
Why Both Web and Android Client IDs needed for Google authn using Supabase on Flutter?


My question is for educational purposes because I got the thing working, but wanted to know why and how.

I wanted to set up Google Authentication (Authn) using Supabase for my Flutter app. Following This Tutorial, I was able to get Sign in with Google working with my Flutter app, but for that I needed to set up:

For my dev flavor app

  1. A GCP project myapp-gcp-dev
  2. Consent screen on GCP Credentials with auth domain 1 supabase_project_name.supabase.co
  3. Web Client ID and Client Secret with Authorized redirect URL https://supabase_project_name.supabase.co/auth/v1/callback
  4. Android Client ID with package name com.myteam.myapp.dev and SHA1 ..... for dev flavor

My questions:

  • A) Although I only need Google auth for my Flutter app (no web), why do I need to set up the Client ID (for OAuth) and Client Secret (for OAuth) in the Supabase dashboard? I used the two values generated when creating the web client credential in GCP for this.

  • B) Without the above, only putting the Android client ID generated from the GCP console into the Authorized Client IDs (for Android, One Tap, and Chrome extensions) field in the Supabase console doesn't work: it throws an exception in Flutter when I try to log in with Google. What additional functionality is enabled by providing the client secret that allows (A) to work?

  • C) What's the meaning of "Google sign in on Android will work without providing the Android" in the comment below? I got the code from the Official Supabase Docs:

```dart
import 'package:google_sign_in/google_sign_in.dart';
import 'package:supabase_flutter/supabase_flutter.dart';

final supabase = Supabase.instance.client;

Future<AuthResponse> _googleSignIn() async {
  /// TODO: update the Web client ID with your own.
  ///
  /// Web Client ID that you registered with Google Cloud.
  const webClientId = 'my-web.apps.googleusercontent.com';

  /// TODO: update the iOS client ID with your own.
  ///
  /// iOS Client ID that you registered with Google Cloud.
  const iosClientId = 'my-ios.apps.googleusercontent.com';

  // Google sign in on Android will work without providing the Android
  // Client ID registered on Google Cloud.

  final GoogleSignIn googleSignIn = GoogleSignIn(
    clientId: iosClientId,
    serverClientId: webClientId,
  );

  // The excerpt in the question stops here; the rest of the function is
  // completed following the Supabase docs it cites.
  final googleUser = await googleSignIn.signIn();
  final googleAuth = await googleUser!.authentication;
  final accessToken = googleAuth.accessToken;
  final idToken = googleAuth.idToken;
  if (accessToken == null || idToken == null) {
    throw 'Google returned no ID token or access token.';
  }
  // Hand the Google ID token to Supabase, which verifies it server-side.
  return supabase.auth.signInWithIdToken(
    provider: OAuthProvider.google,
    idToken: idToken,
    accessToken: accessToken,
  );
}
```


Solution

  • Google designed its OAuth authentication to require both the Android client ID and the web client ID for performing Google sign-in on Android. I do agree that it's counterintuitive to require the web client ID for OAuth on Android, but it's how Google implemented it, and there is nothing we can do about it as a user using it.
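To see why the backend has to know the web client ID even though no web app exists, here is the audience check a relying party performs on the Google ID token the app obtains: `aud` carries the web (server) client ID the token was minted for, while `azp` carries the Android client ID that requested it. This is an added Python example, not Supabase's or the tutorial's code; the client IDs and the token are constructed placeholders, and signature verification against Google's keys is deliberately left out of scope.

```python
import base64
import json

# Hypothetical client IDs, modelled on the two credentials set up in the question.
WEB_CLIENT_ID = "my-web.apps.googleusercontent.com"
ANDROID_CLIENT_ID = "my-android.apps.googleusercontent.com"
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


def b64url(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def read_claims(id_token: str) -> dict:
    """Return the payload of a JWT. The signature is NOT verified here; a real
    backend must check it against Google's published keys before trusting claims."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(b64url(payload))


def check_google_id_token(claims: dict, server_client_id: str,
                          authorized_client_ids: set, now: int) -> tuple:
    """Accept the token only if it was minted for our backend (aud) by a client
    we registered (azp). Returns (ok, reason)."""
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False, "issuer is not Google"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    # With serverClientId set in the Flutter app, Google puts the web client ID
    # in `aud`: the backend must know that ID even though no web app exists.
    if claims.get("aud") != server_client_id:
        return False, "aud is not the web client ID"
    # `azp` names the client that requested the token, i.e. the Android client
    # ID; it must be one of the client IDs the backend was told to trust.
    azp = claims.get("azp", claims.get("aud"))
    if azp not in authorized_client_ids and azp != server_client_id:
        return False, "azp is not an authorized client"
    return True, "ok"


def constructed_token(claims: dict) -> str:
    """Constructed, unsigned sample token for offline demonstration only."""
    def _enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return _enc({"alg": "none", "typ": "JWT"}) + "." + _enc(claims) + "."
```

A token obtained without `serverClientId` carries the Android client ID in `aud`, so the check above rejects it, which matches the exception seen in question (B) when only the Android client ID is registered.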