Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Flutter plugin

Secure resource access

search

Please Note:

Secure resource access

There are three types of authentication tokens your app can use to securely access resources like account information, transactions, and so on from a back-end or resource server. A user or device needs to be authenticated before a resource can be fetched with the corresponding authentication token. Different resources might require using different methods for authentication. The following authentication token types can be used:

  • User authentication (default): Requires the user to be authenticated, meaning to be authenticated with an authenticator (PIN or fingerprint for example).
  • Implicit authentication: Requires the user to be implicitly authenticated, meaning the user has registered with the device before. This does not require interaction with an authenticator like PIN or fingerprint.
  • Anonymous authentication: Requires the device to be registered and authenticated with the IDAAS-core, but no user has to be authenticated in any way.

Additionally, we support unauthenticated resource requests, which do not require an access token but instead only apply certificate pinning.

The Flutter Plugin exposes the resourceRequest method to perform these different types of resource requests. The plugin ensures the confidentiality and authenticity of the payload. The application itself is responsible for the structure or processing of the payload.

Enabling additional resource base URLs for requests

When configuring the IDAAS-core, you can set a resource base URL that will be used as an allow-list for making resource requests. However, it is possible to allow additional resource URLs as long as the certificates for these URLs are added within the IDAAS-core configuration.

To enable this functionality, an additional step is required where the base of the resource URLs are added during the app initialization when calling the startApplication function.

Configure resource request

The request can be configured by passing a RequestDetails object to the function. This will allow you to set the:

  • Url Path: The Path can be relative to the resource base URL defined in the IDAAS-core configuration or be an absolute URL.
  • Type of http request (GET, POST, DELETE, PUT)
  • Optional headers
  • Optional body
  • Optional multipartData: a list of MultipartData parts used to send a multipart/form-data payload (see Using multipart/form-data requests).

Resource request response

The request will then respond with a RequestResponse object.

Using fetch with user authentication

To successfully request a resource for a specific user, the client credentials must be valid and the user must have a valid access token. In other words, the user must be logged in before a resource call can be made on their behalf. This type of resource request should be used to fetch sensitive data that requires user authentication, like account details and transaction history. After user authentication a resource can be fetched as follows:

var requestDetails = RequestDetails(path: "resource_path", method: HttpRequestMethod.get)

var response = await Onegini.instance.resourcesMethods.resourceRequest(ResourceRequestType.authenticated, requestDetails);

// or you can call it directly
var response = await Onegini.instance.resourcesMethods.resourceRequestAuthenticated(requestDetails);

Using fetch with implicit authentication

Before fetching an implicit resource, the user must first be authenticated implicitly.

var requestDetails = RequestDetails(path: "resource_path", method: HttpRequestMethod.get)

var response = await Onegini.instance.resourcesMethods.resourceRequest(ResourceRequestType.implicit, requestDetails);

// or you can call it directly
var response = await Onegini.instance.resourcesMethods.resourceRequestImplicit(requestDetails);

Using fetch with anonymous authentication

A device can use its OAuth credentials to authenticate itself with the IDAAS-core and obtain an access token. An anonymous resource call can be used in cases where a user does not need to be logged in or even registered in order to use certain functionality, or access some resource.

var requestDetails = RequestDetails(path: "resource_path", method: HttpRequestMethod.get)

var response = await Onegini.instance.resourcesMethods.resourceRequest(ResourceRequestType.anonymous, requestDetails);

// or you can call it directly
var response = await Onegini.instance.resourcesMethods.resourceRequestAnonymous(requestDetails);

Using fetch unauthenticated

Unauthenticated resource requests that will only use certificate pinning can be performed through:

var requestDetails = RequestDetails(path: "resource_path", method: HttpRequestMethod.get)

var response = await Onegini.instance.resourcesMethods.resourceRequest(ResourceRequestType.unauthenticated, requestDetails);

// or you can call it directly
var response = await Onegini.instance.resourcesMethods.resourceRequestUnauthenticated(requestDetails);

Using multipart/form-data requests

Since version 4.0.0, the Flutter Plugin supports multipart/form-data resource requests. This allows you to upload text fields together with binary payloads (such as files or images) through any of the supported authentication types.

A multipart request is configured by populating the multipartData field on RequestDetails with a list of MultipartData parts. When multipartData is provided, the SDK automatically sets the Content-Type of the request to multipart/form-data with the appropriate boundary; any Content-Type value supplied through headers or body will be ignored for the request envelope.

The MultipartData class

Each MultipartData entry represents a single part of the multipart payload. Provide either value (for text fields) or data (for binary/file parts).

Field Type Description
name String? The name of the form field this part belongs to.
value String? The text value for the field. Use this for plain text form parts.
data Uint8List? The raw binary content for the part. Use this for file or binary uploads.
fileName String? The file name associated with a binary part. Recommended when uploading a file.
contentType String? The MIME type of the part (e.g., image/png, application/pdf). Required when data is provided.

Example: authenticated multipart upload

The following example uploads two text fields and a binary file as an authenticated resource request:

ByteData byteData = await rootBundle.load('assets/logo_onegini.png');
Uint8List fileBytes = byteData.buffer.asUint8List();

var requestDetails = RequestDetails(
  path: "file-upload",
  method: HttpRequestMethod.post,
  multipartData: [
    MultipartData(name: "name", value: "testfile"),
    MultipartData(name: "email", value: "test@example.com"),
    MultipartData(
      name: "attachments",
      data: fileBytes,
      fileName: "logo_onegini.png",
      contentType: "image/png",
    ),
  ],
);

var response = await Onegini.instance.resourcesMethods.resourceRequestAuthenticated(requestDetails);

On this page