Supabase Google Login on iOS

Introduction

This guide will help you integrate Google Sign-In with Supabase Authentication on iOS. It is assumed that you have already completed:

• the Google Login iOS setup
• the Supabase Google Login - General Setup.

Implementation

The complete implementation is available in the example app’s supabaseAuthUtils.ts file. This guide explains the key concepts and how to use it.

Using the Authentication Helper

The authenticateWithGoogleSupabase function handles the entire authentication flow:

import { authenticateWithGoogleSupabase } from './supabaseAuthUtils';

const result = await authenticateWithGoogleSupabase();
if (result.success) {
  console.log('Signed in:', result.user);
  // Navigate to your authenticated area
} else {
  console.error('Error:', result.error);
}

How It Works

For a detailed explanation of how the authentication flow works, including nonce generation, JWT validation, and Supabase sign-in, see the How It Works section in the General Setup guide.

Important Caveats

iOS Token Caching and Nonce Issues

iOS Nonce Caching Issue

On iOS, Google Sign-In can cache tokens, which may cause the nonce validation to fail. The validateJWTToken function detects this and automatically handles it:

1. Automatic Detection: The function checks if the nonce in the token matches the expected nonceDigest
2. Automatic Retry: If validation fails, it automatically logs out from Google and retries once
3. Error Handling: If the retry also fails, an error is returned

Why this happens: iOS Google Sign-In SDK caches tokens for performance. When a cached token is returned, it may have been generated with a different nonce (or no nonce), causing a mismatch.

The solution: The implementation automatically handles this by logging out and retrying, which forces Google to generate a fresh token with the correct nonce.

Manual Workaround (if automatic retry doesn’t work):

// Logout first to clear cached tokens
await SocialLogin.logout({ provider: 'google' });

// Then authenticate
const result = await authenticateWithGoogleSupabase();

This ensures a fresh token is obtained with the correct nonce.

For the complete code reference, see the Complete Code Reference section in the General Setup guide.

Important Notes

Nonce Handling

The nonce implementation follows the pattern from the React Native Google Sign In documentation:

• rawNonce goes to Supabase’s signInWithIdToken()
• Supabase makes a hash of rawNonce and compares it with the nonceDigest which is included in the ID token from Google Sign-In
• nonceDigest (SHA-256 hash, hex-encoded) goes to the nonce parameter in Google Sign-In APIs

Automatic Retry Mechanism

The authenticateWithGoogleSupabase function includes a retry parameter:

• First call (retry=false): If validation fails, automatically logs out and retries once
• Retry call (retry=true): If validation fails again, immediately returns an error

This handles the iOS token caching issue automatically.

Troubleshooting

If authentication fails:

• Nonce mismatch: The function automatically retries - check console logs for details. If it persists, manually logout first
• Invalid audience: Verify your Google Client IDs match in both Google Cloud Console and Supabase (both iOS and Web client IDs)
• Token validation fails: Ensure you’re using mode: 'online' in the initialize call to get an idToken
• Info.plist configuration: Ensure Info.plist has the correct URL schemes and GIDClientID
• Review the example app code for reference