
feat: add experimental signInWithIdToken for Apple, Google #603

Merged (1 commit) on Feb 15, 2023

Conversation

@hf (Contributor) commented Feb 2, 2023

Adds signInWithIdToken as experimental. This brings back the ID token login flow for Sign in with Apple and Sign in with Google for iOS and Android apps.

It's marked as experimental since there are some known issues with this endpoint, but we do realize the importance of having this method available as Sign in with Apple is mandatory on iOS devices.

DanMossa commented Feb 3, 2023

When using this endpoint, I'm getting a 502 Bad Gateway response. Has this been verified to work?

jaytxng commented Feb 3, 2023

Been working on integrating Apple and seeing this 502 gateway error as well.

I've reached out to support@supabase.com yesterday regarding this issue, so hopefully someone can look into what's causing this.

edit: no longer seeing the 502 gateway error anymore!

DanMossa commented Feb 4, 2023

@jaytxng I'm emailing someone from support back and forth about this. The way I was originally Signing in with Apple and Google failed due to server changes. I'm trying this out and yeah I'm getting the 502

DanMossa commented Feb 4, 2023

Also: please don't merge this in without making sure it works
supabase/auth#927

@kangmingtay (Member)

Hi @DanMossa we haven't merged this in yet because the gotrue version on the Supabase platform is still on v2.40.1, which doesn't contain the changes in supabase/gotrue#927.

jaytxng commented Feb 7, 2023

@DanMossa heads up, I'm no longer seeing that 502 error anymore 😄

DanMossa commented Feb 7, 2023

> @DanMossa heads up, I'm no longer seeing that 502 error anymore 😄

Yup! After talking to support they disabled the endpoint. They just had to re-enable it!

@hf hf merged commit 1763d48 into master Feb 15, 2023
@hf hf deleted the hf/add-idtoken-flow branch February 15, 2023 11:25
@github-actions (Contributor)

🎉 This PR is included in version 2.12.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

@johnryan

Hi All - thanks for bringing this back. I've been trying to get it working with google auth and getting an error Passed nonce and nonce in id_token should either both exist or not. Is this expected to work with google?

@DanMossa

> Hi All - thanks for bringing this back. I've been trying to get it working with google auth and getting an error Passed nonce and nonce in id_token should either both exist or not. Is this expected to work with google?

Yup! I'm using it now. Are you passing a nonce when using Sign in with Google?

Does the JWT token you get from Google contain a nonce?

@johnryan
Copy link

laotala828 commented Jun 2, 2023

I am having the same issue: Passed nonce and nonce in id_token should either both exist or not. I am using this one https://github.com/CodetrixStudio/CapacitorGoogleAuth and get something like this:

```js
authentication: {
  refreshToken: '1//06VJKB6bMT0oXCgYIQWERGAYSNwF-L9IrRWKTodx0Ir_PQvMUhB3YMFYVzXfY2utSgB2JkkqGxrUB ...',
  idToken: 'eyJhbGciQWE345GBH75IsImtpGHI6IjYwOASkZDU5ODE2NzNmNjYxZmRlOWRhZTY0NmI2ZjAzONGhMDE0NWMiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLERhenAiOiI3NDUxODY3NTM2MTMtaGI1N3MwZDNhaXZsYmVmdTNtcmVpbGU4c3N1cjd...',
  accessToken: 'ya29.a0AWY7CknAaGYidqUpcPn21IPgDiQTXhvaeSY7-o-dmMCKqDS2SzJYuJqqROS9zoWPTYUrAAlU-EIrLVKecCwzr3AnoBCZtIq7RlnCRyYPqpE4...'
}
```

When I pass the idToken to signInWithIdToken I get the error: Passed nonce and nonce in id_token should either both exist or not.

If I decode the idToken I can get the nonce, but when I pass it in I get the error: invalid nonce

matteo6b commented Jun 6, 2023

Hi, same error: Passed nonce and nonce in id_token should either both exist or not.

@laotala828 how do you decode the nonce in the id token?

laotala828 commented Jun 6, 2023

@matteo6b

> Hi the same error Passed nonce and nonce in id_token should either both exist or not.
>
> @laotala828 how you decode nonce in id token ?

You can paste your id token into the JWT site https://jwt.io/ and it will show you the decoded object.
In my code I use this one: https://www.npmjs.com/package/jwt-decode

robertn702 commented Jun 26, 2023

Has anyone been able to get around the Passed nonce and nonce in id_token should either both exist or not issue?

Currently using react-native-google-signin/google-signin to retrieve the id token and passing it to supabase.auth.signInWithIdToken returns this error.

Edit:
Parsing the nonce from the id token and including it with signInWithIdToken produces the error Nonces mismatch.

@laotala828

> Has anyone been able to get around the Passed nonce and nonce in id_token should either both exist or not issue?
>
> Currently using react-native-google-signin/google-signin to retrieve the id token and passing it to supabase.auth.signInWithIdToken returns this error.
>
> Edit: Parsing the nonce from the id token and including it with signInWithIdToken produces the error Nonces mismatch.

Hey @robertn702, I did not solve this problem, but I do have a solution to allow users to log in with OAuth on iOS. Previously I used React Native and now I am using Capacitorjs; it works for both. For RN you use the Linking feature, and for Capacitor you use the appUrlOpen event on App. Basically you ask users to open the gotrue endpoint URL in a browser, for example:

```
${SUPABASE_URL}/auth/v1/authorize?provider=google&redirect_to=${SIGN_IN_CALL_BACK}&access_type=offline&prompt=consent
```

You can set SIGN_IN_CALL_BACK to the URL scheme of your app, for example com.my.app://logincallback, and set the URL scheme for your iOS app. Easy tutorial here.

Then after users sign in or up using Google OAuth, they will be redirected to your app, and you will get a string URL like this: com.my.app://logincallback#access_token=....&refresh_token=.... Replace # with a ? and turn the string URL into a real URL object; you can easily get the access_token and refresh_token.

```js
const url_string = url.replace(`${SIGN_IN_CALL_BACK}#`, `${SIGN_IN_CALL_BACK}?`);
const new_url = new URL(url_string);
const refresh_token = new_url.searchParams.get('refresh_token');
const access_token = new_url.searchParams.get('access_token');
```

Finally you call the setSession function and you will get the info you need and log users in.

```js
const session_result = await supabase.auth.setSession({ access_token, refresh_token });
```
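
The deep-link callback in the post above hands the app a URL of the form com.my.app://logincallback#access_token=...&refresh_token=... and the tokens are lifted out of it. Below is an added example, not code from this PR or from the poster, of a callback handler hardened in the two ways a practitioner would want: it only accepts URLs that match the registered callback (an app's URL handler receives every link for its scheme, so anything else must not turn into a session), and it surfaces an `error`/`error_description` fragment instead of silently producing empty tokens. The callback scheme and host are placeholders, and `setSession` is injected so the file runs offline; in the app it would be `supabase.auth.setSession`. Because the WHATWG `URL` parser exposes the fragment as `url.hash`, the `#`-to-`?` rewrite is not needed.

```javascript
// Added example (not from supabase/gotrue-js or the post above): parse the
// OAuth deep-link callback and hand the tokens to a setSession-like function.
// EXPECTED_CALLBACK is a placeholder, not a real application's scheme.
const EXPECTED_CALLBACK = 'com.my.app://logincallback';

// Returns { ok: true, access_token, refresh_token } or { ok: false, reason }.
function parseAuthCallback(urlString, expected = EXPECTED_CALLBACK) {
  let url, want;
  try {
    url = new URL(urlString);
    want = new URL(expected);
  } catch {
    return { ok: false, reason: 'unparseable URL' };
  }

  // Only trust links that target the registered callback: same scheme, same
  // host, same path (ignoring a trailing slash). A link with another scheme or
  // host delivered to the app's URL handler is not a login result.
  const stripSlash = (p) => p.replace(/\/+$/, '');
  if (url.protocol !== want.protocol || url.host !== want.host ||
      stripSlash(url.pathname) !== stripSlash(want.pathname)) {
    return { ok: false, reason: 'URL is not the registered callback' };
  }

  // gotrue returns the session in the fragment; URLSearchParams decodes it.
  const params = new URLSearchParams(url.hash.slice(1));
  if (params.has('error')) {
    return { ok: false, reason: params.get('error_description') || params.get('error') };
  }
  const access_token = params.get('access_token');
  const refresh_token = params.get('refresh_token');
  if (!access_token || !refresh_token) {
    return { ok: false, reason: 'callback lacks access_token/refresh_token' };
  }
  // Tokens are returned to the caller, never logged.
  return { ok: true, access_token, refresh_token };
}

// Glue step for the URL-open handler (Linking in RN, appUrlOpen in Capacitor).
// `setSession` is injected; in the app pass supabase.auth.setSession.
async function handleAuthCallback(urlString, setSession) {
  const parsed = parseAuthCallback(urlString);
  if (!parsed.ok) return { ok: false, reason: parsed.reason };
  const { access_token, refresh_token } = parsed;
  const result = await setSession({ access_token, refresh_token });
  return { ok: !result.error, error: result.error ?? null };
}
```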

@will-break-it

@laotala828 how were you able to set the redirect URL correctly? In Supabase I have a web redirect URL, and in Google Cloud I can't add an app-specific URL scheme since Google forces you to create a dedicated iOS client secret.

@laotala828

> @laotala828 how were you able to set the redirect url correctly? In supabase I have a web redirect url and in google cloud I can't add an app specific url scheme since google enforces to create a dedicated iOS client secret.

The method I mentioned is using the web client secret in GCP, you don't need an iOS client secret.
