google / google-api-javascript-client

Google APIs Client Library for browser JavaScript, aka gapi.
Apache License 2.0

Google One Tap Javascript API/HTML API does not return nonce in JWT in Safari #843

Open indeewari opened 1 year ago

indeewari commented 1 year ago

Hi Team,

Summary: When Google One Tap is implemented using the Javascript API/HTML API including a nonce, the returned JWT is missing the nonce in the Safari browser. Chrome and Firefox return the nonce as expected.

Please refer to the code used.

 const initializeGSI = () => {
    google.accounts.id.initialize({
      client_id: '132-xxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com',
      cancel_on_tap_outside: false,
      nonce: '7342364',           // value expected back as the `nonce` claim of the returned JWT
      callback: onOneTapSignedIn  // handler that receives the credential (defined elsewhere)
    });
 };

Using "itp_support" did not make any change on this.

This behaviour remains the same for both the Javascript API and the HTML API.

When "Prevent cross-site tracking" is disabled in Safari, the nonce is returned and works as expected. Since Safari has this setting enabled by default, we have to ask customers to disable this option to enable Google One Tap. Is any workaround available?

Browser(s)/Version(s): Safari Version 16.1 (18614.2.9.1.12)

Expected Behavior: Google One Tap should return the nonce in the JWT when it is included in the initialize call.

Actual Behavior: The returned JWT is missing the nonce even though it is included at initialize.

Steps to Reproduce: Please include steps and code samples to aid in issue reproduction (HTML/JavaScript).

Integrate Google One Tap using the Javascript API/HTML API with a nonce. Sign in via Google One Tap. Check the returned JWT.

 const initializeGSI = () => {
    google.accounts.id.initialize({
      client_id: '132-xxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com',
      cancel_on_tap_outside: false,
      nonce: 'y78745XXXXXXXX',     // value expected back as the `nonce` claim of the returned JWT
      callback: onOneTapSignedIn  // handler that receives the credential (defined elsewhere)
    });
 };
somindatommy commented 1 year ago

Facing the same issue. Any way to resolve this?

detj commented 1 month ago

Facing this issue as well. Since the nonce is not returned, isn't this a glaring security issue waiting to be exploited?
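The mitigation for the concern raised above is to verify the `nonce` claim in the callback and refuse the sign-in when it is absent or wrong. The following is an added example, not code from this issue or from the gapi project; it reuses the callback name `onOneTapSignedIn` from the issue's snippet, assumes the callback receives the ID token as `response.credential`, and uses constructed sample tokens.

```javascript
// Added example (not from the issue or gapi): check the `nonce` claim of the
// ID token that the One Tap callback receives as `response.credential`.
// Assumption: the callback name `onOneTapSignedIn` from the issue's snippet.
// This inspects claims only; the token's signature must still be verified
// (normally server-side, e.g. with Google's token-verification library).

function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  // base64url -> standard base64, then restore padding
  let b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  b64 += '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

function checkNonce(jwt, expectedNonce) {
  const claims = decodeJwtPayload(jwt);
  if (typeof claims.nonce !== 'string') {
    return { ok: false, reason: 'nonce claim missing' }; // the Safari case in this issue
  }
  if (claims.nonce !== expectedNonce) {
    return { ok: false, reason: 'nonce mismatch' }; // token not minted for this request
  }
  return { ok: true, reason: 'nonce matches' };
}

// Constructed sample tokens with a dummy signature, for illustration only.
function makeSampleJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.sig`;
}

const EXPECTED_NONCE = 'y78745XXXXXXXX'; // the value passed to initialize()
const withNonce = makeSampleJwt({ sub: '123', nonce: EXPECTED_NONCE });
const withoutNonce = makeSampleJwt({ sub: '123' });

// How the callback from the issue could apply the check: reject the
// sign-in when the nonce is absent or wrong rather than accepting the token.
function onOneTapSignedIn(response) {
  const result = checkNonce(response.credential, EXPECTED_NONCE);
  if (!result.ok) {
    console.warn('rejecting credential:', result.reason);
    return false;
  }
  return true;
}
```

In a real deployment the expected nonce should be generated per request (for example from `crypto.getRandomValues`) and stored server-side, so that the comparison happens where the signature is verified.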