-
Notifications
You must be signed in to change notification settings - Fork 5.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[auth-session] Create built-in providers for Google and Facebook #9361
[auth-session] Create built-in providers for Google and Facebook #9361
Conversation
* | ||
* - **Application Type**: Android Application | ||
* - **Package name**: Must match the value of `android.package` in your `app.json`. | ||
* - **Signing-certificate fingerprint**: Run `openssl rand -base64 32 | openssl sha1 -c` for the results. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Probably need something like expo fetch:android:hashes
instead.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you may already know this and i'm just misreading the comment but expo fetch:android:hashes
does this already, the value you're looking for is "Google Certificate Fingerprint"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I mean if you run it in any Expo project that isn't built for prod you get:
Configuring credentials for bacon in project native-component-list
There is no valid Keystore defined for this app
Effectively meaning that in dev you need to set it to one value then change it in prod or create another Google key which is worse.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The current way everything is set-up, íf you want to use Google App Signing AND you want expo builds to have a different key store, you must have two google keys. Google's "recent" restrictions on those keys are weird, as almost all google systems allow for multiple values (all other android key restrictions).
And I figured out today, before seeing this PR, documented in #9391, you will need 3 separate keys anyway -- it's not thát weird to have a different key per bundle/release channel.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've just opened an issue to make the CLI return a keystore on demand without requiring a build expo/expo-cli#2456 this would effectively cut out one more key upfront for Android auth.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's a good idea. I don't think having to have 3-4 keys is that problematic, but the fact that the "openssl" command is cryptic as best makes this a very good win, I think.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it's problematic currently because currently you:
- get fake hash -> register Google key with fake hash ->
expo build
it -> get actual key -> register new Google key -> update codebase ->expo publish
again.
After this you could
- get future hash -> register Google key with real hash ->
expo build
it.
Much easier to document, test, and develop.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I think making this process for Google Play Store simpler is much much better. I did exactly what you say in the "before" list, and it's confusing if you don't know what's going on.
But that's not what I meant with it not being problematic. I meant that having a key for expo-non-google builds and google-signed builds does make sense -- so has nothing to do with the process of acquiring that key, but with the fact that we still should be able to support at least 2 keys for Android projects, 1 key for iOS and 1 key for Web.
Why?
If there can only be one Android key, non-google signed builds will no longer work, making the internal testing process far worse, and also make it much harder to have a google signed build for the play store and a expo signed build for all the other stores (amazon, samsung etc.).
Right now the real process is:
expo build
(you don't need anything other than the basic project and app.json` -- you don't need to use a fake key at the moment, you can just have this command generate it on the expo servers).expo fetch:android:hashes
to get the hash- Add a new google key with this hash, and update your project accordingly.
expo build
to get a working standalone build which won't work with app signing, but will work on non play stores / direct install
Optional for standalones:
- Upload the build to the play store to turn on App Signing and retrieve the hashes
- Add a new google key with this hash, and update your project accordingly
expo build
once more to get a working standalone build, to be used for the store
With your new proposed flow, if I understand correctly, it's:
expo build
(you don't need anything other than the basic project andapp.json
-- you don't need to use a fake key at the moment, you can just have this command generate it on the expo servers).expo fetch:android:hashes
to get the hash- Add a new google key with this hash, and update your project accordingly.
expo build
to get a working standalone build which won't work with app signing, but will work on non play stores / direct install
Optional for standalones:
- Upload the build to the play store to turn on App Signing and retrieve the hashes
- Add a new google key with this hash, and update your project accordingly
expo build
once more to get a working standalone build, to be used for the store
Or am I missing something here?
01d7c2f
to
bdbe927
Compare
* [WIP] Created basic auth-session providers * [WIP] Improved default auth flows * Remove extra features * Remove fetchUserInfoAsync * Updated doc blocks * Updated docs with google provider * Updated docs with facebook provider * Updated auth-session docs * Added getting started links to the doc blocks * Update authentication.md * Update CHANGELOG.md * Added shim for testing Firebase auth * Disable selectAccount on Facebook * Added authentication back * Updated google auth * Use implicit auth by default * Update authentication.md * Delete Firebase auth screen * Split and share code * Added comments * Remove unused files * Fix casing * revert casing * Transform casing * Fix tests * Fix unit tests * fix docs * use URL directly * eslint ignore
Hi @EvanBacon , You can validate that by click on the Create-google-app button in the docs |
I can confirm this on sdk 38. I just did a Is it documented somewhere when to use |
I tried to follow this guide:
|
I did too :) But if you look here https://github.com/expo/expo/blob/master/packages/expo-auth-session/CHANGELOG.md the new provider features are in version v1.5.0 and that has not been released yet for the 38 sdk. Im not sure if it can be cherry-picked to the |
Why
expo-google-app-auth
andexpo-google-sign-in
.How
Introduce the
response.authentication
property which gets initialized when an auth request finishes withresponse.params.access_token
. This is the sameTokenResponse
that would be returned from exchanging an auth code for an access token.Created built-in providers:
discovery
,scopes
,useProxy
,usePKCE
, andredirectUri
logic away (with ability to overwrite the abstraction). The abstraction helps the docs to focus more on provider setup rather than Expo configuration.Google
Docs: https://github.com/expo/expo/blob/@evanbacon/auth-session/providers/google-init/docs/pages/guides/authentication.md
No need for
useProxy
to be defined because the request will automatically use it in the Expo client and disable it elsewhere.Discovery is built-in.
windowDimensions are built-in.
In native projects the auth code will be automatically exchanged for an access token.
Automatically generate async nonce parameter and add it to the loading hook's pipeline.
Google Firebase
Firebase requires the id_token to be properly created. On native this can be achieved using the standard authentication, but on web you can only get the id_token when the
response_type=id_token
is used. Because of this I've reluctantly created an extension ofGoogle.useAuthRequest
which switches the response type on web or when using the proxy service.Facebook
General
AuthSession.useAuthRequest
or with other properties.Facebook.useAuthRequest({}, { useProxy: true })
config.shouldAutoExchangeCode
Test Plan
Updated NCL tests to reflect the changes.