feat(dart): add get access token by refresh token method (#20)

Author: simeng-li

lib/logto_client.dart

@@ -23,11 +23,19 @@ class LogtoClient {
 
   static late TokenStorage _tokenStorage;
 
+  /// Logto automatically enables refresh token's rotation
+  ///
+  /// Simultaneous access token request may be problematic
+  /// Use a request cache map to avoid the race condition
+  static final Map<String, Future<AccessToken?>> _accessTokenRequestCache = {};
+
   /// Custom [http.Client].
   ///
   /// Note that you will have to call `close()` yourself when passing a [http.Client] instance.
   late final http.Client? _httpClient;
 
+  bool _loading = false;
+
   bool get loading => _loading;
 
   OidcProviderConfig? _oidcConfig;
@@ -66,15 +74,101 @@ class LogtoClient {
     return _oidcConfig!;
   }
 
-  Future<AccessToken?> getAccessToken(
-      {List<String>? scopes, String? resource}) async {
-    return await _tokenStorage.getAccessToken(resource, scopes);
+  Future<AccessToken?> getAccessToken({String? resource}) async {
+    final accessToken = await _tokenStorage.getAccessToken(resource);
+
+    if (accessToken != null) {
+      return accessToken;
+    }
+
+    // If no valid access token is found in storage, use refresh token to claim a new one
+    final cacheKey = TokenStorage.buildAccessTokenKey(resource);
+
+    // Reuse the cached request if is exist
+    if (_accessTokenRequestCache[cacheKey] != null) {
+      return _accessTokenRequestCache[cacheKey];
+    }
+
+    // Create new token request and add it to cache
+    final newTokenRequest = _getAccessTokenByRefreshToken(resource);
+    _accessTokenRequestCache[cacheKey] = newTokenRequest;
+
+    final token = await newTokenRequest;
+    // Clear the cache after response
+    _accessTokenRequestCache.remove(cacheKey);
+
+    return token;
   }
 
-  bool _loading = false;
+  // RBAC are not supported currently, no resource specific scopes are needed
+  Future<AccessToken?> _getAccessTokenByRefreshToken(String? resource) async {
+    final refreshToken = await _tokenStorage.refreshToken;
+
+    if (refreshToken == null) {
+      throw LogtoAuthException(
+          LogtoAuthExceptions.authenticationError, 'not_authenticated');
+    }
+
+    final httpClient = _httpClient ?? http.Client();
+
+    try {
+      final oidcConfig = await _getOidcConfig(httpClient);
+
+      final response = await logto_core.fetchTokenByRefreshToken(
+          httpClient: httpClient,
+          tokenEndPoint: oidcConfig.tokenEndpoint,
+          clientId: config.appId,
+          refreshToken: refreshToken,
+          resource: resource,
+          // RBAC are not supported currently, no resource specific scopes are needed
+          scopes: resource != null ? ['offline_access'] : null);
+
+      final scopes = response.scope.split(' ');
+
+      await _tokenStorage.setAccessToken(response.accessToken,
+          expiresIn: response.expiresIn, resource: resource, scopes: scopes);
+
+      // renew refresh token
+      await _tokenStorage.setRefreshToken(response.refreshToken);
+
+      // verify and store id_token if not null
+      if (response.idToken != null) {
+        final idToken = IdToken.unverified(response.idToken!);
+        await _verifyIdToken(idToken, oidcConfig);
+        await _tokenStorage.setIdToken(idToken);
+      }
+
+      return await _tokenStorage.getAccessToken(resource, scopes);
+    } finally {
+      if (_httpClient == null) httpClient.close();
+    }
+  }
+
+  Future<void> _verifyIdToken(
+      IdToken idToken, OidcProviderConfig oidcConfig) async {
+    final keyStore = JsonWebKeyStore()
+      ..addKeySetUrl(Uri.parse(oidcConfig.jwksUri));
+
+    if (!await idToken.verify(keyStore)) {
+      throw LogtoAuthException(
+          LogtoAuthExceptions.idTokenValidationError, 'invalid jws signature');
+    }
+
+    final violations = idToken.claims
+        .validate(issuer: Uri.parse(oidcConfig.issuer), clientId: config.appId);
+
+    if (violations.isNotEmpty) {
+      throw LogtoAuthException(
+          LogtoAuthExceptions.idTokenValidationError, '$violations');
+    }
+  }
 
   Future<void> signIn(String redirectUri) async {
-    if (_loading) throw Exception('Already signing in...');
+    if (_loading) {
+      throw LogtoAuthException(
+          LogtoAuthExceptions.isLoadingError, 'Already signing in...');
+    }
+
     final httpClient = _httpClient ?? http.Client();
 
     try {
@@ -130,21 +224,7 @@ class LogtoClient {
 
     final idToken = IdToken.unverified(tokenResponse.idToken);
 
-    final keyStore = JsonWebKeyStore()
-      ..addKeySetUrl(Uri.parse(oidcConfig.jwksUri));
-
-    if (!await idToken.verify(keyStore)) {
-      throw LogtoAuthException(
-          LogtoAuthExceptions.idTokenValidationError, 'invalid jws signature');
-    }
-
-    final violations = idToken.claims
-        .validate(issuer: Uri.parse(oidcConfig.issuer), clientId: config.appId);
-
-    if (violations.isNotEmpty) {
-      throw LogtoAuthException(
-          LogtoAuthExceptions.idTokenValidationError, '$violations');
-    }
+    await _verifyIdToken(idToken, oidcConfig);
 
     await _tokenStorage.save(
         idToken: idToken,

lib/logto_core.dart

@@ -124,7 +124,7 @@ Uri generateSignInUri(
   };
 
   if (resources != null && resources.isNotEmpty) {
-    queryParameters.addAll({'resources': resources});
+    queryParameters.addAll({'resource': resources});
   }
 
   return addQueryParameters(signInUri, queryParameters);

lib/src/exceptions/logto_auth_exceptions.dart

@@ -1,7 +1,8 @@
 enum LogtoAuthExceptions {
   callbackUriValidationError,
   idTokenValidationError,
-  authenticationError
+  authenticationError,
+  isLoadingError
 }
 
 class LogtoAuthException implements Exception {

lib/src/modules/token_storage.dart

@@ -53,16 +53,15 @@ class TokenStorage {
   }
 
   Future<void> setIdToken(IdToken? idToken) async {
-    _idToken = idToken;
-
     await _storage.write(
       key: _TokenStorageKeys.idTokenKey,
       value: _encodeIdToken(idToken),
     );
+
+    _idToken = idToken;
   }
 
-  static String _buildAccessTokenKey(String? resource,
-          [List<String>? scopes]) =>
+  static String buildAccessTokenKey(String? resource, [List<String>? scopes]) =>
       "${_encodeScopes(scopes)}@${resource ?? ''}";
 
   Future<Map<String, AccessToken>?> _getAccessTokenMapFromStorage() async {
@@ -85,7 +84,7 @@ class TokenStorage {
 
   Future<AccessToken?> getAccessToken(
       [String? resource, List<String>? scopes]) async {
-    final key = _buildAccessTokenKey(resource, scopes);
+    final key = buildAccessTokenKey(resource, scopes);
 
     _accessTokenMap ??= await _getAccessTokenMapFromStorage();
 
@@ -130,17 +129,20 @@ class TokenStorage {
 
   Future<void> setAccessToken(String accessToken,
       {String? resource, List<String>? scopes, required int expiresIn}) async {
-    final key = _buildAccessTokenKey(resource, scopes);
+    final key = buildAccessTokenKey(resource, scopes);
+
+    // load current accessTokenMap
+    final currentAccessTokenMap =
+        _accessTokenMap ?? await _getAccessTokenMapFromStorage() ?? {};
 
     final Map<String, AccessToken> newAccessTokenMap =
-        Map.from(_accessTokenMap ?? {});
+        Map.from(currentAccessTokenMap);
 
     newAccessTokenMap.addAll({
       key: AccessToken(
           token: accessToken,
           scope: _encodeScopes(scopes),
-
-          /// convert the expireAt to standard utc time
+          // convert the expireAt to standard utc time
           expiresAt: DateTime.now().add(Duration(seconds: expiresIn)).toUtc())
     });
 
@@ -160,12 +162,12 @@ class TokenStorage {
   }
 
   Future<void> setRefreshToken(String? refreshToken) async {
-    _refreshToken = refreshToken;
-
     await _storage.write(
       key: _TokenStorageKeys.refreshTokenKey,
       value: refreshToken,
     );
+
+    _refreshToken = refreshToken;
   }
 
   /// Initial token response saving

test/logto_core_test.dart

@@ -30,13 +30,16 @@ void main() {
         clientId: clientId,
         redirectUri: redirectUri,
         codeChallenge: codeChallenge,
+        resources: ['http://foo.api'],
         state: state);
 
     expect(signInUri.scheme, 'http');
     expect(signInUri.host, 'foo.com');
     expect(signInUri.queryParameters, containsPair('client_id', clientId));
     expect(signInUri.queryParameters,
         containsPair('redirect_uri', 'http://foo.app.io'));
+    expect(
+        signInUri.queryParameters, containsPair('resource', 'http://foo.api'));
     expect(signInUri.queryParameters,
         containsPair('code_challenge', codeChallenge));
     expect(signInUri.queryParameters,