
@vonovak
Contributor

@vonovak vonovak commented Apr 28, 2024

Uses: openid/AppAuth-iOS#788. Motivation is explained there and also in issue #135

Fixes: #135

Supersedes: #244. It takes a slightly different approach where nonce is not provided via GIDConfiguration but via a parameter to signInWithPresentingViewController/Window

@google-cla

google-cla bot commented Apr 28, 2024

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@mdmathias
Collaborator

@vonovak did you sign the CLA? I can take a look at the PR after you confirm.

@vonovak
Contributor Author

vonovak commented May 24, 2024

hello @mdmathias yes I did! :)


@mdmathias mdmathias self-requested a review June 4, 2024 19:07
@vonovak vonovak requested a review from mdmathias June 6, 2024 10:16
@vonovak vonovak requested a review from mdmathias July 16, 2024 08:22
@vonovak
Contributor Author

vonovak commented Aug 6, 2024

hello @mdmathias, would you please re-review the PR? Thank you! 🙂

@GNUGradyn

Can we get this merged? This issue is blocking my app

@NorseGaud

Bumpziez

@mdmathias
Collaborator

@vonovak could you take a look at the test failures? An example:

- WARN | xcodebuild: /Users/runner/work/GoogleSignIn-iOS/GoogleSignIn-iOS/GoogleSignIn/Tests/Unit/OIDAuthorizationRequest+Testing.h:23:17: warning: pointer is missing a nullability type specifier (_Nonnull, _Nullable, or _Null_unspecified) [-Wnullability-completeness]

@vonovak
Contributor Author

vonovak commented Aug 14, 2024

@mdmathias can you re-run the workflows? TY 🙂

@elyobo

elyobo commented Aug 23, 2024

Tests all passing @mdmathias 👀

@vonovak
Contributor Author

vonovak commented Sep 5, 2024

@mdmathias may I ask if there's anything blocking this PR from merging? The discussion is resolved and CI is green.
Is there anything we're waiting for?
Thank you

@brnnmrls
Member

Update to those using Google Sign-In 8.1.0-vwg-eap-1.0.x to fix this issue, you should know that we are getting rid of these pre-releases soon. Please use official release Google Sign-In 9.0.0 instead.

@vonovak
Contributor Author

vonovak commented Jul 10, 2025

> Update to those using Google Sign-In 8.1.0-vwg-eap-1.0.x to fix this issue, you should know that we are getting rid of these pre-releases soon. Please use official release Google Sign-In 9.0.0 instead.

@brnnmrls Can you please clarify what you mean by that? That version has been published more than half a year ago, and people depend on it. It's also about compatibility with other libraries like firebase, not everybody can upgrade to latest right away.

Thank you

@brnnmrls
Member

> > Update to those using Google Sign-In 8.1.0-vwg-eap-1.0.x to fix this issue, you should know that we are getting rid of these pre-releases soon. Please use official release Google Sign-In 9.0.0 instead.
>
> @brnnmrls Can you please clarify what you mean by that? That version has been published more than half a year ago, and people depend on it. It's also about compatibility with other libraries like firebase, not everybody can upgrade to latest right away.
>
> Thank you

I appreciate you raising this! We recognize that many clients, particularly with dependencies like Firebase, are using 8.1.0-vwg-eap-1.0.0 and may face difficulties upgrading immediately.

However, these versions were always temporary pre-releases. As pre-releases, they inherently carried the risk of change or eventual deprecation, even if they included the fix for the NONCE issue. Google Sign-In 9.0.0 is our stable, long-term solution. We've notified clients via GitHub and email, and our strong recommendation is to migrate to version 9.0.0 for stable, supported functionality.

@vonovak
Contributor Author

vonovak commented Jul 11, 2025

@brnnmrls okay, can you please give a timeline for this?

> However, these versions were always temporary pre-releases.

The release notes didn't say these versions were "temporary"; please document that next time you have these intentions. Personally, I find the idea of publishing something "temporarily" odd but that's for a different discussion.

Thank you

@brnnmrls
Member

> @brnnmrls okay, can you please give a timeline for this?
>
> > However, these versions were always temporary pre-releases.
>
> The release notes didn't say these versions were "temporary"; please document that next time you have these intentions. Personally, I find the idea of publishing something "temporarily" odd but that's for a different discussion.
>
> Thank you

Apologies for the confusion! By "temporary," I meant that, as pre-releases, they inherently carried the risk of being changed, having their APIs evolve, or eventually being deleted. This differs from our official, stable releases. Though, we understand many clients came to rely on these. Yes, we'll do a better job at documenting the lifecycle and potential for deletion of any future pre-releases.

As for timeline, we plan to remove these pre-releases from GitHub by July 18th.

As far as I know, migrating to Google Sign-In 9.0.0 should largely involve simply updating the dependency. There were no critical API changes in the major release affecting core Sign-In functionality. However, macOS users will need to add $(AppIdentifierPrefix)$(CFBundleIdentifier) to their keychain access group for credential storage (ref).

If you have further information on how we can help make this a smoother process for your team, please let me know.

@vonovak
Contributor Author

vonovak commented Jul 11, 2025

@brnnmrls

> By "temporary," I meant that, as pre-releases, they inherently carried the risk of being changed, having their APIs evolve, or eventually being deleted.

Pre-release software carries the risk of being broken, unstable or changed (that goes for any software) - I agree.

But I'm having a hard time seeing why software that's out there and depended on would be removed, and to have that happen in 2 weeks after you publish the next stable - I'm sorry but can we make that at least 2 months (pretty please)?

In some ecosystems, unpublishing packages isn't possible unless there's a security reason for that.

Not that it matters, but I find it anecdotal that it took ~ 22 months since my original PR in AppAuth-iOS for the nonce feature to make it into a stable release and now it'll be 2 weeks to migrate. It's not a problem for me, but it could be for a lot of others. Please give more time to migrate.

edit: I hope we're talking about the same thing. Are you talking about removing the release from cocoapods? (that's what I'm talking about). You mentioned removing from GitHub. I don't care about GitHub releases, I care about the cocoapods.

Thank you ❤️

@brnnmrls
Member

> But I'm having a hard time seeing why software that's out there and depended on would be removed, and to have that happen in 2 weeks after you publish the next stable - I'm sorry but can we make that at least 2 months (pretty please)?

I hear your concern about the timeline and the impact of removing those pre-releases. We definitely want to find the best transition for everyone, especially given the dependencies involved.

I'm going to discuss this directly with my team and will get back to you with an update next week.

Thanks for sharing!

@brnnmrls
Member

Responding with an update! We're delaying the removal of these pre-releases until two months after the 9.0.0 release was made. As a reminder, developers will need to migrate off of these pre-releases by early September.

> edit: I hope we're talking about the same thing. Are you talking about removing the release from cocoapods? (that's what I'm talking about). You mentioned removing from GitHub. I don't care about GitHub releases, I care about the cocoapods.

@vonovak Replying to your edit, the releases will be removed from both GitHub and CocoaPods.

Thanks for your help!

@NorseGaud

Woo, it's an early Christmas!

@vonovak
Contributor Author

vonovak commented Jul 15, 2025

@brnnmrls thank you, much appreciated! 🙏

@brnnmrls
Member

brnnmrls commented Sep 4, 2025

Hey everyone!

This is a final reminder that these pre-releases will be removed very soon from GitHub and CocoaPods. If you haven't already, please migrate to the official 9.0.0 release, which is our stable, long-term solution.

Thanks!

@vonovak
Contributor Author

vonovak commented Oct 1, 2025

@brnnmrls would you please consider releasing the previous EAP with custom nonce as a stable version 8.1?

Version 9 comes with issues: #547 and openid/AppAuth-iOS#933, which I'm seeing reports of only after switching to v9.

There are no public reproducers of those issues, but they are happening and forcing people to downgrade to v8 (without this feature), or use broken v9.

Thank you

@joannetsaii

Hi @vonovak, the team is currently investigating issue #547 and will provide an update here once we have a solution or have decided to do another release for this fix.

@Chiratna

Chiratna commented Oct 7, 2025

Hey @joannetsaii.
We have been experiencing #547 with our mobile app and it started to pop up after the upgrade to 9.0.0. The crash seems to happen every time we are redirected to an external browser for login.

Some interesting observations that we have had:

  1. The issue of being redirected is very prominent on iOS 18 but not on iOS 26. We tried reproducing it on iOS 26 but even after several attempts we were never getting redirected.
  2. On iOS 18, somehow the first sign-in attempt doesn't redirect, but subsequent sign-in attempts do. Again very typical of iOS 18, not being able to replicate this on iOS 26 as of now.
  3. On iOS 18, I sign in... went inside my app... signed out and I quickly try to sign in again... I am getting redirected... but let's say I sign out and I try to sign in again but after some time... I am not getting redirected.

I find these behaviours very weird and I am not able to link them. But wanted to flag out my findings in case it helps.

@vonovak
Contributor Author

vonovak commented Oct 30, 2025

@joannetsaii @brnnmrls hello, could you please please release the previous EAP with custom nonce as a stable version 8.1?

The issue #547 is now open for more than 2 months with no resolution. People are forced to downgrade to v8 (without custom nonce), or use broken v9. Can we please get that stable released?
The custom nonce feature is already released in the (buggy) stable v9.0 without any changes from the EAP version so I don't see why releasing v8.1 would be an issue.
Thank you!

Development

Successfully merging this pull request may close these issues.

How to pass in nonce?