
Feature Request: Support passing a custom nonce to signIn() for secure backend verification #5

@uogbuji


Currently the signIn() method accepts 0 arguments; it looks like it automatically generates its own nonce internally before calling the Android Credential Manager.

This works for basic client-side authentication, but it creates a roadblock for applications that use a secure backend server, like Supabase, Firebase, or custom implementations, which mandate strict OIDC replay protection. Such backends require the client to generate a cryptographically secure (e.g., SHA-256) nonce, hash it, pass the hash to Google during the sign-in request, and then send the raw, unhashed nonce directly to the backend for verification alongside the ID token.

Because the plugin automatically generates and hashes its own internal nonce, the client application has no way to retrieve that raw nonce to pass to the backend, causing the backend verification to fail.

Could an overloaded signIn(String nonce) method, or something like that, be added?
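The nonce flow described in this issue, as an added example that is not part of the issue, the plugin, or any of the named backends: the client generates a random raw nonce, sends its SHA-256 hash to the identity provider as the OIDC `nonce` request parameter, and later sends the raw nonce to the backend, which re-hashes it and compares against the `nonce` claim in the returned ID token. The lowercase-hex encoding of the hash, the function names, and the constructed unsigned stand-in for a Google ID token (so the example runs offline) are all assumptions; a real backend must additionally verify the token signature against Google's JWKS, `iss`, `aud` and expiry, which this example does not do.

```python
"""Hashed-nonce OIDC replay protection, both sides (added example, not project code)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def generate_raw_nonce(num_bytes: int = 32) -> str:
    """Client: random raw nonce. Kept by the client and sent only to its own backend."""
    return secrets.token_urlsafe(num_bytes)


def hash_nonce(raw_nonce: str) -> str:
    """Hashed form that goes to the identity provider and is echoed in the ID token.
    Lowercase hex is an assumption; match whatever encoding the backend expects."""
    return hashlib.sha256(raw_nonce.encode("utf-8")).hexdigest()


def decode_id_token_claims(id_token: str) -> dict:
    """Extract the payload of a compact JWT. No signature check here (done separately)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload_b64 = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def verify_nonce(id_token: str, raw_nonce: Optional[str]) -> bool:
    """Backend: re-hash the raw nonce and compare it to the token's nonce claim.

    Returns False when the client could not supply a raw nonce, which is exactly
    the situation the issue describes when the plugin hides its internal nonce.
    """
    if raw_nonce is None:
        return False
    token_nonce = decode_id_token_claims(id_token).get("nonce")
    if not isinstance(token_nonce, str):
        return False
    return hmac.compare_digest(hash_nonce(raw_nonce), token_nonce)


def make_fake_id_token(nonce_claim: str) -> str:
    """Constructed, unsigned stand-in for a Google ID token so the example runs offline."""
    def b64(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

    header = {"alg": "none", "typ": "JWT"}
    payload = {
        "iss": "https://accounts.google.com",
        "sub": "1234567890",
        "nonce": nonce_claim,
        "iat": int(time.time()),
    }
    return f"{b64(header)}.{b64(payload)}."


def sign_in_with_provider(hashed_nonce: str) -> str:
    """Stand-in for the provider round trip: the provider echoes the request nonce
    into the ID token's nonce claim. Real sign-in happens via Credential Manager."""
    return make_fake_id_token(hashed_nonce)


def client_flow_with_custom_nonce() -> bool:
    """Desired flow: the app owns the raw nonce, so backend verification succeeds."""
    raw = generate_raw_nonce()
    id_token = sign_in_with_provider(hash_nonce(raw))
    return verify_nonce(id_token, raw)


def client_flow_with_hidden_internal_nonce() -> bool:
    """Current behaviour as the issue describes it: the plugin generates and hashes
    a nonce internally and never exposes the raw value, so the app has nothing to
    send to the backend and verification fails."""
    internal_raw = generate_raw_nonce()          # lives only inside the plugin
    id_token = sign_in_with_provider(hash_nonce(internal_raw))
    raw_known_to_app = None                      # app cannot retrieve internal_raw
    return verify_nonce(id_token, raw_known_to_app)


if __name__ == "__main__":
    print("custom nonce flow verifies:", client_flow_with_custom_nonce())
    print("hidden internal nonce verifies:", client_flow_with_hidden_internal_nonce())
```

`hmac.compare_digest` avoids a timing side channel on the comparison, and the backend should additionally reject any raw nonce it has already accepted (a one-time-use store keyed on the raw nonce) to get actual replay protection rather than only binding the token to a request.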
