Open Lxstr opened 3 weeks ago
IdToken returned by google does not contain a hashed nonce, but currently gotrue hashes the nonce in the request and checks if it matches the nonce in the id token payload.
Therefore it is impossible to get a successful nonce check. This has been confirmed against the google package, which returns a successful nonce check:
https://google-auth.readthedocs.io/en/master/reference/google.oauth2.id_token.html
This has also been previously mentioned here https://github.com/supabase/auth/issues/412
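The mismatch described in this issue comes down to which form of the nonce the provider echoes back: Google's ID token carries the raw nonce the client sent, whereas the convention used with Sign in with Apple is for the client to send the SHA-256 of the raw nonce to the provider, so the `nonce` claim there is the hex digest. A server that only ever compares against the hash can therefore never accept a Google token. The Go below is an added example written for this page, not code from gotrue or from the google-auth package; the function names, the choice of hex-encoded SHA-256 as the hashed form, and the sample ID token payloads are all assumptions made for illustration. It shows the hash-only check failing against a raw-nonce claim and a check that accepts either form while still rejecting a missing or foreign nonce.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// idTokenClaims keeps only the claim this example is about. A real ID token
// also carries iss, aud, exp, iat, sub, etc., and its signature must be
// verified before any claim is trusted; that part is assumed done here.
type idTokenClaims struct {
	Nonce string `json:"nonce"`
}

// hashNonce returns the hex-encoded SHA-256 of the raw nonce. This is the
// form the nonce claim takes when the client followed the Apple convention
// of sending sha256(rawNonce) to the provider (assumption: hex encoding).
func hashNonce(nonce string) string {
	sum := sha256.Sum256([]byte(nonce))
	return hex.EncodeToString(sum[:])
}

// hashedOnlyNonceOK models the behaviour the issue describes: the server
// hashes the request nonce and accepts the token only if the claim equals
// that hash. Against a provider that echoes the raw nonce (Google) it can
// never succeed.
func hashedOnlyNonceOK(requestNonce, tokenNonce string) bool {
	return subtle.ConstantTimeCompare([]byte(hashNonce(requestNonce)), []byte(tokenNonce)) == 1
}

// nonceOK accepts the claim when it equals either the raw request nonce
// (Google style) or its hex SHA-256 (Apple style). Both comparisons are
// always evaluated so the branch taken does not depend on the first result.
// An empty value on either side is rejected outright, so a token minted
// without a nonce cannot be replayed against a request that supplied one.
func nonceOK(requestNonce, tokenNonce string) bool {
	if requestNonce == "" || tokenNonce == "" {
		return false
	}
	raw := subtle.ConstantTimeCompare([]byte(requestNonce), []byte(tokenNonce)) == 1
	hashed := subtle.ConstantTimeCompare([]byte(hashNonce(requestNonce)), []byte(tokenNonce)) == 1
	return raw || hashed
}

// parseNonce extracts the nonce claim from an already-verified, decoded
// ID token payload (JSON bytes).
func parseNonce(payload []byte) (string, error) {
	var c idTokenClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return "", fmt.Errorf("decoding id token payload: %w", err)
	}
	return c.Nonce, nil
}

func main() {
	// Constructed sample values; not captured from a real provider.
	const reqNonce = "n-0S6_WzA2Mj"
	googlePayload := []byte(`{"iss":"https://accounts.google.com","nonce":"n-0S6_WzA2Mj"}`)
	applePayload := []byte(fmt.Sprintf(`{"iss":"https://appleid.apple.com","nonce":%q}`, hashNonce(reqNonce)))

	for name, payload := range map[string][]byte{"google": googlePayload, "apple": applePayload} {
		tokenNonce, err := parseNonce(payload)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-6s hash-only check: %-5v  raw-or-hash check: %v\n",
			name, hashedOnlyNonceOK(reqNonce, tokenNonce), nonceOK(reqNonce, tokenNonce))
	}
}
```

Running it prints a failing hash-only check for the Google payload and a passing one for the Apple payload, while the raw-or-hash check passes for both; the nonce is still bound to the request, because a claim that matches neither form, or is absent, is refused.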