Google-signin: GoogleAuthUtil Migration

Created on 5 Mar 2019  路  10Comments  路  Source: react-native-google-signin/google-signin

Addressing Google's comment:

If you are using GoogleAuthUtil.getToken or Plus.API, you should migrate to the newest Sign-In API for greater security and a better user experience.

react-native-google-signin currently uses GoogleAuthUtil.getToken by default, which Google recommends only in specific cases such as "if you need an access token directly, e.g. protocols like SASL XOAUTH2."

There are 3 other flows that might be more suitable and secure for most uses cases:

  • To authorize and use REST API in you Android app, check out: Authorizing with Google for REST APIs
  • To authenticate with a backend server, use Google Sign-In API to retrieve an ID token
  • To enable server-side access, use Google Sign-In API to retrieve an auth code

The only change required by the id token and auth code flows seem to be in the GoogleSignInOptions call, so maybe we can add an option in the JS call to specify a specific flow?

picture hery

All 10 comments

(Following up #595)

hery picture hery on 5 Mar 2019

quick comment: we already support id token and auth code, the only problem is that the deprecated GoogleAuthUtil.getToken is executed for each login, for parity with ios. It would likely make sense to remove that call from login procedure and leave it available through https://github.com/react-native-community/react-native-google-signin#gettokens

PRs welcome

vonovak picture vonovak on 5 Mar 2019

I see, so basically implementing that.

I didn't realize id token and auth code were already supported, thank you!

hery picture hery on 5 Mar 2019

Also just to clear that up, the token methods using accountName strings are deprecated, but the ones using accounts are not.

hery picture hery on 5 Mar 2019

@hery would you be willing to open a PR for this? Thanks.

vonovak picture vonovak on 5 Mar 2019
👍1

@vonovak Sure I can do that. One last thing to clear up before I dig in, should we either

  1. Replace the deprecated GoogleAuthUtil.getToken methods with the non-deprecated methods?
  2. Remove the GoogleAuthUtil.getToken from the login procedure?
  3. All of the above?

Thanks!

hery picture hery on 6 Mar 2019
  1. we do not use the deprecated methods, so keep as-is
  2. that's it - please refer to https://github.com/react-native-community/react-native-google-signin/issues/595#issuecomment-469655790

thanks!

vonovak picture vonovak on 6 Mar 2019
👍1

@hery do you plan to take a look at this? If you haven't started, I might have time to do it this weekend.

vonovak picture vonovak on 15 Mar 2019
👍1

Hi @vonovak, sorry about the lack of activity, we ended up doing the update without GoogleAuthUtil migration and I got busy with other features. I'll let you know when I can tackle this.

hery picture hery on 9 Apr 2019

PR https://github.com/react-native-community/react-native-google-signin/pull/649/files

vonovak picture vonovak on 16 Apr 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

ChaoTzuJung picture ChaoTzuJung  路  3Comments
ghost picture ghost  路  4Comments
GrishmaM picture GrishmaM  路  3Comments
havinhthai picture havinhthai  路  3Comments
pawellewandowski picture pawellewandowski  路  4Comments