[google_sign_in] iOS incremental auth - Can't switch account and already granted scopes are not included

[remideneleaodocs]

PR#2599 introduced the ability to request additional scopes after sign-in (incremental auth), allowing to request access to sensitive data only when needed and in the context where it makes sense to the user (cf. Requesting additional scopes on Android / on iOS).

While it works perfectly on Android, it is not really usable on iOS for 2 reasons:

• You can't switch to another Google account without closing / reopening your app
  After granting additional scopes using the requestScopes() method for Account A, you can't sign out to switch to Account B without closing / reopening your app. Indeed if you call signOut() and then signIn() to select Account B, the account chooser is not displayed and Account A is automatically selected and used.
  It seems to be related to the way the additional permission request is implemented on iOS: it sets the loginHint of the GIDSignIn sharedInstance with the current user email before calling signIn(). But then, when calling signOut() the loginHint (and the scopes) of the sharedInstance are not cleared, so they are reused next time signIn() is called.

  The current requestScopes() method implementation corresponds to what was described in the the Google Identity documentation:

  

  But the documentation was updated on July 13, advising to use the addScopes method instead:

  

  The addScopes methods was introduced in the recent 6.0 release of GoogleSignIn iOS for which an issue (#86436) was opened a few days ago, to update the dependency. I don't know if this method will fix the issue but I hope so, at least it doesn't seem to modify a "shared instance" to do the additional permissions request.

• Already granted scopes are not included at next sign in

  • Instantiate a GoogleSignIn() with minimal scopes, e.g. GoogleSignIn(scopes: ['email', 'profile']);
  • Later grant additional scopes, e.g. requestScopes(['https://www.googleapis.com/auth/drive.file']),
  • Then call signOut(),
  • Close your app,
  • Launch your app, which will instantiate a GoogleSignIn() with minimal scopes
  • Call signIn() and select your account

  You obtain an access token with only the email and profile scopes, so only the scopes declared when instantiating the GoogleSignIn() are requested. Already granted scopes are not included and there is no option to include them (like when using the include_granted_scopes option when doing Web sign-in), whereas on Android already granted scopes are included when you sign in back.

[jmagman]

@remidenele Thank you for the detailed report. We'll test this flow when we adopt 6.0. #86436

[LiveLikeCounter]

@remidenele great job, reporting here! I got exactly the same situation.
Do you have a work a round for this at the moment?

[remideneleaodocs]

@LiveLikeCounter Unfortunately no...
I'm only using incremental auth on Android for now. On iOS I'm requesting all scopes at sign-in to prevent later problems as exposed in this issue.

My current implementation on iOS is to:

1. give as much context as possible to the user before starting the Google authorization flow at sign-in
   

2. check that the obtained access token contains all the scopes (in case the user unchecks some of the scopes in the Google auth dialog) by calling oauth2.tokenInfo and prevent the user to use the app if some scopes are missing.

That's far from ideal but I don't have a better solution for now. I've also concerns because it appears that the 6.0 release of GoogleSignIn iOS doesn't allow scopes to be requested at the same time as sign in, as noted by @jmagman.

[lightspect]

I have a similar issue to this, specifically login with a different account with different scopes. My app has 2 login features:

1. Login to sign in to the app using google account
2. Connect to a youtube account while sign in.

On Android it work perfectly, while in IOS, if I login using a Google account then connect to youtube using the same account or a different account with different scopes, the first time it throw Request had insufficient authentication scopes error, after that I can connect to Youtube account normally. This only happen in IOS the first time connect to Youtube after login.

[som-R91]

Hi

When is this issue expected to be fixed? According to the following quote, this should be a relatively simple fix.

• But then, when calling signOut() the loginHint (and the scopes) of the sharedInstance are not cleared, so they are reused next time signIn() is called.

Also, is there a way to fetch all the authorized scopes from GoogleOauth2Api.tokenInfo.scope when any google user signs in, regardless of what scopes were used in GoogleSignIn during the sign in process? GoogleSignIn.scopes

I'd appreciate any help I can get. 😇

[jmagman]

• You can't switch to another Google account without closing / reopening your app
  After granting additional scopes using the requestScopes() method for Account A, you can't sign out to switch to Account B without closing / reopening your app. Indeed if you call signOut() and then signIn() to select Account B, the account chooser is not displayed and Account A is automatically selected and used.

@remidenele I tested on flutter/plugins#5708 and I now see the app switcher.

• Already granted scopes are not included at next sign in
  You obtain an access token with only the email and profile scopes, so only the scopes declared when instantiating the GoogleSignIn() are requested. Already granted scopes are not included

Also tested on flutter/plugins#5708, the previously granted scopes are granted again.

if I login using a Google account then connect to youtube using the same account or a different account with different scopes, the first time it throw Request had insufficient authentication scopes error, after that I can connect to Youtube account normally.

@lightspect I suspect your case will also be fixed by flutter/plugins#5708.

[jmagman]

Would appreciate test coverage of flutter/plugins#5708. You can get it explicitly by adding google_sign_in_ios: ^5.3 to your pubspec. If you see any bugs, please file new GitHub issues and @ me.