[google_sign_in] adds option to re-authenticate on google silent sign in #4251
Thanks for the submission! @ditman Are you familiar with this portion of the API in order to review?
@stuartmorgan not with the native implementations. I'm almost sure that this would do nothing special on the web, since @ThetaSinner have you verified this change has the desired behavior in the other platforms? I can't find any information about reauthentication in web (I think it's handled automatically by the JS SDK) or iOS. (Overall, this doesn't seem dangerous to merge, I'm wondering if more needs to be done across all platforms to achieve the same functionality)
Hi @ditman, I haven't tested iOS because I don't have a MacBook or iOS device (or any emulation set up) but I'm happy to give web a try to see how it behaves. I don't have access to my development environment today or tomorrow but I will take a look Sunday/Monday.
Thanks @ThetaSinner! As I said, in web I'm not sure that calling signInSilently multiple times will cause the same effect as in android, but that's a gap that can be filled later. We just need to confirm it, so we can document the difference across platforms.
Looks like you're right about the web behaviour, the existing login is used to build the response to signInSilently. The underlying JavaScript library does not discuss ID tokens (that I have seen!). The signIn method it provides is interactive. It doesn't look like working quietly with ID tokens on web will work without a change to the google-api-javascript-client library. I don't need it so I'm happy with documented differences. Would you like me to find somewhere for that to go and add it to this PR? |
The web version is going to need a bunch of rewriting soonish, that might change things. In the meantime, let's do this. I think the web version re-authenticates automatically, so as long as one always requests the current identity from the JS code, the token will always be valid (at least, that's my operating assumption :P)
LGTM! Let me find somebody from the iOS team to verify that this won't hurt there!
LGTM on iOS
Thanks for the super-late review @cyanglaz !!
Hey @ThetaSinner, I wanted a fresh idToken whenever I sign in. So I used this signInSilently method with the reAuthenticate param as true. But I keep on getting the same idToken even after using this.
Hi @Bharathh-Raj, This is the code I use:

```dart
await _googleSignIn.signInSilently(
    reAuthenticate: true, suppressErrors: false);
```

I believe the API will not give you a new ID token unless your current ID token is about to expire (less than 5 minutes remaining?) OR your ID token has expired and your REFRESH token is still valid. You can check this by grabbing your own ID token and decoding it locally. If this isn't the answer to your problem then feel free to tag me in a new issue on your project and I'll see if I can help out.
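The local check suggested in the comment above, as an added example that is not part of the original thread or of the plugin's code: it decodes the payload of a JWT-format ID token and reports the time left before its `exp` claim. The helper names `decodeIdTokenPayload` and `remainingLifetime`, the sample token, and the 5-minute threshold (taken from the comment's guess) are assumptions for illustration.

```dart
import 'dart:convert';

/// Decodes the payload (second segment) of a JWT-format ID token.
/// Inspection only: the signature is NOT verified, so never use this
/// result to make a trust decision.
Map<String, dynamic> decodeIdTokenPayload(String idToken) {
  final parts = idToken.split('.');
  if (parts.length != 3) {
    throw FormatException('Expected 3 segments, got ${parts.length}');
  }
  // JWT segments are base64url without padding; normalize() restores it.
  final json = utf8.decode(base64Url.decode(base64Url.normalize(parts[1])));
  final claims = jsonDecode(json);
  if (claims is! Map<String, dynamic>) {
    throw const FormatException('ID token payload is not a JSON object');
  }
  return claims;
}

/// Time left before the token's `exp` claim; negative if already expired.
Duration remainingLifetime(String idToken, {DateTime? now}) {
  final exp = decodeIdTokenPayload(idToken)['exp'];
  if (exp is! int) {
    throw const FormatException('ID token has no integer "exp" claim');
  }
  final expiry = DateTime.fromMillisecondsSinceEpoch(exp * 1000, isUtc: true);
  return expiry.difference((now ?? DateTime.now()).toUtc());
}

void main() {
  // Constructed sample token with a placeholder signature, not a real one.
  String seg(Object o) =>
      base64Url.encode(utf8.encode(jsonEncode(o))).replaceAll('=', '');
  final token = [
    seg({'alg': 'RS256', 'typ': 'JWT'}),
    seg({'sub': 'constructed-user', 'iat': 1700000000, 'exp': 1700003600}),
    'constructed-signature',
  ].join('.');

  // Fixed clock so the result is reproducible: 200 seconds before `exp`.
  final now = DateTime.fromMillisecondsSinceEpoch(1700003400 * 1000, isUtc: true);
  final left = remainingLifetime(token, now: now);
  print('expires in ${left.inSeconds}s');
  print('inside 5-minute window: ${left < const Duration(minutes: 5)}');
}
```

Comparing the `iat` and `exp` claims of the tokens returned by two successive `signInSilently` calls shows whether a new token was actually issued or the cached one was returned.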
So the OAuth API itself won't give us a new ID token unless it is about to/did expire? Is there any way to force the API to respond with a new ID token whenever I request? I'm using a service which has just a 60-second time window to validate.
Adds an optional parameter to the signInSilently method which allows the application using the plugin to decide whether re-authentication should be attempted.
Fixes #88556