Manual nonce generation option #244
Conversation
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
|
@jsamol Could you sign the CLA? I cherry-picked your commit from this repository. |
|
@toshi0383 done |
|
@toshi0383 Any updates on this? |
|
Oh I should resolve conflict. Will do. Thanks for the heads-up! |
Conflicts: GoogleSignIn/Sources/GIDSignIn.m
|
Fixed conflict. Confirmed that build succeeds. |
|
Will this be unblocking the progress on implementing native sign in (#5)? Thanks! |
|
@toshi0383 @petea any chance this could be prioritized? |
|
@petea Any change merging this? |
|
@petea bump |
|
@toshi0383, @ch40w31 any chance someone can take a look? it's blocking supabase/supabase-flutter#5 |
|
Please do not mention to me. I don't have permission to merge in this repository. |
|
@ch40w31 or @mdmathias would either of you be willing to review this? |
|
Apologies for the delay and thanks for the PR! I added a comment to the issue with a request for a little more information. In principle, this change should be fine. |
| @@ -269,6 +269,7 @@ - (void)signInWithPresentingViewController:(UIViewController *)presentingViewCon | |||
| - (void)addScopes:(NSArray<NSString *> *)scopes | |||
| presentingViewController:(UIViewController *)presentingViewController | |||
| completion:(nullable GIDSignInCompletion)completion { | |||
|
|
|||
| [GIDEMMSupport parametersWithParameters:options.extraParams | ||
| emmSupport:emmSupport | ||
| isPasscodeInfoRequired:NO]]; | ||
| [GIDEMMSupport parametersWithParameters:options.extraParams |
| #elif TARGET_OS_OSX || TARGET_OS_MACCATALYST | ||
| [additionalParameters addEntriesFromDictionary:options.extraParams]; | ||
| #endif // TARGET_OS_OSX || TARGET_OS_MACCATALYST | ||
| additionalParameters[kSDKVersionLoggingParameter] = GIDVersion(); | ||
| additionalParameters[kEnvironmentLoggingParameter] = GIDEnvironment(); | ||
|
|
||
| NSString *codeVerifier = [OIDAuthorizationRequest generateCodeVerifier]; |
There was a problem hiding this comment.
This part is a little tricky for me because it looks like GSI is taking on some of the implementation details within AppAuth-iOS. IIUC, we have to create codeVerifier, codeChallenge, and the nonce because we don't have an initializer that we can easily call on OIDAuthorizationRequest that takes only the nonce.
Ideally, we would have an initializer on OIDAuthorizationRequest that only adds the nonce parameter to the simplest initializer. That way, we can keep these implementation details/default values inside AppAuth.
What do you think?
| @@ -674,10 +675,12 @@ - (void)testOAuthLogin_LoginHint { | |||
| } | |||
|
|
|||
There was a problem hiding this comment.
I know that GIDSignInTest is cluttered and that GIDSignIn is a difficult class to test (we're working on this), but could you add a test that verifies the passed in nonce is matched in the OIDAuthorizationResponse we back in GIDSignIn?
It'd be great to have a unit test that asserts: XCTAssertEqualObjects(originalNonce, authorizationResponse.request.nonce).
|
@toshi0383 would you like to address these changes? I am also happy to contribute to this PR. |
|
@elliottetzkorn Sounds great! I’ve been busy lately. |
|
Hello @elliottetzkorn, did you have a change to take a look to this PR? |
|
Hey @elliottetzkorn, I'm on the Supabase Auth team and this fix would greatly improve the Sign in with Google experience in mobile apps while remaining as secure as the OIDC spec intends. I would kindly ask for an expedited review. cc @mdmathias |
|
Hello, |
Asking the same! And is there any timeline where nonce support will be available? |
|
Hello, please be so kind and stop spamming the thread. Me (and others) subscribed to this thread to receive valuable updates, not questions such as "when is this going to happen" or "me too" - please be mindful of others and when asking a question, think about whether it really contributes something valuable to the discussion, thank you. To answer the question: this is open source. A feature will be available, when someone manages to open a PR which is reviewed and merged by the maintainers. That someone could be you, or someone else (could be me, if someone hires me). Until then, there are no updates. So please either wait or write the code yourself. |
…n ODIC flow (#1264) It appears that in certain client libraries that deal with the OIDC authentication flow, such as [this one for React Native on iOS](google/GoogleSignIn-iOS#244), the clients are unable to extract the nonce that is generated randomly by the library. This option allows to temporarily drop the enforcement at the GoTrue level when performing the OIDC flow. This does remove an important security barrier, which could potentially allow "stolen" ID tokens to be used on third-party services (that have opted in to this configuration) however in the interest of flexibility and broad platform support the option is being added.
…n ODIC flow (supabase#1264) It appears that in certain client libraries that deal with the OIDC authentication flow, such as [this one for React Native on iOS](google/GoogleSignIn-iOS#244), the clients are unable to extract the nonce that is generated randomly by the library. This option allows to temporarily drop the enforcement at the GoTrue level when performing the OIDC flow. This does remove an important security barrier, which could potentially allow "stolen" ID tokens to be used on third-party services (that have opted in to this configuration) however in the interest of flexibility and broad platform support the option is being added.
|
Seems like custom nonce was released 3 weeks ago https://github.com/openid/AppAuth-iOS/releases/tag/1.7.0 , are we able to revisit this PR? |
|
Hello, However, I don't have a precise timeline for this. My estimate is that I will have time to do it in 2 months. If anyone wants to support me in prioritizing it, please consider sponsoring me on GH sponsors, or get in touch. I will edit this comment once I start working on it, so that there's no duplication of effort. |
|
can anyone help me adding the nonce parameter in the google sign in package . I really need to send a nonce in the parameter while signing in. I am ready to fork and make changes. |
|
I have opened a PR to support this: #402 |
|
So when this PR will be merged? |
|
Eagerly looking for merge! |
…n ODIC flow (supabase#1264) It appears that in certain client libraries that deal with the OIDC authentication flow, such as [this one for React Native on iOS](google/GoogleSignIn-iOS#244), the clients are unable to extract the nonce that is generated randomly by the library. This option allows to temporarily drop the enforcement at the GoTrue level when performing the OIDC flow. This does remove an important security barrier, which could potentially allow "stolen" ID tokens to be used on third-party services (that have opted in to this configuration) however in the interest of flexibility and broad platform support the option is being added.
…n ODIC flow (supabase#1264) It appears that in certain client libraries that deal with the OIDC authentication flow, such as [this one for React Native on iOS](google/GoogleSignIn-iOS#244), the clients are unable to extract the nonce that is generated randomly by the library. This option allows to temporarily drop the enforcement at the GoTrue level when performing the OIDC flow. This does remove an important security barrier, which could potentially allow "stolen" ID tokens to be used on third-party services (that have opted in to this configuration) however in the interest of flexibility and broad platform support the option is being added.
…n ODIC flow (supabase#1264) It appears that in certain client libraries that deal with the OIDC authentication flow, such as [this one for React Native on iOS](google/GoogleSignIn-iOS#244), the clients are unable to extract the nonce that is generated randomly by the library. This option allows to temporarily drop the enforcement at the GoTrue level when performing the OIDC flow. This does remove an important security barrier, which could potentially allow "stolen" ID tokens to be used on third-party services (that have opted in to this configuration) however in the interest of flexibility and broad platform support the option is being added.
Fixes: #135
Also partly fixes: #28