
Incorrect nonce check for google - sign in with id token

Open Lxstr opened this issue 1 year ago • 0 comments

Bug report

  • [x] I confirm this is a bug with Supabase, not with my own application.
  • [x] I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

The ID token returned by Google does not contain a hashed nonce, but currently gotrue hashes the nonce in the request and checks whether it matches the nonce in the ID token payload.

Therefore it is impossible to get a successful nonce check. This has been confirmed against the google package, which returns a successful nonce check:

https://google-auth.readthedocs.io/en/master/reference/google.oauth2.id_token.html

This has also been previously mentioned here https://github.com/supabase/auth/issues/412

Lxstr avatar Nov 03 '24 09:11 Lxstr
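An added example (not from the reporter or from the Supabase codebase) illustrating the mismatch described in the issue: when the ID token's `nonce` claim carries the raw value the client sent, hashing the request nonce before comparing can never match. The token is a constructed, unsigned fixture; a real verifier must check the signature, issuer, audience and expiry before trusting any claim.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment as used in JWTs."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def payload_nonce(id_token: str) -> Optional[str]:
    """Return the `nonce` claim from the token payload (signature is NOT verified here)."""
    payload = json.loads(b64url_decode(id_token.split(".")[1]))
    return payload.get("nonce")


def nonce_matches(token_nonce: Optional[str], request_nonce: str, hashed: bool) -> bool:
    """Compare the token's nonce with the nonce sent in the auth request.

    hashed=True reproduces the behaviour the issue describes: the request nonce is
    SHA-256 hex-digested before comparison. hashed=False compares the raw value.
    A constant-time comparison avoids leaking how many leading characters matched.
    """
    if token_nonce is None:
        return False
    expected = hashlib.sha256(request_nonce.encode()).hexdigest() if hashed else request_nonce
    return hmac.compare_digest(token_nonce, expected)


def make_unsigned_token(claims: dict) -> str:
    """Constructed test fixture only: header.payload with an empty signature segment."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


# Constructed sample: the nonce the client generated and sent in its request.
REQUEST_NONCE = "n-0S6_WzA2Mj"

# Constructed Google-style payload: the nonce claim echoes the request nonce unhashed.
GOOGLE_STYLE_TOKEN = make_unsigned_token(
    {"iss": "https://accounts.google.com", "nonce": REQUEST_NONCE}
)

if __name__ == "__main__":
    claim = payload_nonce(GOOGLE_STYLE_TOKEN)
    print("hashed compare  :", nonce_matches(claim, REQUEST_NONCE, hashed=True))
    print("raw compare     :", nonce_matches(claim, REQUEST_NONCE, hashed=False))
```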