reverse the check, and detect standard claims from a fixed list?

[nandan-bhat]

Can you confirm if you are including actualCallbackUrl as-well here. If yes, it will show up in the payload (query params) of /authorize call.

[NandanPrabhu]

no @nandan-bhat we are not doing that. Actual callback url is the flutter app activation callback. So we are not passing it as part of authorize url

[pmathew92]

actualCallbackUrl is not required. We have a single redirect_uri which should be passed by the customer if they wish to have the intermediary workaround. Else the default redirect uri auth0flutter://callback would be used

[pmathew92]

Are we handling the scenario if someone closes the authorization browser window between the flow ? Would that return a error like Browser closed to the application from the SDK ?

[NandanPrabhu]

yes they will recieve timeout error

[pmathew92]

Should we mention the callback url here as this is a workaround we suggest for users. This should be mentioned in the example code . For windows by default we have the flutterapp://calback uri defined

[pmathew92]

Do we need the appCallbackUrl parameter at all. User can pass their intermediary url as part of the redirect_uri if required

[nandan-bhat]

I have a strong opinion about adding too many options to a public SDK. Once we add something like appCallbackUrl, customers will start using it. After that, we can’t remove it without a breaking change. And that also means we’re committing to maintaining it long-term.

I’m more aligned with what @pmathew92 suggested (using only redirect_uri). From my understanding, the developer can configure it like this:

redirect_uri: 'https://customers-domain.com/handle-redirect?target=flutterapp://callback'

Auth0 will then append ?code=34r43r.... and redirect the user to:

https://customers-domain.com/handle-redirect?target=flutterapp://callback?code=34r43r....

The intermediate page can extract both target and code, show a meaningful message to the user, and then redirect to:

flutterapp://callback?code=34r43r....

We can document a simple reference implementation of this intermediate page so it’s easy for customers to set up.

In this example we use target as the parameter name, but customers can choose any name they prefer. Because of this, I don’t see a strong need to introduce another public option like appCallbackUrl.

@frederikprijck, do you have any strong thoughts on this ?

[pmathew92]

redirectUrl can have the default value auth0flutter://callback

[nandan-bhat]

This is just decoding the payload. It's still not verifying the JWS signature.

[sanchitmehtagit]

This class is only validating the claims . We are not validating signature which could also be tempered. Please check with security guidelines or else we should get the public key from JWKS and validate the signature too

[sanchitmehtagit]

The entire login flow runs on a std::thread that is immediately .detach()ed. If the Flutter engine shuts down while the thread is running (e.g., app closes during authentication), accessing result is undefined behavior and will crash. There is also no way to cancel the authentication from the Dart side.

Current Code:
std::thread(result = std::move(result), ... mutable {
// ...
}).detach();

I would recommend to design a safe, non fire and forget solution using cpprestsdk’s pplx::task instead of detaching a thread. Check this : https://microsoft.github.io/cpprestsdk/classpplx_1_1cancellation__token__registration.html
This will:

1. Avoid undefined behavior if the Flutter engine shuts down. (no crashes)
2. Give structured async task management (no fire-and-forget)

[sanchitmehtagit]

WindowsWebAuthentication is a parallel class rather than a platform extension. WindowsWebAuthentication class exposed via auth0.windowsWebAuthentication(). This is existing platofrm where auth0.webAuthentication() works cross-platform.

from dx point of view custoemrs will now need platform conditional code like below from now on

  if (Platform.isWindows) {
    await auth0.windowsWebAuthentication().login(redirectUrl: '...');
  } else {
    await auth0.webAuthentication().login();
  }

The separate class is fine as an internal implementation detail, but it should not be the public API That must be consistent

[sanchitmehtagit]

This code is duplicate at two places . would recommend to unify it. check here : https://github.com/auth0/auth0-flutter/pull/656/changes#diff-361778dbfaf243c1651b49403a356c63e7c2f41c62770b44b7a93511db1124ecR15

[sanchitmehtagit]

logout has same code

[sanchitmehtagit]

5xx eg 503 these are server errors canot be treated as network error. we can refer android / ios SDK for this

[sanchitmehtagit]

we should remove it before check in

[sanchitmehtagit]

IdTokenValidationConfig has a nonce but we are not adding capability to add nonce here to authUrl. it is important to mitigate replay attacks . please add taht along witjh organisationid and other params

[sanchitmehtagit]

https://github.com/auth0/auth0-flutter/pull/656/changes#diff-b81bf8156bb640d7c5c9ce8bca261802f01cb6141aea422de2ddf21c99fba804R46

We are saying here it is not intended for you to instantiate this class yourself. but this is not enforce we still have a public constructor