
Supabase Google Login on iOS

This guide will help you integrate Google Sign-In with Supabase Authentication on iOS. It is assumed that you have already completed:

The complete implementation is available in the example app’s supabaseAuthUtils.ts file. This guide explains the key concepts and how to use it.

The authenticateWithGoogleSupabase function handles the entire authentication flow:

import { authenticateWithGoogleSupabase } from './supabaseAuthUtils';
const result = await authenticateWithGoogleSupabase();
if (result.success) {
  console.log('Signed in:', result.user);
  // Navigate to your authenticated area
} else {
  console.error('Error:', result.error);
}

For a detailed explanation of how the authentication flow works, including nonce generation, JWT validation, and Supabase sign-in, see the How It Works section in the General Configuration Guide.

iOS Nonce Caching Issue

On iOS, Google Sign-In can cache tokens, which may cause the nonce validation to fail. The validateJWTToken function detects this and automatically handles it:

  1. Automatic Detection: The function checks if the nonce in the token matches the expected nonceDigest
  2. Automatic Retry: If validation fails, it automatically logs out from Google and retries once
  3. Error Handling: If the retry also fails, an error is returned

Why this happens: iOS Google Sign-In SDK caches tokens for performance. When a cached token is returned, it may have been generated with a different nonce (or no nonce), causing a mismatch.

The solution: The implementation automatically handles this by logging out and retrying, which forces Google to generate a fresh token with the correct nonce.

Manual Workaround (if automatic retry doesn’t work):

// Logout first to clear cached tokens
await SocialLogin.logout({ provider: 'google' });
// Then authenticate
const result = await authenticateWithGoogleSupabase();

This ensures a fresh token is obtained with the correct nonce.

For the complete code reference, see the Complete Code Reference section in the General Configuration Guide.

The nonce implementation follows the pattern from the React Native Google Sign In documentation:

  • rawNonce goes to Supabase’s signInWithIdToken()
  • Supabase hashes rawNonce and compares the result with the nonceDigest included in the ID token from Google Sign-In
  • nonceDigest (SHA-256 hash, hex-encoded) goes to the nonce parameter in Google Sign-In APIs

The authenticateWithGoogleSupabase function includes a retry parameter:

  • First call (retry=false): If validation fails, automatically logs out and retries once
  • Retry call (retry=true): If validation fails again, immediately returns an error

This handles the iOS token caching issue automatically.
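The nonce pattern and the retry-once behaviour described above, as an added sketch that is not the plugin's or the example app's code. All function names here are hypothetical, `googleLogin` and `googleLogout` are injected stand-ins for the plugin's login and logout calls, and Node's crypto module is used so the sketch runs offline (an app would use the hashing available in its WebView).

```javascript
const { createHash, randomBytes } = require('node:crypto');

function sha256Hex(value) {
  return createHash('sha256').update(value, 'utf8').digest('hex');
}

// rawNonce is later given to Supabase; nonceDigest (SHA-256, hex) is given to Google.
function createNoncePair() {
  const rawNonce = randomBytes(16).toString('hex');
  return { rawNonce, nonceDigest: sha256Hex(rawNonce) };
}

// Decodes the JWT payload only. No signature is verified here; this is a
// local pre-check for a stale cached token, not a trust decision.
function readNonceClaim(idToken) {
  const parts = String(idToken).split('.');
  if (parts.length !== 3) return null;
  try {
    const claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
    return typeof claims.nonce === 'string' ? claims.nonce : null;
  } catch {
    return null; // payload was not valid base64url-encoded JSON
  }
}

function nonceMatches(idToken, nonceDigest) {
  const claim = readNonceClaim(idToken);
  return claim !== null && claim === nonceDigest; // a missing claim never matches
}

// First call (retry=false): on mismatch, log out and try once more with a new nonce.
// Retry call (retry=true): on mismatch, return an error immediately.
async function signInWithFreshNonce({ googleLogin, googleLogout }, retry = false) {
  const { rawNonce, nonceDigest } = createNoncePair();
  const idToken = await googleLogin(nonceDigest);
  if (nonceMatches(idToken, nonceDigest)) {
    // rawNonce (not the digest) is what goes to Supabase's signInWithIdToken()
    return { success: true, idToken, rawNonce };
  }
  if (retry) return { success: false, error: 'nonce mismatch after retry' };
  await googleLogout(); // clears the cached token
  return signInWithFreshNonce({ googleLogin, googleLogout }, true);
}

// Constructed, unsigned token for the demo; real ID tokens are signed by Google.
function fakeIdToken(claims) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${b64({ alg: 'none' })}.${b64(claims)}.sig`;
}
```
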

If authentication fails:

  • Nonce mismatch: The function automatically retries. Check the console logs for details. If it persists, manually log out first
  • Invalid audience: Verify your Google Client IDs match in both Google Cloud Console and Supabase (both iOS and Web client IDs)
  • Token validation fails: Ensure you’re using mode: 'online' in the initialize call to get an idToken
  • Info.plist Configuration: Ensure Info.plist has the correct URL schemes and GIDClientID
  • Review the example app code for reference