feedback

Author: pavelgj

pkgs/oauth2/lib/src/authorization_code_grant.dart

@@ -149,7 +149,14 @@ class AuthorizationCodeGrant {
   /// as its body as a UTF-8-decoded string. It should return a map in the same
   /// format as the [standard JSON response][].
   ///
+  /// [customAuth] is an optional callback to add additional client
+  /// authentication headers or body parameters to a token request for advanced
+  /// scenarios, such as when using a JWT Bearer token for client authentication
+  /// per [RFC 7523]. When provided, it replaces the default `basicAuth`
+  /// credentials integration in token requests.
+  ///
   /// [standard JSON response]: https://tools.ietf.org/html/rfc6749#section-5.1
+  /// [RFC 7523]: https://tools.ietf.org/html/rfc7523#section-2.2
   AuthorizationCodeGrant(
       this.identifier, this.authorizationEndpoint, this.tokenEndpoint,
       {this.secret,

pkgs/oauth2/lib/src/client.dart

@@ -88,7 +88,15 @@ class Client extends http.BaseClient {
   /// [httpClient] is the underlying client that this forwards requests to after
   /// adding authorization credentials to them.
   ///
+  /// [customAuth] is an optional callback to add additional client
+  /// authentication headers or body parameters to a token request for advanced
+  /// scenarios, such as when using a JWT Bearer token for client authentication
+  /// per [RFC 7523]. When provided, it replaces the default `basicAuth`
+  /// credentials integration during refresh token requests.
+  ///
   /// Throws an [ArgumentError] if [secret] is passed without [identifier].
+  ///
+  /// [RFC 7523]: https://tools.ietf.org/html/rfc7523#section-2.2
   Client(this._credentials,
       {this.identifier,
       this.secret,

pkgs/oauth2/lib/src/client_credentials_grant.dart

@@ -39,7 +39,14 @@ import 'utils.dart';
 ///
 /// This function is passed the `Content-Type` header of the response as well as
 /// its body as a UTF-8-decoded string. It should return a map in the same
-/// format as the [standard JSON response](https://tools.ietf.org/html/rfc6749#section-5.1)
+/// format as the [standard JSON response](https://tools.ietf.org/html/rfc6749#section-5.1).
+///
+/// [customAuth] is an optional callback to add additional client
+/// authentication headers or body parameters to a token request for advanced
+/// scenarios, such as when using a JWT Bearer token for client authentication
+/// per [RFC 7523](https://tools.ietf.org/html/rfc7523#section-2.2). When
+/// provided, it replaces the default `basicAuth` credentials integration in
+/// token requests.
 Future<Client> clientCredentialsGrant(
     Uri authorizationEndpoint, String? identifier, String? secret,
     {Iterable<String>? scopes,

pkgs/oauth2/lib/src/credentials.dart

@@ -208,6 +208,13 @@ class Credentials {
   /// You may request different scopes than the default by passing in
   /// [newScopes]. These must be a subset of [scopes].
   ///
+  /// [customAuth] is an optional callback to add additional client
+  /// authentication headers or body parameters to a token request for advanced
+  /// scenarios, such as when using a JWT Bearer token for client authentication
+  /// per [RFC 7523](https://tools.ietf.org/html/rfc7523#section-2.2). When
+  /// provided, it replaces the default `basicAuth` credentials integration in
+  /// token requests.
+  ///
   /// This throws an [ArgumentError] if [secret] is passed without [identifier],
   /// a [StateError] if these credentials can't be refreshed, an
   /// [AuthorizationException] if refreshing the credentials fails, or a

pkgs/oauth2/lib/src/discovery.dart

@@ -6,8 +6,18 @@ import 'dart:convert';
 
 import 'package:http/http.dart' as http;
 
+/// An exception thrown when OAuth 2.0 discovery fails.
+class DiscoveryException implements Exception {
+  final String message;
+
+  DiscoveryException(this.message);
+
+  @override
+  String toString() => message;
+}
+
 /// OAuth 2.0 Authorization Server Metadata (RFC 8414).
-class OAuthServerMetadata {
+final class OAuthServerMetadata {
   /// The authorization server's issuer identifier.
   final String issuer;
 
@@ -17,7 +27,8 @@ class OAuthServerMetadata {
   /// URL of the authorization server's token endpoint.
   final String tokenEndpoint;
 
-  /// URL of the authorization server's OAuth 2.0 Dynamic Client Registration endpoint.
+  /// URL of the authorization server's OAuth 2.0 Dynamic Client Registration
+  /// endpoint.
   final String? registrationEndpoint;
 
   /// JSON array containing a list of the OAuth 2.0 scope values that this
@@ -40,8 +51,8 @@ class OAuthServerMetadata {
   /// by this authorization server.
   final List<String>? codeChallengeMethodsSupported;
 
-  /// Boolean value specifying whether the authorization server supports multiple
-  /// issuers.
+  /// Boolean value specifying whether the authorization server supports
+  /// multiple issuers.
   final bool? clientIdMetadataDocumentSupported;
 
   const OAuthServerMetadata({
@@ -80,11 +91,12 @@ class OAuthServerMetadata {
 }
 
 /// OAuth 2.0 Protected Resource Metadata (RFC 9728).
-class OAuthProtectedResourceMetadata {
+final class OAuthProtectedResourceMetadata {
   /// A URI that identifies the protected resource.
   final String resource;
 
-  /// JSON array of authorization server identifiers that the protected resource trusts.
+  /// JSON array of authorization server identifiers that the protected resource
+  /// trusts.
   final List<String>? authorizationServers;
 
   /// JSON array of the scope values that the protected resource supports.
@@ -134,7 +146,7 @@ Future<OAuthServerMetadata?> discoverAuthorizationServerMetadata(
           if (response.statusCode >= 400 && response.statusCode < 500) {
             continue;
           }
-          throw StateError(
+          throw DiscoveryException(
             'HTTP ${response.statusCode} loading authorization server '
             'metadata from $endpoint',
           );
@@ -146,14 +158,14 @@ Future<OAuthServerMetadata?> discoverAuthorizationServerMetadata(
         final expectedIssuer = authorizationServerUrl.toString();
         if (metadata.issuer.replaceAll(RegExp(r'/$'), '') !=
             expectedIssuer.replaceAll(RegExp(r'/$'), '')) {
-          throw StateError(
+          throw DiscoveryException(
             'Issuer spoofing detected: metadata issuer "${metadata.issuer}" '
             'does not match expected "$expectedIssuer".',
           );
         }
         return metadata;
       } catch (e) {
-        if (e is StateError) rethrow;
+        if (e is DiscoveryException) rethrow;
         continue;
       }
     }
@@ -166,7 +178,8 @@ Future<OAuthServerMetadata?> discoverAuthorizationServerMetadata(
 /// Discovers RFC 9728 OAuth 2.0 Protected Resource Metadata.
 ///
 /// The returned [Future] completes with the metadata. It completes with a
-/// [StateError] if the metadata endpoint is not found (HTTP 404).
+/// [DiscoveryException] if the metadata endpoint is not found (HTTP 404) or
+/// returns another invalid response.
 Future<OAuthProtectedResourceMetadata> discoverProtectedResourceMetadata(
   Uri serverUrl, {
   Uri? resourceMetadataUrl,
@@ -189,13 +202,13 @@ Future<OAuthProtectedResourceMetadata> discoverProtectedResourceMetadata(
 
     final response = await client.get(url);
     if (response.statusCode == 404) {
-      throw StateError(
+      throw DiscoveryException(
         'Resource server does not implement OAuth 2.0 Protected Resource '
         'Metadata.',
       );
     }
     if (response.statusCode < 200 || response.statusCode >= 300) {
-      throw StateError(
+      throw DiscoveryException(
         'HTTP ${response.statusCode} loading protected resource metadata.',
       );
     }
@@ -206,7 +219,7 @@ Future<OAuthProtectedResourceMetadata> discoverProtectedResourceMetadata(
     final expectedResource = serverUrl.toString();
     if (metadata.resource.replaceAll(RegExp(r'/$'), '') !=
         expectedResource.replaceAll(RegExp(r'/$'), '')) {
-      throw StateError(
+      throw DiscoveryException(
         'Resource spoofing detected: metadata resource "${metadata.resource}" '
         'does not match expected "$expectedResource".',
       );

pkgs/oauth2/lib/src/registration.dart

@@ -16,14 +16,16 @@ final class OAuthClientMetadata {
   /// Array of redirection URI strings for use in redirect-based flows.
   final List<String> redirectUris;
 
-  /// String indicator of the requested authentication method for the token endpoint.
+  /// String indicator of the requested authentication method for the token
+  /// endpoint.
   final String? tokenEndpointAuthMethod;
 
-  /// Array of OAuth 2.0 grant type strings that the client can use at the token endpoint.
+  /// Array of OAuth 2.0 grant type strings that the client can use at the
+  /// token endpoint.
   final List<String>? grantTypes;
 
-  /// Array of the OAuth 2.0 response type strings that the client can use at the
-  /// authorization endpoint.
+  /// Array of the OAuth 2.0 response type strings that the client can use at
+  /// the authorization endpoint.
   final List<String>? responseTypes;
 
   /// Human-readable string name of the client to be presented to the end-user.
@@ -40,7 +42,8 @@ final class OAuthClientMetadata {
   /// software publisher used by registration endpoints.
   final String? softwareId;
 
-  /// A version identifier string for the client software identified by [softwareId].
+  /// A version identifier string for the client software identified by
+  /// [softwareId].
   final String? softwareVersion;
 
   const OAuthClientMetadata({
@@ -74,8 +77,9 @@ final class OAuthClientMetadata {
 /// OAuth 2.0 Client Information ([RFC 7591]).
 ///
 /// [RFC 7591]: https://datatracker.ietf.org/doc/html/rfc7591#section-3.2.1
-class OAuthClientInformation {
-  /// Opaque value used by the client to identify itself to the authorization server.
+final class OAuthClientInformation {
+  /// Opaque value used by the client to identify itself to the authorization
+  /// server.
   final String clientId;
 
   /// String value specifying the client secret.
@@ -91,8 +95,8 @@ class OAuthClientInformation {
   /// Given as seconds since epoch.
   final int? clientSecretExpiresAt;
 
-  /// String indicator of the authentication method that the authorization server
-  /// will accept from the client when using the token endpoint.
+  /// String indicator of the authentication method that the authorization
+  /// server will accept from the client when using the token endpoint.
   final String? tokenEndpointAuthMethod;
 
   const OAuthClientInformation({
@@ -116,7 +120,9 @@ class OAuthClientInformation {
 
 /// Performs RFC 7591 Dynamic Client Registration.
 ///
-/// Throws [AuthorizationException] if registration fails.
+/// Dynamic Client Registration allows OAuth 2.0 clients to register with an
+/// authorization server dynamically and obtain client credentials (such as
+/// a client ID and client secret) required to interact with the server.
 ///
 /// The returned [Future] completes with the client information. It will
 /// complete with an [AuthorizationException] if the request is rejected by the
@@ -162,8 +168,11 @@ Future<OAuthClientInformation> registerClient(
         var uri = uriString == null ? null : Uri.parse(uriString);
         throw AuthorizationException(body['error'] as String, description, uri);
       }
-      throw StateError(
-          'HTTP ${response.statusCode} registering client at $registrationUrl');
+      throw AuthorizationException(
+        'server_error',
+        'HTTP ${response.statusCode} registering client at $registrationUrl',
+        null,
+      );
     }
     return OAuthClientInformation.fromJson(
       jsonDecode(response.body) as Map<String, dynamic>,

pkgs/oauth2/test/discovery_test.dart

@@ -77,7 +77,7 @@ void main() {
       expect(metadata, isNotNull);
     });
 
-    test('throws StateError on issuer mismatch', () async {
+    test('throws DiscoveryException on issuer mismatch', () async {
       var client = ExpectClient()
         ..expectRequest((request) {
           return Future.value(http.Response(
@@ -95,10 +95,10 @@ void main() {
           discoverAuthorizationServerMetadata(
               Uri.parse('https://server.example.com'),
               httpClient: client),
-          throwsStateError);
+          throwsA(isA<DiscoveryException>()));
     });
 
-    test('throws StateError on unexpected error', () async {
+    test('throws DiscoveryException on unexpected error', () async {
       var client = ExpectClient()
         ..expectRequest((request) {
           return Future.value(http.Response('', 500));
@@ -108,7 +108,7 @@ void main() {
           discoverAuthorizationServerMetadata(
               Uri.parse('https://server.example.com'),
               httpClient: client),
-          throwsStateError);
+          throwsA(isA<DiscoveryException>()));
     });
 
     test('throws ArgumentError on insecure URL', () async {
@@ -172,7 +172,7 @@ void main() {
       expect(metadata.resource, equals('https://resource.example.com/v1/api'));
     });
 
-    test('throws StateError on resource mismatch', () async {
+    test('throws DiscoveryException on resource mismatch', () async {
       var client = ExpectClient()
         ..expectRequest((request) {
           return Future.value(http.Response(
@@ -188,10 +188,10 @@ void main() {
           discoverProtectedResourceMetadata(
               Uri.parse('https://resource.example.com'),
               httpClient: client),
-          throwsStateError);
+          throwsA(isA<DiscoveryException>()));
     });
 
-    test('throws StateError for 404', () async {
+    test('throws DiscoveryException for 404', () async {
       var client = ExpectClient()
         ..expectRequest((request) {
           return Future.value(http.Response('', 404));
@@ -201,7 +201,7 @@ void main() {
           discoverProtectedResourceMetadata(
               Uri.parse('https://resource.example.com'),
               httpClient: client),
-          throwsStateError);
+          throwsA(isA<DiscoveryException>()));
     });
 
     test('throws ArgumentError on insecure URL', () async {

pkgs/oauth2/test/registration_test.dart

@@ -101,7 +101,8 @@ void main() {
               (e) => e.error, 'error', equals('invalid_redirect_uri'))));
     });
 
-    test('throws StateError on unexpected status code without JSON', () async {
+    test('throws AuthorizationException on unexpected status code without JSON',
+        () async {
       var client = ExpectClient()
         ..expectRequest((request) {
           return Future.value(http.Response('Internal Server Error', 500));
@@ -113,7 +114,7 @@ void main() {
       expect(
           registerClient(Uri.parse('https://server.example.com'), metadata,
               httpClient: client),
-          throwsStateError);
+          throwsA(isA<AuthorizationException>()));
     });
 
     test('throws ArgumentError on insecure authorizationServerUrl', () async {