Easy way to query oidc protected rest api using access token?

[friesoft]

Hi,

I'm using this library to authenticate my flutter app against my keycloak instance (https://sso.domain.com) and want to call various rest apis afterwards which are all protected by the same keycloak instance.
I've succeeded in authenticating against sso.domain.com and have the user claim and access token available.
As a base I used the provided example app which worked with minimal adaptations.

My guess would have been that there would be an easy way of using this library for: "make a get request using the currently authenticated user" but I can't seem to find any.

I then tried to make a http get request using the obtained access token like this but this only redirects me to the keycloak login page:

    final user = app_state.cachedAuthedUser.of(context);
    var token = user?.token.accessToken ?? ""; // I verified this access token is set
    final response = await http.get(Uri.parse('https://restbackend.domain.com/applications/v1'),
      headers: {
        HttpHeaders.authorizationHeader: "Bearer " + token,
      });

Any pointers would be appreciated. Thanks!

[ahmednfwela]

as you guessed, user.token.accessToken gives you the raw access token, but it's up to you how you use it.

I have no idea how restbackend.domain.com is configured, and how it accepts auth parameters, but it should be as easy as setting
'Authorization': 'Bearer ' + token as you did.

the reason we don't provide an easy way for "make a get request using the currently authenticated user"
is because the user might want to use another networking library (e.g. dio).

Internally we even use the access token in the /userinfo request to validate that it actually works
see:

oidc/packages/oidc/lib/src/managers/user_manager.dart

Line 738 in 0d5782d

accessToken: actualUser.token.accessToken!,

using package:http to send the request: https://github.com/Bdaya-Dev/oidc/blob/main/packages/oidc_core/lib/src/endpoints/facade.dart#L416-L431

[friesoft]

Thank you for the fast answer!
Maybe adding a small example/docs on best practices using e.g. the package:http library would be a good idea for newbies like me.

At least I know now that I'm on the right track.. thanks!

[ahmednfwela]

I agree that adding an entry for it on the main package page sounds like a good idea, thanks for the suggestion!

[ahmednfwela]

done in #27