This repository has been archived by the owner on Feb 22, 2023. It is now read-only.

[google_sign_in_web] Migrate to the GIS SDK. #6921

Merged
merged 31 commits into from
Feb 17, 2023


ditman
Member

@ditman ditman commented Jan 7, 2023

This PR migrates google_sign_in_web to the Google Identity Services SDK, in a somewhat "backwards-compatible" way.

There are big differences between the old and new authentication/authorization SDKs, so even though this is API compatible with the old client, there are subtle differences in the underlying behavior that prompted a major version update:

  • signInSilently will trigger the One Tap user experience.
    • If the user consents to the One Tap UI, they will be authenticated but not authorized (a call to requestScopes or signIn is required to authorize the user).
      • Since the previous plugin assumes that user authentication and authorization are the same, the signInSilently method has currently been made to always return null (even on successful authentication) to prevent apps from triggering requests without being authorized.
        • This behavior should change in the future!
  • signIn will trigger an oauth2 popup.
    • If the user has NOT authenticated via signInSilently:
      • The plugin will attempt to request the user profile data from the People API and "fill the gap" (oauth2 endpoints no longer return the user authentication info) after a successful authorization.
        • User profiles retrieved in this way do NOT contain a proper idToken.
        • (The plugin will add 2 more scopes to the ones requested by the user to be able to do this).
    • If the user has authenticated via signInSilently:
      • The plugin will skip the request to the PeopleAPI completely and instead use the CredentialResponse received from the One Tap flow.
  • The rest of the methods should work very similarly to how they work now.

Version bump

This is a major reimplementation of the plugin, and there are some subtle differences in behavior (see above), so this probably warrants a new major version.

Tests

  • Rewritten tests.
    • Tests for the GisSdkClient could be added by abstracting the GIS bits a little bit more.
  • An unmodified Google Sign-In example app has been deployed here:

Issues

Pre-launch Checklist

  • I read the Contributor Guide and followed the process outlined there for submitting PRs.
  • I read the Tree Hygiene wiki page, which explains my responsibilities.
  • I read and followed the relevant style guides and ran the auto-formatter. (Unlike the flutter/flutter repo, the flutter/plugins repo does use dart format.)
  • I signed the CLA.
  • The title of the PR starts with the name of the plugin surrounded by square brackets, e.g. [shared_preferences]
  • I listed at least one issue that this PR fixes in the description above.
  • I updated pubspec.yaml with an appropriate new version according to the pub versioning philosophy, or this PR is exempt from version changes.
  • I updated CHANGELOG.md to add a description of the change, following repository CHANGELOG style.
  • I updated/added relevant documentation (doc comments with ///).
  • I added new tests to check the change I am making, or this PR is test-exempt.
  • All existing and new tests are passing.

If you need help, consider asking for advice on the #hackers-new channel on Discord.

Member Author

@ditman ditman left a comment


Some quick self-review.

packages/google_sign_in/google_sign_in_web/CHANGELOG.md (outdated, resolved)
@@ -3,7 +3,7 @@ description: Flutter plugin for Google Sign-In, a secure authentication system
for signing in with a Google account on Android, iOS and Web.
repository: https://github.com/flutter/plugins/tree/main/packages/google_sign_in/google_sign_in_web
issue_tracker: https://github.com/flutter/flutter/issues?q=is%3Aissue+is%3Aopen+label%3A%22p%3A+google_sign_in%22
version: 0.10.2+1
version: 0.11.0
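Review bot: on the `version:` line, 0.10.2+1 to 0.11.0 is a breaking bump under pub's pre-1.0 convention, so apps constrained with ^0.10.x will not pick this release up on their own. That fits the behavior changes listed in the PR description, but the 0.11.0 CHANGELOG entry should name them explicitly (signInSilently returning null, signIn profiles without a proper idToken) so that anyone raising the constraint knows which authentication paths to retest.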
Member Author


Major version bump.

packages/google_sign_in/google_sign_in_web/pubspec.yaml (outdated, resolved)
@ditman ditman marked this pull request as ready for review January 18, 2023 03:16
@ditman
Member Author

ditman commented Jan 18, 2023

I think the legacy_version_analyze is failing because pub cannot resolve a valid version of package:google_identity_services_web (which requires Dart 2.17+)?

@ditman ditman force-pushed the google-sign-in-web-using-gis branch from 0f708c8 to 6649796 Compare January 28, 2023 02:02
Contributor

@mdebbar mdebbar left a comment


Great tests!

The code looks good to me, and I trust that you are using the GIS API correctly :)

@ditman ditman force-pushed the google-sign-in-web-using-gis branch from ac078b0 to efad291 Compare February 3, 2023 22:42
Contributor

@stuartmorgan stuartmorgan left a comment


My review is pretty high level since I don't know the details of the SDK here, but overall it looks good!

@ditman ditman force-pushed the google-sign-in-web-using-gis branch from d6fd4d8 to 95f3d9e Compare February 14, 2023 02:57
@ditman
Member Author

ditman commented Feb 14, 2023

+   jwt_decoder: ^2.0.1

> Same question here; is there a reasonable way to not add this dependency?

Hm... Maybe? I'll give this another shot tomorrow, it seems all that needs to be done is to base-64 decode (and JSON.parse) the middle bit of the token? :/ https://stackoverflow.com/questions/52017389/how-to-get-the-claims-from-a-jwt-in-my-flutter-application
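
The approach described in the comment above (base64-decode and JSON-parse the middle segment of the token), sketched in Dart as an added example. It is not the code that landed in this PR; `decodeJwtPayload` and the sample token are constructed for illustration. It only reads claims and does not verify the signature, so the result is suitable for display, not for a trust decision.

```dart
import 'dart:convert';

/// Returns the claims (payload) of a JWT, or null if [token] is malformed.
/// Hypothetical helper: decodes only, performs NO signature verification.
Map<String, dynamic>? decodeJwtPayload(String? token) {
  if (token == null) return null;
  final List<String> parts = token.split('.');
  if (parts.length != 3) return null; // expected header.payload.signature
  try {
    // JWT segments are unpadded base64url; normalize() restores the padding
    // that base64Url.decode() requires.
    final String normalized = base64Url.normalize(parts[1]);
    final Object? claims =
        jsonDecode(utf8.decode(base64Url.decode(normalized)));
    // A well-formed payload is a JSON object; reject arrays, strings, etc.
    return claims is Map<String, dynamic> ? claims : null;
  } on FormatException {
    return null; // invalid base64, invalid UTF-8, or invalid JSON
  }
}

void main() {
  // Constructed sample token built here; not a real Google credential.
  String b64(Object o) =>
      base64Url.encode(utf8.encode(jsonEncode(o))).replaceAll('=', '');
  final String token = <String>[
    b64(<String, String>{'alg': 'RS256', 'typ': 'JWT'}),
    b64(<String, String>{
      'sub': '1234567890',
      'email': 'user@example.com',
      'name': 'Zoë Example', // non-ASCII: exercises the UTF-8 decode step
    }),
    'constructed-signature',
  ].join('.');

  final Map<String, dynamic>? claims = decodeJwtPayload(token);
  print(claims?['email']);
  print(claims?['name']);
  print(decodeJwtPayload('not-a-jwt')); // wrong number of segments
  print(decodeJwtPayload('a.@@@.c')); // payload is not valid base64url
}
```

Claims read this way come from an unverified token; a backend that receives the idToken still has to check its signature, audience, issuer and expiry before trusting any of them.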

@ditman
Member Author

ditman commented Feb 14, 2023

Rebasing to pick up the latest .ci.yaml changes from main.

@ditman ditman force-pushed the google-sign-in-web-using-gis branch from 7fb3abf to 382ed3d Compare February 14, 2023 23:26
@ditman ditman requested a review from stuartmorgan February 14, 2023 23:26
@ditman
Member Author

ditman commented Feb 14, 2023

I think I've addressed all your comments @stuartmorgan, PTAL!

Contributor

@stuartmorgan stuartmorgan left a comment


LGTM with one nit. Thanks for paring down the dependencies!

@ditman ditman self-assigned this Feb 16, 2023
@ditman ditman added the autosubmit Merge PR when tree becomes green via auto submit App label Feb 16, 2023
@auto-submit auto-submit bot merged commit 5304424 into flutter:main Feb 17, 2023
@ditman ditman deleted the google-sign-in-web-using-gis branch February 17, 2023 04:18
engine-flutter-autoroll added a commit to engine-flutter-autoroll/flutter that referenced this pull request Feb 17, 2023
auto-submit bot pushed a commit to flutter/flutter that referenced this pull request Feb 17, 2023
* cd09d9d31 [ci] Update iOS simulator (flutter/plugins#7131)

* 016c3b7f1 Roll Flutter from df41e58 to 22e17bb (28 revisions) (flutter/plugins#7186)

* 7160f55e8 [ios_platform_images] Update minimum version to iOS 11 (flutter/plugins#6874)

* ea048a249 [in_app_purchase] Update minimum Flutter version to 3.3 and iOS 11 (flutter/plugins#6873)

* 530442456 [google_sign_in_web] Migrate to the GIS SDK. (flutter/plugins#6921)

* 9a3a77e6c [image_picker] Fix images changing to incorrect orientation (flutter/plugins#7187)

* 8f3419be5 Roll Flutter from 22e17bb to 298d8c7 (20 revisions) (flutter/plugins#7190)
@sbatezat

sbatezat commented Feb 21, 2023

@ditman "User profiles retrieved in this way do NOT contain a proper idToken."

Ok, I can see it in the migration guide, on this PR and almost everywhere. You are not populating idToken on signIn. But I was using this plugin only in order to retrieve that idToken, how should I achieve that now? All the documentation says idToken is null, but none of it says how to retrieve it from now on. I don't need user information, I just need an idToken to send to my backend...

Could you please explain how should I migrate?
Cheers

@ditman
Member Author

ditman commented Feb 22, 2023

> Could you please explain how should I migrate?

@sbatezat make sure that you use signInSilently on your app, so that UX flow is able to retrieve an idToken.

The lack of idToken coming from the authorization flow has been reported as an issue to the GSI Team, as mentioned here, and if they change their minds and start returning the token, we'll make it available to users.

@sbatezat

sbatezat commented Feb 22, 2023

> > Could you please explain how should I migrate?
>
> @sbatezat make sure that you use signInSilently on your app, so that UX flow is able to retrieve an idToken.
>
> The lack of idToken coming from the authorization flow has been reported as an issue to the GSI Team, as mentioned here, and if they change their minds and start returning the token, we'll make it available to users.

I've tried signInSilently, it returns null (as explained in the documentation) and shows nothing to the end user. After signInSilently, I call signIn again, and there is still no idToken.

If there is no idToken, what should be the process to validate the user server-side?

@ditman
Member Author

ditman commented Feb 22, 2023

> I've tried signInSilently, it returns null (as explained in the documentation) and shows nothing to the end user. After signInSilently, I call signIn again, and there is still no idToken.

@sbatezat The user must be signed in to their browser for signInSilently to do its thing, and if the OneTap UX worked successfully, you'll have the idToken after signIn. OneTap UX docs.

> If there is no idToken, what should be the process to validate the user server-side?

You can't validate users without an idToken server-side, so I guess that for the server-side validation of users, a larger change to your app is required until the OAuth popup starts returning idTokens.

Look at the documentation, you may want to use the "Button" flow?

Labels
autosubmit Merge PR when tree becomes green via auto submit App p: google_sign_in platform-web
Development

Successfully merging this pull request may close these issues.

[google_sign_in_web] Migrate from Google Sign-In JavaScript Platform Library to Google Identity Services
4 participants