[google_sign_in] iOS incremental auth - Can't switch account and already granted scopes are not included #86660

remideneleaodocs · 2021-07-19T16:28:08Z

PR#2599 introduced the ability to request additional scopes after sign-in (incremental auth), allowing to request access to sensitive data only when needed and in the context where it makes sense to the user (cf. Requesting additional scopes on Android / on iOS).

While it works perfectly on Android, it is not really usable on iOS for 2 reasons:

You can't switch to another Google account without closing / reopening your app
After granting additional scopes using the requestScopes() method for Account A, you can't sign out to switch to Account B without closing / reopening your app. Indeed if you call signOut() and then signIn() to select Account B, the account chooser is not displayed and Account A is automatically selected and used.
It seems to be related to the way the additional permission request is implemented on iOS: it sets the loginHint of the GIDSignIn sharedInstance with the current user email before calling signIn(). But then, when calling signOut() the loginHint (and the scopes) of the sharedInstance are not cleared, so they are reused next time signIn() is called.

The current requestScopes() method implementation corresponds to what was described in the the Google Identity documentation:

But the documentation was updated on July 13, advising to use the addScopes method instead:

The addScopes methods was introduced in the recent 6.0 release of GoogleSignIn iOS for which an issue (#86436) was opened a few days ago, to update the dependency. I don't know if this method will fix the issue but I hope so, at least it doesn't seem to modify a "shared instance" to do the additional permissions request.
Already granted scopes are not included at next sign in
- Instantiate a GoogleSignIn() with minimal scopes, e.g. GoogleSignIn(scopes: ['email', 'profile']);
- Later grant additional scopes, e.g. requestScopes(['https://www.googleapis.com/auth/drive.file']),
- Then call signOut(),
- Close your app,
- Launch your app, which will instantiate a GoogleSignIn() with minimal scopes
- Call signIn() and select your account
You obtain an access token with only the email and profile scopes, so only the scopes declared when instantiating the GoogleSignIn() are requested. Already granted scopes are not included and there is no option to include them (like when using the include_granted_scopes option when doing Web sign-in), whereas on Android already granted scopes are included when you sign in back.

The text was updated successfully, but these errors were encountered:

jmagman · 2021-07-20T00:21:04Z

@remidenele Thank you for the detailed report. We'll test this flow when we adopt 6.0. #86436

LiveLikeCounter · 2021-08-05T14:38:05Z

@remidenele great job, reporting here! I got exactly the same situation.
Do you have a work a round for this at the moment?

remideneleaodocs · 2021-08-05T15:23:10Z

@LiveLikeCounter Unfortunately no...
I'm only using incremental auth on Android for now. On iOS I'm requesting all scopes at sign-in to prevent later problems as exposed in this issue.

My current implementation on iOS is to:

give as much context as possible to the user before starting the Google authorization flow at sign-in
check that the obtained access token contains all the scopes (in case the user unchecks some of the scopes in the Google auth dialog) by calling oauth2.tokenInfo and prevent the user to use the app if some scopes are missing.

That's far from ideal but I don't have a better solution for now. I've also concerns because it appears that the 6.0 release of GoogleSignIn iOS doesn't allow scopes to be requested at the same time as sign in, as noted by @jmagman.

lightspect · 2021-12-02T11:17:01Z

I have a similar issue to this, specifically login with a different account with different scopes. My app has 2 login features:

Login to sign in to the app using google account
Connect to a youtube account while sign in.

On Android it work perfectly, while in IOS, if I login using a Google account then connect to youtube using the same account or a different account with different scopes, the first time it throw Request had insufficient authentication scopes error, after that I can connect to Youtube account normally. This only happen in IOS the first time connect to Youtube after login.

som-R91 · 2022-02-18T12:34:15Z

Hi

When is this issue expected to be fixed? According to the following quote, this should be a relatively simple fix.

But then, when calling signOut() the loginHint (and the scopes) of the sharedInstance are not cleared, so they are reused next time signIn() is called.

Also, is there a way to fetch all the authorized scopes from GoogleOauth2Api.tokenInfo.scope when any google user signs in, regardless of what scopes were used in GoogleSignIn during the sign in process? GoogleSignIn.scopes

I'd appreciate any help I can get. 😇

jmagman · 2022-05-19T00:43:51Z

You can't switch to another Google account without closing / reopening your app
After granting additional scopes using the requestScopes() method for Account A, you can't sign out to switch to Account B without closing / reopening your app. Indeed if you call signOut() and then signIn() to select Account B, the account chooser is not displayed and Account A is automatically selected and used.

@remidenele I tested on flutter/plugins#5708 and I now see the app switcher.

Already granted scopes are not included at next sign in
You obtain an access token with only the email and profile scopes, so only the scopes declared when instantiating the GoogleSignIn() are requested. Already granted scopes are not included

Also tested on flutter/plugins#5708, the previously granted scopes are granted again.

if I login using a Google account then connect to youtube using the same account or a different account with different scopes, the first time it throw Request had insufficient authentication scopes error, after that I can connect to Youtube account normally.

@lightspect I suspect your case will also be fixed by flutter/plugins#5708.

jmagman · 2022-05-19T18:30:39Z

Would appreciate test coverage of flutter/plugins#5708. You can get it explicitly by adding google_sign_in_ios: ^5.3 to your pubspec. If you see any bugs, please file new GitHub issues and @ me.

9095

github-actions · 2022-06-02T19:00:54Z

This thread has been automatically locked since there has not been any recent activity after it was closed. If you are still experiencing a similar issue, please open a new bug, including the output of flutter doctor -v and a minimal reproduction of the issue.

jmagman added P2 Important issues not at the top of the work list p: first party p: google_sign_in The Google Sign-In plugin platform-ios iOS applications specifically labels Jul 20, 2021

darshankawar added the passed first triage label Jul 28, 2021

jmagman mentioned this issue May 19, 2022

[google_sign_in] Upgrade to GoogleSignIn 6.2, support arm64 simulators flutter/plugins#5708

Merged

11 tasks

fluttergithubbot closed this as completed in flutter/plugins#5708 May 19, 2022

github-actions bot locked as resolved and limited conversation to collaborators Jun 2, 2022

flutter-triage-bot bot added the package flutter/packages repository. See also p: labels. label Jul 5, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[google_sign_in] iOS incremental auth - Can't switch account and already granted scopes are not included #86660

[google_sign_in] iOS incremental auth - Can't switch account and already granted scopes are not included #86660

[google_sign_in] iOS incremental auth - Can't switch account and already granted scopes are not included #86660

[google_sign_in] iOS incremental auth - Can't switch account and already granted scopes are not included #86660

Comments