DEV Community: sabbir alam The latest articles on DEV Community by sabbir alam (@sabbir_alam_aa9e289fbd684). https://dev.to/sabbir_alam_aa9e289fbd684 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2173354%2F21f0c15a-ab34-45e7-bc59-d232733d95b6.jpg DEV Community: sabbir alam https://dev.to/sabbir_alam_aa9e289fbd684 en Agentic Ai - Multi Agent development using Google ADK sabbir alam Tue, 04 Nov 2025 07:30:38 +0000 https://dev.to/sabbir_alam_aa9e289fbd684/agentic-ai-multi-agent-development-using-google-adk-4m9j https://dev.to/sabbir_alam_aa9e289fbd684/agentic-ai-multi-agent-development-using-google-adk-4m9j <h2> Building a Multi-Agent System Using Google’s Agent Development Kit </h2> <p>In modern AI system design, we’re moving away from monolithic, single-purpose models and toward <strong>modular, multi-agent architectures</strong> — systems composed of specialized components that can reason, collaborate, and delegate.</p> <p>Recently, I explored this concept hands-on using <strong>Google’s latest Agent Development Kit</strong>, and built a multi-agent architecture consisting of four agents — one <strong>Parent Agent</strong> and three <strong>specialized sub-agents</strong>:</p> <ul> <li><strong>Recommendation Agent</strong></li> <li><strong>Search Agent</strong></li> <li><strong>Completion Agent</strong></li> </ul> <p>Each agent is equipped with its own tools for <strong>retrieving and updating data</strong> in a connected database.</p> <p>In this post, I’ll walk through the concept, architecture, and data flow — using the analogy of an <em>intelligent control tower system</em> to explain how this architecture functions in real-world scenarios.</p> <h2> The Analogy: An Intelligent Control Tower </h2> <p>Think of the <strong>Parent Agent</strong> as the <strong>control tower</strong> of an airport.<br><br> Every incoming request is like an aircraft asking for landing instructions.</p> <p>The tower (Parent Agent) doesn’t fly the planes itself — it <strong>analyzes the situation</strong>, determines the <strong>type of aircraft</strong>, and assigns it to the appropriate <strong>runway or terminal</strong> (sub-agent).</p> <p>If an unexpected event occurs — say, the assigned runway can’t handle that aircraft — the control tower steps back in, reassesses, and redirects it appropriately.</p> <p>This analogy reflects how modular agent orchestration enables adaptive and context-aware decision-making.</p> <h2> Architecture Overview </h2> <p>The system is composed of four main agents:</p> <h3> Parent Agent — The Orchestrator </h3> <ul> <li>Acts as the <strong>entry point</strong> for all incoming user requests.</li> <li>Performs <strong>intent classification</strong> and <strong>task routing</strong>.</li> <li>Delegates work to specialized sub-agents.</li> <li>Handles <strong>re-delegation</strong> or <strong>fallback</strong> responses when needed.</li> </ul> <p>The Parent Agent’s logic acts like a <strong>router combined with a context analyzer</strong>, determining which sub-agent should take ownership of the request.</p> <h3> Recommendation Agent — Contextual Insights </h3> <p>This agent specializes in generating <strong>context-based recommendations</strong> — such as suggesting items, actions, or next steps.</p> <p>It uses internal reasoning plus a custom-built tool that retrieves relevant data from the database to make informed suggestions.</p> <p><strong>Example use cases:</strong></p> <ul> <li>“Show me trending items.”</li> <li>“What are the top-rated restaurants nearby?”</li> </ul> <h3> Search Agent — Information Retrieval </h3> <p>This agent functions as a <strong>retrieval pipeline</strong>, focusing purely on <strong>fetching structured data</strong> with high precision, using database-integrated search tools.</p> <p><strong>Example queries:</strong></p> <ul> <li>“Find restaurant details by city.”</li> <li>“Get all entries with a 5-star rating.”</li> </ul> <h3> Completion Agent — Task Executor </h3> <p>The <strong>Completion Agent</strong> is responsible for executing <strong>create</strong>, <strong>update</strong>, and <strong>completion-based tasks</strong>.</p> <p>Whenever a query involves action rather than retrieval (like inserting or updating data), the Parent Agent delegates it here.</p> <p><strong>Example tasks:</strong></p> <ul> <li>“Add this restaurant to the database.”</li> <li>“Update the dish price.”</li> </ul> <h2> Workflow: Intelligent Delegation </h2> <p>Here’s how a request moves through the system:</p> <ol> <li><p><strong>Request Entry:</strong><br><br> Every request enters via the <strong>Parent Agent</strong>.</p></li> <li><p><strong>Intent Classification:</strong><br><br> The Parent Agent analyzes the intent using reasoning or classification logic.</p></li> <li><p><strong>Delegation:</strong><br><br> It assigns the task to the appropriate sub-agent — Recommendation, Search, or Completion.</p></li> <li><p><strong>Execution:</strong><br><br> The selected sub-agent performs the task using its specific toolset.</p></li> <li><p><strong>Re-routing:</strong><br><br> If a sub-agent encounters a query outside its scope, it escalates the request back to the Parent Agent.</p></li> <li><p><strong>Fallback:</strong><br><br> If no suitable agent exists, the Parent Agent provides a default response.</p></li> </ol> <p>This process ensures <strong>autonomy, modularity, and fault tolerance</strong>, enabling the system to adapt dynamically based on the context of the request.</p> <h2> Tooling Layer: Data Access and Actions </h2> <p>Each sub-agent has access to <strong>custom tools</strong> that interact with the backend database.</p> <p>Common operations include:</p> <ul> <li>Data retrieval (<code>get</code>, <code>findByField</code>, etc.)</li> <li>Data modification (<code>insert</code>, <code>update</code>, <code>delete</code>)</li> <li>Validation and error handling</li> </ul> <p>These tools enable agents to perform <strong>real operations</strong>, not just generate text.</p> <p>For example:</p> <blockquote> <p>“Add a new restaurant to the list.”</p> </blockquote> <p>The Parent Agent identifies it as a task completion request → delegates to the <strong>Completion Agent</strong> → which triggers the <strong>database insertion tool</strong> → and returns a confirmation message.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpoi6z1j1gulmvxg0qesk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpoi6z1j1gulmvxg0qesk.png" alt="Flow Chart" width="800" height="658"></a></p> <h2> Why Multi-Agent Design? </h2> <p>The multi-agent approach offers several engineering benefits:</p> <p>✅ <strong>Modularity</strong> — Each agent focuses on a specific domain, simplifying debugging and scaling.<br><br> ✅ <strong>Reusability</strong> — Agents can be reused or extended for different applications.<br><br> ✅ <strong>Scalability</strong> — New agents can be integrated without disturbing existing logic.<br><br> ✅ <strong>Context Isolation</strong> — Each agent handles its domain-specific tasks, improving accuracy and reducing confusion.</p> <p>Compared to a single monolithic agent, this design allows for <strong>better adaptability, maintainability, and distributed reasoning</strong>.</p> <h2> Takeaways </h2> <p>Implementing this architecture with <strong>Google’s Agent Development Kit</strong> highlighted how <strong>structured delegation</strong> transforms conversational AI into a <strong>cooperative, context-aware framework</strong>.</p> <p>Instead of one model doing everything, we now design <strong>ecosystems of intelligent agents</strong> that collaborate effectively — much like distributed microservices in a backend architecture.</p> <p>The result is a system that’s:</p> <ul> <li>Autonomous </li> <li>Modular </li> <li>Scalable </li> <li>Context-aware </li> </ul> <h2> Final Thoughts </h2> <p>As AI continues to evolve, the distinction between “chatbots” and “autonomous systems” is fading.<br><br> The true challenge now lies in <strong>orchestrating intelligence</strong> — designing agents that can reason, delegate, and cooperate efficiently.</p> <p>By combining modular architectures with tools like <strong>Google’s Agent Development Kit</strong>, we’re moving toward the era of <strong>composable AI systems</strong> — where intelligence is not centralized but <strong>distributed, dynamic, and domain-aware</strong>.</p> <p><strong>#AI #MultiAgentSystems #AgentDevelopmentKit #GoogleDevelopers #LLMs #SoftwareArchitecture #AIEngineering #Automation #IntelligentSystems</strong></p> agents google architecture ai How I Integrated Google Sign-In with Keycloak Token Exchange in Flutter — Step-by-Step 🚀 sabbir alam Sat, 09 Aug 2025 23:24:11 +0000 https://dev.to/sabbir_alam_aa9e289fbd684/how-i-integrated-google-sign-in-with-keycloak-token-exchange-in-flutter-step-by-step-193l https://dev.to/sabbir_alam_aa9e289fbd684/how-i-integrated-google-sign-in-with-keycloak-token-exchange-in-flutter-step-by-step-193l <p>Hey Dev Community! 👋</p> <p>I recently built a Flutter app that uses Google Sign-In for authentication and then exchanges the Google access token for a Keycloak token to secure backend APIs.</p> <p>I ran into some challenges during the token exchange process, so here’s a walkthrough of how I solved it — plus a snippet of my Flutter Google Sign-In code!</p> <p>The Challenge 🐞<br> When I first tried exchanging the Google access token for a Keycloak token, Keycloak kept rejecting the token with errors like:<br> <code>TOKEN_EXCHANGE_ERROR: subject_token validation failure</code><br> and <br> <code>invalid_request: Parameter 'subject_issuer' is not supported for standard token exchange</code></p> <p><strong>before any configuration a very important step is to start the keyclock server correctly</strong> <br> <code>kc.bat start-dev --hostname=&lt;your-host-name&gt; --features="preview,token-exchange,admin-fine-grained-authz:v1"</code></p> <p>rest all the configuration remains the same <br> First you need to create google OAuth Credentials</p> <h1> How to Create Google OAuth Credentials (Client ID &amp; Secret) </h1> <h2> Step 1: Go to Google Cloud Console </h2> <ul> <li>Open your browser and visit: <a href="https://console.cloud.google.com/apis/credentials" rel="noopener noreferrer">https://console.cloud.google.com/apis/credentials</a> </li> <li>Sign in with your Google account.</li> </ul> <h2> Step 2: Create or Select a Project </h2> <ul> <li>Select an existing project from the top dropdown, <strong>or</strong> </li> <li>Click <strong>New Project</strong>, enter a project name, and create it.</li> </ul> <h2> Step 3: Enable the OAuth Consent Screen </h2> <ol> <li>In the left sidebar, click <strong>OAuth consent screen</strong>.</li> <li>Choose <strong>External</strong> (for apps used by any Google user) or <strong>Internal</strong> (for G Suite users only).</li> <li>Click <strong>Create</strong>.</li> <li>Fill out the required fields: <ul> <li>App name </li> <li>User support email </li> <li>Developer contact email </li> </ul> </li> <li>Save and continue through scopes and test users (default settings usually work).</li> <li>Click <strong>Save and Continue</strong> until done.</li> </ol> <h2> Step 4: Create OAuth 2.0 Credentials </h2> <ol> <li>Go to <strong>Credentials</strong> on the left menu.</li> <li>Click <strong>Create Credentials</strong> &gt; <strong>OAuth client ID</strong>.</li> <li>Select <strong>Application type</strong>: <ul> <li> <strong>Web application</strong> (if your app uses redirects or backend) </li> <li> <strong>Other</strong> (for standalone apps like Flutter) </li> </ul> </li> <li>Enter a name for the client (e.g., "Flutter App Client").</li> </ol> <h2> Step 5: Configure Authorized Redirect URIs (for Web Application) </h2> <ul> <li>If you chose <strong>Web application</strong>, add the redirect URI where Google will send users after authentication. </li> </ul> <h2> - For Keycloak, this is usually: <code>https://&lt;your-keycloak-domain&gt;/realms/&lt;realm-name&gt;/broker/google/endpoint</code> </h2> <h2> Step 6: Save and Get Your Client ID and Secret </h2> <ul> <li>Click <strong>Create</strong>.</li> <li>Copy the <strong>Client ID</strong> and <strong>Client Secret</strong> displayed.</li> <li>Keep them safe to configure in Keycloak.</li> </ul> <h1> Summary </h1> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Step</th> <th>Action</th> </tr> </thead> <tbody> <tr> <td>1</td> <td>Go to Google Cloud Console</td> </tr> <tr> <td>2</td> <td>Create/select a project</td> </tr> <tr> <td>3</td> <td>Configure OAuth consent screen</td> </tr> <tr> <td>4</td> <td>Create OAuth client credentials</td> </tr> <tr> <td>5</td> <td>Set redirect URIs if needed</td> </tr> <tr> <td>6</td> <td>Save and copy Client ID &amp; Secret</td> </tr> </tbody> </table></div> <h2> Part 2: Configure Google as Identity Provider in Keycloak </h2> <h3> Step 1: Login to Keycloak Admin Console </h3> <ul> <li>Open Keycloak Admin UI and select your realm.</li> </ul> <h2> Part 2: Configure Google Identity Provider in Keycloak </h2> <h3> Login to Keycloak Admin Console and Open Your Realm </h3> <ul> <li>Open the Keycloak Admin UI.</li> <li>Select your realm.</li> </ul> <h3> Add Google as an Identity Provider </h3> <ol> <li>Go to <strong>Identity Providers</strong> in the sidebar.</li> <li>Click <strong>Add provider</strong> and select <strong>Google</strong>.</li> <li>Enter your <strong>Client ID</strong> and <strong>Client Secret</strong> from Google.</li> <li>Under <strong>Advanced Settings</strong>, enable <strong>Store Tokens</strong>.</li> <li>Click <strong>Save</strong>.</li> </ol> <h3> Configure Your Client (<code>flutter-app</code>) for Token Exchange </h3> <ol> <li>Go to <strong>Clients</strong> and select your client (<code>flutter-app</code>).</li> <li>Enable the following settings: <ul> <li><strong>Standard Flow</strong></li> <li><strong>Direct Access Grants</strong></li> <li><strong>Client Authentication</strong></li> <li><strong>Authorization</strong></li> </ul> </li> <li>Check <strong>Service Account Roles</strong>.</li> <li>Click <strong>Save</strong>.</li> </ol> <h3> Enable and Configure Permissions (Crucial Step!) </h3> <blockquote> <p><strong>⚠️ This is the crucial part of the whole process!</strong> </p> <ul> <li>Under <strong>Permissions</strong> </li> <li> <strong>If Permissions tab is not visible, start Keycloak with the command:</strong> </li> </ul> <pre class="highlight shell"><code> kc.bat start-dev <span class="nt">--hostname</span><span class="o">=</span>&lt;your-host-name&gt; <span class="nt">--features</span><span class="o">=</span><span class="s2">"preview,token-exchange,admin-fine-grained-authz:v1"</span> </code></pre> </blockquote> <ol> <li>Go to the <strong>Permissions</strong> tab inside your client settings.</li> <li>Enable <strong>Permissions Enabled</strong>.</li> <li>Click on <strong>token-exchange</strong> permission.</li> <li>Click <strong>Create Client Policy</strong>: <ul> <li>Name the policy.</li> <li>Select the client (<code>flutter-app</code>).</li> <li>Set decision to <strong>Positive</strong>.</li> <li>Click <strong>Save</strong>.</li> </ul> </li> <li>Go back to the <strong>token-exchange</strong> permission, select the policy you just created, and save.</li> </ol> <h3> Configure Permissions for the Google Identity Provider </h3> <ol> <li>Go to the <strong>Google Identity Provider</strong> you added.</li> <li>Under <strong>Permissions</strong>, enable <strong>Permissions Enabled</strong>.</li> <li>Click <strong>token-exchange</strong>.</li> <li>Select the same policy you created for the client.</li> <li>Click <strong>Save</strong>.</li> </ol> <h2> Part 3: Token Exchange Request </h2> <p>Make this request to exchange a Google access token for a Keycloak token:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">POST https://&lt;keycloak-server&gt;/realms/&lt;your-releam&gt;/protocol/openid-connect/token Content-Type: application/x-www-form-urlencoded grant_type=urn:ietf:params:oauth:grant-type:token-exchange &amp;subject_token=&lt;GOOGLE_ACCESS_TOKEN&gt; &amp;subject_token_type=urn:ietf:params:oauth:token-type:access_token &amp;client_id=&lt;your-client-id&gt; &amp;client_secret=&lt;CLIENT_SECRET&gt; &amp;subject_issuer=google &amp;scope=openid profile email </span></code></pre> </div> <p><strong>Note:</strong> <code>subject_issuer</code> is the Identity Provider’s name (usually <code>"google"</code>).</p> <h2> Flutter Google Sign-In and Keycloak Token Exchange Code </h2> <div class="highlight js-code-highlight"> <pre class="highlight dart"><code><span class="c1">// auth_service.dart</span> <span class="kn">import</span> <span class="s">'package:google_sign_in/google_sign_in.dart'</span><span class="o">;</span> <span class="kn">import</span> <span class="s">'package:dio/dio.dart'</span><span class="o">;</span> <span class="kn">import</span> <span class="s">'package:flutter_secure_storage/flutter_secure_storage.dart'</span><span class="o">;</span> <span class="kd">class</span> <span class="nc">AuthService</span> <span class="p">{</span> <span class="kd">final</span> <span class="kt">List</span><span class="p">&lt;</span><span class="kt">String</span><span class="p">&gt;</span> <span class="n">scopes</span> <span class="o">=</span> <span class="p">&lt;</span><span class="kt">String</span><span class="p">&gt;[</span> <span class="s">'email'</span><span class="p">,</span> <span class="s">'openid'</span><span class="p">,</span> <span class="s">'profile'</span><span class="p">,</span> <span class="s">'https://www.googleapis.com/auth/userinfo.email'</span><span class="p">,</span> <span class="s">'https://www.googleapis.com/auth/userinfo.profile'</span><span class="p">,</span> <span class="p">];</span> <span class="kd">final</span> <span class="n">GoogleSignIn</span> <span class="n">_googleSignIn</span> <span class="o">=</span> <span class="n">GoogleSignIn</span><span class="o">.</span><span class="na">instance</span><span class="p">;</span> <span class="kt">bool</span> <span class="n">_initialized</span> <span class="o">=</span> <span class="kc">false</span><span class="p">;</span> <span class="c1">// Google SignIn Instance</span> <span class="c1">// final GoogleSignIn _googleSignIn = GoogleSignIn(</span> <span class="c1">// scopes: ['email', 'profile', 'openid'],</span> <span class="c1">// );</span> <span class="c1">// Secure Storage</span> <span class="kd">final</span> <span class="n">FlutterSecureStorage</span> <span class="n">_storage</span> <span class="o">=</span> <span class="kd">const</span> <span class="n">FlutterSecureStorage</span><span class="p">();</span> <span class="c1">// Keycloak Configuration</span> <span class="kd">final</span> <span class="kt">String</span> <span class="n">keycloakUrl</span> <span class="o">=</span> <span class="s">"https://knows-pride-future-bon.trycloudflare.com"</span><span class="p">;</span> <span class="kd">final</span> <span class="kt">String</span> <span class="n">realm</span> <span class="o">=</span> <span class="s">"Medical"</span><span class="p">;</span> <span class="kd">final</span> <span class="kt">String</span> <span class="n">clientId</span> <span class="o">=</span> <span class="s">"flutter-app"</span><span class="p">;</span> <span class="n">Future</span><span class="p">&lt;</span><span class="kt">void</span><span class="p">&gt;</span> <span class="n">_initializeGoogle</span><span class="p">()</span> <span class="kd">async</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="n">_initialized</span><span class="p">)</span> <span class="k">return</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="n">_googleSignIn</span><span class="o">.</span><span class="na">initialize</span><span class="p">(</span> <span class="nl">clientId:</span> <span class="s">"&lt;your-android-client-id&gt;"</span><span class="p">,</span> <span class="nl">serverClientId:</span> <span class="s">"&lt;your-web-client-id&gt;"</span><span class="p">,</span> <span class="p">);</span> <span class="n">_initialized</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="p">{</span> <span class="n">print</span><span class="p">(</span><span class="s">"GoogleSign-In initialization failed: </span><span class="si">$e</span><span class="s">"</span><span class="p">);</span> <span class="p">}</span> <span class="n">_initialized</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="p">}</span> <span class="c1">/// Step 1: Google Sign-In to get ID Token</span> <span class="n">Future</span><span class="p">&lt;</span><span class="kt">String</span><span class="o">?</span><span class="p">&gt;</span> <span class="n">signInWithGoogle</span><span class="p">()</span> <span class="kd">async</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="n">_initializeGoogle</span><span class="p">();</span> <span class="kd">final</span> <span class="n">GoogleSignInAccount</span><span class="o">?</span> <span class="n">account</span> <span class="o">=</span> <span class="k">await</span> <span class="n">_googleSignIn</span><span class="o">.</span><span class="na">authenticate</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="n">account</span> <span class="o">==</span> <span class="kc">null</span><span class="p">)</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="c1">// print(account);</span> <span class="kd">final</span> <span class="n">GoogleSignInClientAuthorization</span> <span class="n">authorization</span> <span class="o">=</span> <span class="k">await</span> <span class="n">account</span> <span class="o">.</span><span class="na">authorizationClient</span> <span class="o">.</span><span class="na">authorizeScopes</span><span class="p">(</span><span class="n">scopes</span><span class="p">);</span> <span class="n">print</span><span class="p">(</span><span class="s">"access token </span><span class="si">${authorization.accessToken}</span><span class="s">"</span><span class="p">);</span> <span class="k">return</span> <span class="n">authorization</span><span class="o">.</span><span class="na">accessToken</span><span class="p">;</span> <span class="c1">// &lt;-- Return access token here</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="p">{</span> <span class="n">print</span><span class="p">(</span><span class="s">"Google Sign-In Error: </span><span class="si">$e</span><span class="s">"</span><span class="p">);</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">/// Step 2: Exchange Google ID Token with Keycloak for Access &amp; Refresh Tokens</span> <span class="n">Future</span><span class="p">&lt;</span><span class="kt">Map</span><span class="p">&lt;</span><span class="kt">String</span><span class="p">,</span> <span class="kd">dynamic</span><span class="p">&gt;</span><span class="o">?</span><span class="p">&gt;</span> <span class="n">exchangeTokenWithKeycloak</span><span class="p">(</span> <span class="kt">String</span> <span class="n">googleIdToken</span><span class="p">,</span> <span class="p">)</span> <span class="kd">async</span> <span class="p">{</span> <span class="kd">final</span> <span class="n">dio</span> <span class="o">=</span> <span class="n">Dio</span><span class="p">();</span> <span class="k">try</span> <span class="p">{</span> <span class="n">print</span><span class="p">(</span><span class="s">"Exchanging token with Keycloak... </span><span class="si">${keycloakUrl}</span><span class="s">"</span><span class="p">);</span> <span class="kd">final</span> <span class="n">response</span> <span class="o">=</span> <span class="k">await</span> <span class="n">dio</span><span class="o">.</span><span class="na">post</span><span class="p">(</span> <span class="s">'</span><span class="si">$keycloakUrl</span><span class="s">/realms/</span><span class="si">$realm</span><span class="s">/protocol/openid-connect/token'</span><span class="p">,</span> <span class="nl">data:</span> <span class="p">{</span> <span class="s">'client_id'</span><span class="o">:</span> <span class="n">clientId</span><span class="p">,</span> <span class="s">'client_secret'</span><span class="o">:</span> <span class="s">'&lt;your-client-secret&gt;'</span><span class="p">,</span> <span class="s">'grant_type'</span><span class="o">:</span> <span class="s">'urn:ietf:params:oauth:grant-type:token-exchange'</span><span class="p">,</span> <span class="s">'subject_token'</span><span class="o">:</span> <span class="n">googleIdToken</span><span class="p">,</span> <span class="s">'subject_token_type'</span><span class="o">:</span> <span class="s">'urn:ietf:params:oauth:token-type:access_token'</span><span class="p">,</span> <span class="s">'requested_token_type'</span><span class="o">:</span> <span class="s">'urn:ietf:params:oauth:token-type:access_token'</span><span class="p">,</span> <span class="s">'subject_issuer'</span><span class="o">:</span> <span class="s">'google'</span><span class="p">,</span> <span class="p">},</span> <span class="nl">options:</span> <span class="n">Options</span><span class="p">(</span><span class="nl">contentType:</span> <span class="n">Headers</span><span class="o">.</span><span class="na">formUrlEncodedContentType</span><span class="p">),</span> <span class="p">);</span> <span class="k">return</span> <span class="n">response</span><span class="o">.</span><span class="na">data</span><span class="p">;</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="p">{</span> <span class="n">print</span><span class="p">(</span><span class="s">"Keycloak Token Exchange Error: </span><span class="si">$e</span><span class="s">"</span><span class="p">);</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">/// Step 3: Store Tokens Securely</span> <span class="n">Future</span><span class="p">&lt;</span><span class="kt">void</span><span class="p">&gt;</span> <span class="n">storeTokens</span><span class="p">(</span><span class="kt">Map</span><span class="p">&lt;</span><span class="kt">String</span><span class="p">,</span> <span class="kd">dynamic</span><span class="p">&gt;</span> <span class="n">tokens</span><span class="p">)</span> <span class="kd">async</span> <span class="p">{</span> <span class="k">await</span> <span class="n">_storage</span><span class="o">.</span><span class="na">write</span><span class="p">(</span><span class="nl">key:</span> <span class="s">'access_token'</span><span class="p">,</span> <span class="nl">value:</span> <span class="n">tokens</span><span class="p">[</span><span class="s">'access_token'</span><span class="p">]);</span> <span class="k">await</span> <span class="n">_storage</span><span class="o">.</span><span class="na">write</span><span class="p">(</span><span class="nl">key:</span> <span class="s">'refresh_token'</span><span class="p">,</span> <span class="nl">value:</span> <span class="n">tokens</span><span class="p">[</span><span class="s">'refresh_token'</span><span class="p">]);</span> <span class="p">}</span> <span class="c1">/// Step 4: Get Dio Instance with Authorization Header</span> <span class="n">Future</span><span class="p">&lt;</span><span class="n">Dio</span><span class="p">&gt;</span> <span class="n">getAuthorizedDio</span><span class="p">()</span> <span class="kd">async</span> <span class="p">{</span> <span class="kd">final</span> <span class="n">dio</span> <span class="o">=</span> <span class="n">Dio</span><span class="p">();</span> <span class="kd">final</span> <span class="n">token</span> <span class="o">=</span> <span class="k">await</span> <span class="n">_storage</span><span class="o">.</span><span class="na">read</span><span class="p">(</span><span class="nl">key:</span> <span class="s">'access_token'</span><span class="p">);</span> <span class="n">dio</span><span class="o">.</span><span class="na">options</span><span class="o">.</span><span class="na">headers</span><span class="p">[</span><span class="s">'Authorization'</span><span class="p">]</span> <span class="o">=</span> <span class="s">'Bearer </span><span class="si">$token</span><span class="s">'</span><span class="p">;</span> <span class="k">return</span> <span class="n">dio</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Step 5: Complete Login Flow</span> <span class="n">Future</span><span class="p">&lt;</span><span class="kt">String</span><span class="o">?</span><span class="p">&gt;</span> <span class="n">login</span><span class="p">()</span> <span class="kd">async</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="c1">// Step 1: Google Sign-In to get ID Token</span> <span class="kd">final</span> <span class="n">googleIdToken</span> <span class="o">=</span> <span class="k">await</span> <span class="n">signInWithGoogle</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="n">googleIdToken</span> <span class="o">==</span> <span class="kc">null</span><span class="p">)</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="kd">final</span> <span class="n">keycloakTokens</span> <span class="o">=</span> <span class="k">await</span> <span class="n">exchangeTokenWithKeycloak</span><span class="p">(</span><span class="n">googleIdToken</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="n">keycloakTokens</span> <span class="o">==</span> <span class="kc">null</span><span class="p">)</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="k">await</span> <span class="n">storeTokens</span><span class="p">(</span><span class="n">keycloakTokens</span><span class="p">);</span> <span class="k">return</span> <span class="n">keycloakTokens</span><span class="p">[</span><span class="s">'access_token'</span><span class="p">];</span> <span class="c1">// Return Access Token</span> <span class="k">return</span> <span class="n">keycloakTokens</span><span class="p">[</span><span class="s">'access_token'</span><span class="p">];</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="p">{</span> <span class="n">print</span><span class="p">(</span><span class="s">"Login Error: </span><span class="si">$e</span><span class="s">"</span><span class="p">);</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">/// Step 6: Logout from Google and Clear Tokens</span> <span class="n">Future</span><span class="p">&lt;</span><span class="kt">void</span><span class="p">&gt;</span> <span class="n">logout</span><span class="p">()</span> <span class="kd">async</span> <span class="p">{</span> <span class="k">await</span> <span class="n">_googleSignIn</span><span class="o">.</span><span class="na">signOut</span><span class="p">();</span> <span class="k">await</span> <span class="n">_storage</span><span class="o">.</span><span class="na">deleteAll</span><span class="p">();</span> <span class="n">print</span><span class="p">(</span><span class="s">"Logged out successfully"</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Happy coding! 🚀</p>