The OpenID Connect RP-Initiated Logout specification defines the state parameter as OPTIONAL. However, the current Android implementation of flutter_appauth makes it effectively mandatory because of how the plugin's bridge logic interacts with the underlying AppAuth-Android (and AppAuth-iOS) SDKs.
The Problem:
When calling endSession with an IdP that does not support or return the state parameter, the logout flow fails with an exception:
PlatformException(end_session_failed, Failed to end session: [error: null, description: Response state param did not match request state] ...)
Technical Root Cause:
- In the AppAuth-Android SDK, the EndSessionRequest.Builder constructor automatically generates a random, secure state string by default.
- In the flutter_appauth Android plugin, the state from Dart is only passed to the native builder if it is NOT null.
- Consequently, passing state null from Dart fails to clear the pre-generated state in the native builder. The request is sent with a state, the server returns without one, and AppAuth-Android throws an exception.
Proposed Change:
Align the Android implementation with the OIDC specification by allowing the state to be explicitly set to null on the native code.
The flutter_appauth logic should be updated to ensure that if null (or something equivalent, such as an empty string '' or an additional boolean flag) is passed from Dart, the native builder.setState(null) is called to override the default generated state.
NOTE: The AppAuth-Android SDK explicitly added support for a nullable state (see Issue #615) to support IdP providers that do not echo the state back in the logout redirect. This change would expose that native capability to Flutter developers.
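To make the failure mode concrete, here is an added Python model of the state handling described above; it is not code from flutter_appauth or AppAuth-Android. The `forward_null` flag is a hypothetical stand-in for the proposed bridge change, and the endpoint and redirect URI are constructed placeholders.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

END_SESSION_ENDPOINT = "https://idp.example/logout"   # constructed placeholder
POST_LOGOUT_REDIRECT = "com.example.app:/logout"      # constructed placeholder


def build_end_session_request(dart_state=None, forward_null=False):
    """Model of the bridge building the native EndSessionRequest.

    The native builder starts with a random state (the SDK default).
    Current bridge: only overrides it when the Dart value is not null.
    Proposed bridge (forward_null=True): an explicit null is forwarded
    too, so the request goes out with no state at all.
    """
    state = secrets.token_urlsafe(16)                 # SDK-generated default
    if dart_state is not None or forward_null:
        state = dart_state                            # explicit override, may be None
    params = {"post_logout_redirect_uri": POST_LOGOUT_REDIRECT}
    if state is not None:
        params["state"] = state
    return state, f"{END_SESSION_ENDPOINT}?{urlencode(params)}"


def idp_redirect(request_url, echo_state):
    """Model IdP: some providers echo state on the logout redirect, others omit it."""
    query = parse_qs(urlparse(request_url).query)
    if echo_state and "state" in query:
        return f"{POST_LOGOUT_REDIRECT}?{urlencode({'state': query['state'][0]})}"
    return POST_LOGOUT_REDIRECT


def validate_redirect(request_state, redirect_url):
    """The check that raises the error quoted above: request and response state must be equal."""
    query = parse_qs(urlparse(redirect_url).query)
    response_state = query.get("state", [None])[0]
    if request_state != response_state:
        raise ValueError("Response state param did not match request state")
    return True


def logout(dart_state=None, forward_null=False, idp_echoes_state=True):
    """Run one end-session round trip; returns 'ok' or the error message."""
    request_state, url = build_end_session_request(dart_state, forward_null)
    try:
        validate_redirect(request_state, idp_redirect(url, idp_echoes_state))
        return "ok"
    except ValueError as exc:
        return str(exc)
```

With the current bridge, `logout(None, idp_echoes_state=False)` reproduces the mismatch; with `forward_null=True` the same IdP succeeds because no state was sent to begin with.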