supabase signInWithIdToken not working: Nonces mismatch

Question

supabase signInWithIdToken not working: Nonces mismatch

saadHeisentech opened this issue a year ago · 23 comments

// using this library for decoding
import jwtDecode from 'jwt-decode'

const handleLogin = async () => {
    setLoading(true);
    try {
      await GoogleSignin.hasPlayServices();
      const u = await GoogleSignin.signIn();
      // get the nonce value
      const nonce = jwtDecode<any>(u.idToken!);
      const { nonce: nonceVal } = nonce!;
      // login to supabase
      const { data, error } = await supabase.auth.signInWithIdToken({
        provider: 'google',
        token: u.idToken!,
        nonce: nonceVal,
      });
      console.log('supabase data:', data);
      if (error) {
        console.log('Supabase error:', error);
      }
      if (data.user) {
        // do something
      }
    } catch (err) {
      console.log(err);
    } finally {
      setLoading(false);
    }
  };

Answer 1 · 2023-07-07T14:16:48.000Z

Did you try to also pass the access token in the signInWithIdToken function?

Answer 2 · 2023-07-09T12:14:50.000Z

Did you try to also pass the access token in the signInWithIdToken function?

Passing access_token along with id_token does not solve the error: [AuthApiError: Passed nonce and nonce in id_token should either both exist or not.]

Answer 3 · 2023-07-12T03:12:57.000Z

+1 having the same issue :(

Answer 4 · 2023-07-14T13:38:06.000Z

is there any solution I am having exactly same issue

Answer 5 · 2023-07-18T09:56:52.000Z

I've been blocked on this for a while now. My code is nearly identical to the OP. I'm getting the nonce from jwt-decode, but passing it in the signInWithIdToken() call only changes the error from 'Passed nonce and nonce in id_token should either both exist or not' to nonces mismatch. Anyone have any suggestions or solutions?

It seems like the signInWithIdToken() isn't behaving as expected, or I'm missing something.

Answer 6 · 2023-07-20T13:09:07.000Z

To my understanding Supabase expects the nonce to be the decoded version of the nonce present in the ID token received from google, hence why passing the nonce from the ID token doesnt work as it will get its hash and match them for equality.
Unfortunately I cannot find any way to get the nonce before its encoded in the ID token. Any ideas?

/** If the ID token contains a `nonce` claim, then the hash of this value is compared to the value in the ID token. */
nonce?: string

Answer 7 · 2023-07-21T07:41:58.000Z

Hate to say it, but it doesn't look like this will work currently. Supabase requires a nonce if it's in the token, and react native doesn't expose the nonce in its current implementation. Unless I've got something wrong, native signin on iOS with supabase and react-native isn't possible at this time. Either supabase has to modify the endpoint (unlikely) or react-native has to expose the nonce (unlikely any time soon, I assume).

Answer 8 · 2023-08-11T08:30:20.000Z

Hello and thanks for reporting,
~~I did not test this, and it may not work, but~~ the next version of the google sign in library obtainable for sponsors here allows passing custom nonce. Maybe that will work.
edit: it only allows that on Android

edit2: I tested this and it works, can be used like this:

 const nonce = Crypto.randomUUID()
 const hashedNonce = await digestStringAsync(CryptoDigestAlgorithm.SHA256, nonce)
 const userInfo = await GoogleOneTapSignIn.signIn({
      webClientId,
      nonce: hashedNonce,
    })

Thank you 🙂

Answer 9 · 2023-09-22T07:18:18.000Z

quick update: passing custom nonce works as outlined in the post above, for Android.

For iOS, I confirm that a valid idToken for supabase can be obtained using https://docs.expo.dev/versions/latest/sdk/auth-session/ (edit: no need to use any of the deprecated APIs)

edit2: please note rn-google sign in does not expose nonce option because the underlying native sdk doesn't expose it either

related issue: supabase/gotrue#1205 (comment)

Answer 10 · 2023-09-23T23:14:41.000Z

Facing the same issue AuthApiError: Passed nonce and nonce in id_token should either both exist or not.

Any workaround?

Answer 11 · 2023-09-24T00:24:09.000Z

Expo auth session for Google auth is deprecated: https://docs.expo.dev/versions/latest/sdk/auth-session/#googleauthrequestconfig

Answer 12 · 2023-09-24T15:20:52.000Z

Hi everyone, I got it working by using the browser

Made a gist for everyone who is struggling to solve this:

https://gist.github.com/sonipranjal/f4a66f35924ede2e2f4a8d5b66199857

Answer 13 · 2023-09-26T17:24:08.000Z

I am having the same problem, it seems like @react-native-google-signin/google-signin and supabase are not compatible because there is currently no way to get the nonce value expected by supabase signInWithIdToken method

Answer 14 · 2023-10-03T11:05:00.000Z

Same problem here, the library is useless if we can't get, or pass, the nonce value...

Answer 15 · 2023-10-03T18:25:57.000Z

same problem here...

Answer 16 · 2023-10-03T18:45:03.000Z

hello everyone, I'm going to lock this discussion because there's nothing new that can be added to it at this point.

To summarize (basically repeating this comment): to provide custom nonce:

on Android, you need to use one-tap sign in which is available for sponsors.
on iOS, it can be implemented using expo's authSession (it's not trivial, but can be done - you can hire me if you're unsure how to do it), or using the workaround posted above.

Thank you! 🙂