iOS/Android signInWithGoogle with custom parameters, prompt for permissions not showing on iOS (scopes request), unable to get refresh token

[RaduMirceaAndrei]

Hi,

I can't seem to make the sign in process with Google work with customParameters, on either iOS or Android. The end goal is to get a Google refresh token via the sign in process and be able to mint new access tokens to use different google APIs.

My code is this:

init:

if (Capacitor.isNativePlatform()) {
                    return initializeAuth(getApp(), {
                        persistence: indexedDBLocalPersistence
                    });
                } else {
                    return getAuth();
                }

call:

FirebaseAuthentication.signInWithGoogle({
  scopes: ['https://www.googleapis.com/auth/calendar.events', 'https://www.googleapis.com/auth/calendar.readonly'], 
  customParameters: [{key: 'access_type', value: 'offline'}, {key: 'prompt', value: 'consent'}]
}).then(async signInResult => {..});

logout:

await FirebaseAuthentication.signOut().then(async () => {
                const auth = getAuth();
                await signOut(auth);
})

On web, it works always and, after the account selection and password screens, i'm shown the screen for additional scopes that i requested.

On iOS: The screen for additional permissions is not shown, the sign in process skips it. If i check the access token that i receive (https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=<access_token>) I'm only seeing the "userinfo.email", "userinfo.profile" and "openid" permissions (which makes sense given the screen with the permission request is not displayed).
It may be something that i'm not doing correctly, so i appreciate any guidance you can provide on this.

On Android: The screen is shown, however, even though a consent prompt is displayed, in firebase, a refresh token is not minted and the refresh token comes up as undefined.

I can only guess that's because of the difference in how the authentication is being handled, or parameters are not sent to google in the initial request.

I've looked at bug #209 but couldn't figure out if the feature was implemented or skipped. The bug is marked as resolved.
Also checked out the documentation and i saw that there is no support for Google customParameters for iOS or Android, and if that is indeed so, it would mean it's not possible to access any Google APIs after the initial access_token expires.

I'm hoping that i'm wrong on this one and just messing up somewhere.

Clarification of the use case:
Sign in with google and then, in firebase, in a blocking cloud function, get the google refresh token from the sign in process.

I understand that google will send the refresh token in the first auth response, only if access_type=offline is set and this is also dependent on the requested scopes.
I have assigned the correct blocking functions in the Firebase console and have ticked the boxes so that the cloud function will receive the tokens.

This will work and the user will be presented with the permissions request, and the cloud functions will receive the tokens, only on web, trough a popup authentication.
The issue is on a mobile device it will not work. The cloud functions will never receive the tokens.

This is the screen that's missing on iOS:

Thank you for your time,
Mircea

[robingenz]

Hey Mircea,
The scopes option for Google Sign-In is currently only supported on Android and Web. But I could extend the support to iOS by now (see google/GoogleSignIn-iOS#23 (comment)). Feel free to create a feature request for this.

Also checked out the documentation and i saw that there is no support for Google customParameters for iOS or Android

Yes, currently no customParameters option is supported on Android and iOS for Google Sign-In.
The reason is simply that I could not find a way so far.
On iOS, according to this issue, this is simply not possible yet: google/GoogleSignIn-iOS#112

[RaduMirceaAndrei]

Got it. Thank you. I've made a feature request for the scopes for iOS and have marked this thread as answered.

As an aside, i did find a capacitor plugin for Google authentication with customParameters (at least the access_type=offline, needed for the refresh token). Unfortunately, i know next to nothing about native development so i could not adapt it to my needs (cocoapods dependency conflicts), but perhaps, it would be helpful to you, as an implementation model.

Again, thank you for your time and help!

[robingenz]

Got it. Thank you. I've made a feature request for the scopes for iOS and have marked this thread as answered.

Thanks! I will try to include it inthe next release.

As an aside, i did find a capacitor plugin for Google authentication with customParameters (at least the access_type=offline, needed for the refresh token). Unfortunately, i know next to nothing about native development so i could not adapt it to my needs (cocoapods dependency conflicts), but perhaps, it would be helpful to you, as an implementation model.

You mean the forceCodeForRefreshToken configuration option?

[RaduMirceaAndrei]

Yes. I think their forceCodeForRefreshToken config option would translate to the google auth endpoint being called with offline_access=true.

[robingenz]

Thanks! I think it should be possible to implement this. So not any custom parameters but just this specific one (access_type=offline), since the Google Sign-In SDK seems to offer an extra option for this. May I tag you for testing once a dev version is available?

[RaduMirceaAndrei]

Yes, only access_type=offline. That, coupled with the scopes implementation extended to iOS, would be all that's needed for full support and access to Google APIs, on all platforms. Please do tag me for testing, i'd love to help!