Make nonce optional #68
Conversation
|
I'm not sure why the tests are failing. I can't get them to work on main either. |
|
Hmm, not sure why the tests are failing either, but were you able to test this within an app to see if google signin actually works? If not, I can try to test it out when I can! |
|
@dshukertjr I'll actually set this to draft until the gotrue PR gets merged in, but yeah it should work. Also, do you happen to know what kind of ETA to expect for the gotrue review? I'm assuming it's a bit longer since it's a more used package |
|
@DanMossa Yeah, there is a lot going on in gotrue repo as it's really high in demand, so it might take some time, but I can see that kangming has some response! |
|
@dshukertjr Officially got |
|
@DanMossa Amazing! Did you have any chance to try out native Google login with this? |
|
@dshukertjr I actually haven't just yet. I wasn't sure how long it takes for the gotrue PR merges to reflect on hosted Supabase. I think that regardless nonce should be optional but yeah it makes sense to wait before we merge this in just in case something else needs to be changed. I'll set it back to draft until I verify. |
|
I can verify, google signIn works with setting nonce as empty string. |
|
edit: unfortunately, it doesn't work in iOS because the google_signIn return a nonce in idToken which confuses the backend. having decoded the jwt on client and sending that nonce doesn't work either. |
|
@k0shk0sh Thank you so much for trying it out on various devices! I am so sorry, but I haven't had a chance to take a deep look into this PR just yet. Does seem like there needs to be more rework on the backend then? |
|
@k0shk0sh @dshukertjr |
I did that, I send the nonce with the api call but can't return invalid nonce. |
|
Can you send me the code you're using? And just to clarify this works with Google but not with iOS. And what is the exact error you're getting? |
|
using on iOS the nonce is returned and then passed to oidc. once API call is made then I receive: supabase/auth#412 (comment)
|
|
I believe, we should also remove the nonce check against the jwt and also not passing one from clients. then I reckon this will solve it. nonce is always optional even on apple signIn. |
Perhaps empty string is not equal to null, so the backend still check if the empty string is a valid sha256 nonce, also the |
|
Oh that's exactly the issue. You're passing in an empty string. I also know that there's something needed with hashed nonce. I'm not near my computer so I can't tell you definitively |
|
Testing the official Sign In With Google package. GoogleSignIn _googleSignIn = GoogleSignIn(
clientId: constants.WEB_GOOGLE_CLIENT_ID,
);
GoogleSignInAccount? account = await _googleSignIn.signIn();
GoogleSignInAuthentication? auth;
if (account != null) {
auth = await account.authentication;
}
if (auth?.idToken != null) {
return AuthService.signInWIthOpenID(
idToken: auth!.idToken!, provider: Provider.google);
}On Android: I see that I'm very confused as to where this idToken is coming from. I'm looking through the Sign in with google codebase. Also, is there a way to set multiple google client id's and secrets? Don't we need to per device? |
|
@DanMossa what if you make use of |
It's hard to know since I can't even get past the audience verification. How can I set multiple Google client IDs and secrets? |
Unfortunately that's not possible on supabase, I believe you coming from a firebase project just like me. I haven't figured this part yet tbh, im hitting a roadblock everytime, for now im just gonna stick to an email login/signup which can be very cumbersome. |
This wont work, could you elaborate on why you think this will work? |
|
I think we should merge this PR in because it's correct. |
|
@k0shk0sh https://stackoverflow.com/questions/40806756/google-signin-in-android-and-ios-with-backend-server https://stackoverflow.com/questions/54021631/google-sign-in-in-ios-with-server |
Yeeep, but since supabase is web focused, they never catered for Mobile I would assume. |
|
Alrighty. So next in this rabbit hole is to add support for multiple client IDs lmao. @dshukertjr Do you wanna go ahead and merge this PR in and I guess I'll eventually start working on that? |
|
Thanks and sorry for taking time to jump onto this one @DanMossa . I will take a look at it. |
There was a problem hiding this comment.
Thank you @DanMossa for working on bringing native OAuth to supabase-flutter. Thank you @k0shk0sh for hopping on discussions and doing bunch of researches.
It sounds like what we need at this point to fully support all web, Android, and iOS native sign in is to be able to set multiple client IDs on the supabase dashboard and properly handle each client id on the gotrue backend, correct?
|
Thanks for looking! At this point sign in with Google works for Android and Web 100%. But for iOS, the next steps are being able to use multiple client IDs and then figuring out why we're getting a nonce back in iOS. |
I believe we getting back nonce on iOS is because its not supported natively, as you can see in iOS google signIn opens actually a web screen, I believe that's the reason. The nonce is optional and can be ignored completely as how firebase does it. |
|
I don't really like the idea of ignoring it. The nonce is important and the spec requires you to use the nonce if available to verify the integrity of the idtoken. I'll dig around in the near future to see if we can generate a nonce to use for iOS |
Using existing google signIn in flutter on iOS doesn't provide the ability to supply the nonce. |
|
Yeah that's true. But neither was passing in a nonce when using Android but I was able to fork their repo and add it in. I'm going to look to see if I can add in a way to pass in the nonce for iOS and then make a PR for them. Then we can use my branch until they merge it in. Who would've thought Google had such garbage code lol |
|
This is where the issue is. |
Dependent on
supabase/auth#430