Adding an overloaded GetCredential member function to OAuthProvider which takes a nonce, and an optional access token, closing the parity game between our OAuthProvider implementation and those of the phone SDKs.

This also opens up the use of our C++ and Unity SDK to do Apple provider signin which requires a nonce when constructing the credential.

PiperOrigin-RevId: 286431312

Author: Googler

auth/src/android/credential_android.cc

@@ -124,7 +124,12 @@ METHOD_LOOKUP_DEFINITION(twittercred,
     X(NewBuilder, "newBuilder",                                                \
       "(Ljava/lang/String;Lcom/google/firebase/auth/FirebaseAuth;)"            \
       "Lcom/google/firebase/auth/OAuthProvider$Builder;",                      \
+      util::kMethodTypeStatic),                                                \
+    X(NewCredentialBuilder, "newCredentialBuilder",                            \
+      "(Ljava/lang/String;)"                                                   \
+      "Lcom/google/firebase/auth/OAuthProvider$CredentialBuilder;",            \
       util::kMethodTypeStatic)
+
 // clang-format on
 METHOD_LOOKUP_DECLARATION(oauthprovider, OAUTHPROVIDER_METHODS)
 METHOD_LOOKUP_DEFINITION(oauthprovider,
@@ -180,6 +185,29 @@ METHOD_LOOKUP_DEFINITION(oauthprovider_builder,
                          PROGUARD_KEEP_CLASS
                          "com/google/firebase/auth/OAuthProvider$Builder",
                          OAUTHPROVIDER_BUILDER_METHODS)
+
+// clang-format off
+#define OAUTHPROVIDER_CREDENTIALBUILDER_METHODS(X)                             \
+  X(SetAccessToken, "setAccessToken",                                          \
+    "(Ljava/lang/String;)"                                                     \
+    "Lcom/google/firebase/auth/OAuthProvider$CredentialBuilder;"),             \
+  X(SetIdToken, "setIdToken",                                                  \
+    "(Ljava/lang/String;)"                                                     \
+    "Lcom/google/firebase/auth/OAuthProvider$CredentialBuilder;"),             \
+  X(SetIdTokenWithRawNonce, "setIdTokenWithRawNonce",                          \
+    "(Ljava/lang/String;Ljava/lang/String;)"                                   \
+    "Lcom/google/firebase/auth/OAuthProvider$CredentialBuilder;"),             \
+  X(Build, "build", "()Lcom/google/firebase/auth/AuthCredential;")
+// clang-format on
+
+METHOD_LOOKUP_DECLARATION(oauthprovider_credentialbuilder,
+                          OAUTHPROVIDER_CREDENTIALBUILDER_METHODS)
+METHOD_LOOKUP_DEFINITION(
+    oauthprovider_credentialbuilder,
+    PROGUARD_KEEP_CLASS
+    "com/google/firebase/auth/OAuthProvider$CredentialBuilder",
+    OAUTHPROVIDER_CREDENTIALBUILDER_METHODS)
+
 // clang-format off
 #define AUTH_IDP_METHODS(X)                                                    \
   X(StartActivityForSignInWithProvider, "startActivityForSignInWithProvider",  \
@@ -275,19 +303,21 @@ bool CacheCredentialMethodIds(
     return false;
   }
 
-  g_methods_cached = credential::CacheMethodIds(env, activity) &&
-                     emailcred::CacheMethodIds(env, activity) &&
-                     facebookcred::CacheMethodIds(env, activity) &&
-                     githubcred::CacheMethodIds(env, activity) &&
-                     googlecred::CacheMethodIds(env, activity) &&
-                     oauthprovider::CacheMethodIds(env, activity) &&
-                     oauthprovider_builder::CacheMethodIds(env, activity) &&
-                     auth_idp::CacheMethodIds(env, activity) &&
-                     user_idp::CacheMethodIds(env, activity) &&
-                     phonecred::CacheMethodIds(env, activity) &&
-                     timeunit::CacheFieldIds(env, activity) &&
-                     playgamescred::CacheMethodIds(env, activity) &&
-                     twittercred::CacheMethodIds(env, activity);
+  g_methods_cached =
+      credential::CacheMethodIds(env, activity) &&
+      emailcred::CacheMethodIds(env, activity) &&
+      facebookcred::CacheMethodIds(env, activity) &&
+      githubcred::CacheMethodIds(env, activity) &&
+      googlecred::CacheMethodIds(env, activity) &&
+      oauthprovider::CacheMethodIds(env, activity) &&
+      oauthprovider_builder::CacheMethodIds(env, activity) &&
+      oauthprovider_credentialbuilder::CacheMethodIds(env, activity) &&
+      auth_idp::CacheMethodIds(env, activity) &&
+      user_idp::CacheMethodIds(env, activity) &&
+      phonecred::CacheMethodIds(env, activity) &&
+      timeunit::CacheFieldIds(env, activity) &&
+      playgamescred::CacheMethodIds(env, activity) &&
+      twittercred::CacheMethodIds(env, activity);
 
   return g_methods_cached;
 }
@@ -303,6 +333,7 @@ void ReleaseCredentialClasses(JNIEnv* env) {
   jniphone::ReleaseClass(env);
   oauthprovider::ReleaseClass(env);
   oauthprovider_builder::ReleaseClass(env);
+  oauthprovider_credentialbuilder::ReleaseClass(env);
   phonecred::ReleaseClass(env);
   timeunit::ReleaseClass(env);
   twittercred::ReleaseClass(env);
@@ -549,6 +580,76 @@ Credential OAuthProvider::GetCredential(const char* provider_id,
   return Credential(CredentialLocalToGlobalRef(j_cred));
 }
 
+
+// static
+Credential OAuthProvider::GetCredential(const char* provider_id,
+                                        const char* id_token,
+                                        const char* raw_nonce,
+                                        const char* access_token) {
+  FIREBASE_ASSERT_RETURN(Credential(),
+                         provider_id && id_token && raw_nonce );
+  FIREBASE_ASSERT_MESSAGE_RETURN(Credential(), g_methods_cached,
+                                 kMethodsNotCachedError);
+
+  JNIEnv* env = GetJniEnv();
+  jstring j_provider_id = env->NewStringUTF(provider_id);
+  jstring j_id_token = env->NewStringUTF(id_token);
+  jstring j_raw_nonce = env->NewStringUTF(raw_nonce);
+
+  jobject j_cred_builder = env->CallStaticObjectMethod(
+      oauthprovider::GetClass(),
+      oauthprovider::GetMethodId(oauthprovider::kNewCredentialBuilder),
+      j_provider_id);
+
+  jobject j_cred = nullptr;
+  if (!firebase::util::CheckAndClearJniExceptions(env)) {
+    jobject builder_return_ref = env->CallObjectMethod(
+        j_cred_builder,
+        oauthprovider_credentialbuilder::GetMethodId(
+            oauthprovider_credentialbuilder::kSetIdTokenWithRawNonce),
+        j_id_token, j_raw_nonce);
+
+    if (!firebase::util::CheckAndClearJniExceptions(env)) {
+      env->DeleteLocalRef(builder_return_ref);
+      // add the access token, if it exists.
+      if (access_token != nullptr) {
+        jobject j_access_token = env->NewStringUTF(access_token);
+        builder_return_ref = env->CallObjectMethod(
+            j_cred_builder,
+            oauthprovider_credentialbuilder::GetMethodId(
+                oauthprovider_credentialbuilder::kSetAccessToken),
+            j_access_token);
+
+        env->DeleteLocalRef(j_access_token);
+        if (!firebase::util::CheckAndClearJniExceptions(env)) {
+          env->DeleteLocalRef(builder_return_ref);
+        } else {
+          env->DeleteLocalRef(j_cred_builder);
+          j_cred_builder = nullptr;
+        }
+      }
+    }
+
+    // If we have a valid credential builder, build a credential.
+    if (j_cred_builder != nullptr) {
+      j_cred = env->CallObjectMethod(
+          j_cred_builder, oauthprovider_credentialbuilder::GetMethodId(
+                              oauthprovider_credentialbuilder::kBuild));
+      if (firebase::util::CheckAndClearJniExceptions(env)) {
+        j_cred = nullptr;
+      }
+
+      env->DeleteLocalRef(j_cred_builder);
+    }
+  }
+
+  env->DeleteLocalRef(j_provider_id);
+  env->DeleteLocalRef(j_raw_nonce);
+  env->DeleteLocalRef(j_id_token);
+
+  return Credential(CredentialLocalToGlobalRef(j_cred));
+}
+
 // static
 Future<Credential> GameCenterAuthProvider::GetCredential() {
   // Game Center is not available on Android

auth/src/desktop/auth_providers/oauth_auth_credential.h

@@ -32,24 +32,28 @@ class OAuthCredential : public IdentityProviderCredential {
 
   std::unique_ptr<VerifyAssertionRequest> CreateVerifyAssertionRequest(
       const char* const api_key) const override {
+    const char* raw_nonce =
+        (!raw_nonce_.empty()) ? raw_nonce_.c_str() : nullptr;
     if (!id_token_.empty()) {
       return VerifyAssertionRequest::FromIdToken(api_key, provider_id_.c_str(),
-                                                 id_token_.c_str());
+                                                 id_token_.c_str(), raw_nonce);
     } else {
       return VerifyAssertionRequest::FromAccessToken(
-          api_key, provider_id_.c_str(), access_token_.c_str());
+          api_key, provider_id_.c_str(), access_token_.c_str(), raw_nonce);
     }
   }
 
  private:
   OAuthCredential(const std::string& provider_id, const std::string& id_token,
-                  const std::string& access_token)
+                  const std::string& raw_nonce, const std::string& access_token)
       : provider_id_(provider_id),
         id_token_(id_token),
+        raw_nonce_(raw_nonce),
         access_token_(access_token) {}
 
   const std::string provider_id_;
   const std::string id_token_;
+  const std::string raw_nonce_;
   const std::string access_token_;
 
   friend class OAuthProvider;

auth/src/desktop/auth_providers/oauth_auth_provider.cc

@@ -27,8 +27,21 @@ Credential OAuthProvider::GetCredential(const char* const provider_id,
                                         const char* const id_token,
                                         const char* const access_token) {
   FIREBASE_ASSERT_RETURN(Credential(), provider_id && id_token && access_token);
+  return Credential{new CredentialImpl{new OAuthCredential{
+      provider_id, id_token, /*raw_nonce=*/"", access_token}}};
+}
+
+// static
+Credential OAuthProvider::GetCredential(const char* provider_id,
+                                        const char* id_token,
+                                        const char* raw_nonce,
+                                        const char* access_token) {
+  FIREBASE_ASSERT_RETURN(Credential(), provider_id && id_token && raw_nonce);
+  if (access_token == nullptr) {
+    access_token = "";
+  }
   return Credential{new CredentialImpl{
-      new OAuthCredential{provider_id, id_token, access_token}}};
+      new OAuthCredential{provider_id, id_token, raw_nonce, access_token}}};
 }
 
 }  // namespace auth

auth/src/desktop/rpcs/request.fbs

@@ -55,6 +55,8 @@ table Request {
   photoUrl:string;
   deleteAttribute:[string];
   deleteProvider:[string];
+
+  nonce:string;
 }
 
 root_type Request;

auth/src/desktop/rpcs/verify_assertion_request.cc

@@ -45,6 +45,12 @@ VerifyAssertionRequest::VerifyAssertionRequest(const char* const api_key,
 std::unique_ptr<VerifyAssertionRequest> VerifyAssertionRequest::FromIdToken(
     const char* const api_key, const char* const provider_id,
     const char* const id_token) {
+  return FromIdToken(api_key, provider_id, id_token, /*nonce=*/nullptr);
+}
+
+std::unique_ptr<VerifyAssertionRequest> VerifyAssertionRequest::FromIdToken(
+    const char* const api_key, const char* const provider_id,
+    const char* const id_token, const char* nonce) {
   auto request = std::unique_ptr<VerifyAssertionRequest>(  // NOLINT
       new VerifyAssertionRequest{api_key, provider_id});
 
@@ -54,6 +60,10 @@ std::unique_ptr<VerifyAssertionRequest> VerifyAssertionRequest::FromIdToken(
     LogError("No id token given");
   }
 
+  if (nonce) {
+    request->post_body_ += std::string{"&nonce="} + nonce;
+  }
+
   request->application_data_->postBody = request->post_body_;
   request->UpdatePostFields();
   return request;
@@ -62,6 +72,13 @@ std::unique_ptr<VerifyAssertionRequest> VerifyAssertionRequest::FromIdToken(
 std::unique_ptr<VerifyAssertionRequest> VerifyAssertionRequest::FromAccessToken(
     const char* const api_key, const char* const provider_id,
     const char* const access_token) {
+  return FromAccessToken(api_key, provider_id, access_token,
+                                /*nonce=*/nullptr);
+}
+
+std::unique_ptr<VerifyAssertionRequest> VerifyAssertionRequest::FromAccessToken(
+    const char* const api_key, const char* const provider_id,
+    const char* const access_token, const char* nonce) {
   auto request = std::unique_ptr<VerifyAssertionRequest>(  // NOLINT
       new VerifyAssertionRequest{api_key, provider_id});
 
@@ -71,6 +88,10 @@ std::unique_ptr<VerifyAssertionRequest> VerifyAssertionRequest::FromAccessToken(
     LogError("No access token given");
   }
 
+  if (nonce) {
+    request->post_body_ += std::string{"&nonce="} + nonce;
+  }
+
   request->application_data_->postBody = request->post_body_;
   request->UpdatePostFields();
   return request;

auth/src/desktop/rpcs/verify_assertion_request.h

@@ -32,8 +32,14 @@ class VerifyAssertionRequest : public AuthRequest {
  public:
   static std::unique_ptr<VerifyAssertionRequest> FromIdToken(
       const char* api_key, const char* provider_id, const char* id_token);
+  static std::unique_ptr<VerifyAssertionRequest> FromIdToken(
+      const char* api_key, const char* provider_id, const char* id_token,
+      const char* nonce);
   static std::unique_ptr<VerifyAssertionRequest> FromAccessToken(
       const char* api_key, const char* provider_id, const char* access_token);
+  static std::unique_ptr<VerifyAssertionRequest> FromAccessToken(
+      const char* api_key, const char* provider_id, const char* access_token,
+      const char* nonce);
   static std::unique_ptr<VerifyAssertionRequest> FromAccessTokenAndOAuthSecret(
       const char* api_key, const char* provider_id, const char* access_token,
       const char* oauth_secret);

auth/src/include/firebase/auth/credential.h

@@ -224,6 +224,18 @@ class OAuthProvider {
   ///    from Android and iOS implementations).
   static Credential GetCredential(const char* provider_id, const char* id_token,
                                   const char* access_token);
+
+  /// Generate a credential for an OAuth2 provider.
+  ///
+  /// @param provider_id Name of the OAuth2 provider.
+  /// @param id_token The authentication token (OIDC only).
+  /// @param raw_nonce The raw nonce associated with the Auth credential being
+  /// created.
+  /// @param access_token The access token associated with the Auth credential
+  /// to be created, if available.  This value may be null.
+  static Credential GetCredential(const char* provider_id, const char* id_token,
+                                  const char* raw_nonce,
+                                  const char* access_token);
 };
 
 /// @brief Use phone number text messages to authenticate.

auth/src/ios/credential_ios.mm

@@ -144,6 +144,23 @@ @implementation PhoneListenerDataObjC
   return Credential(new FIRAuthCredentialPointer(credential));
 }
 
+// static
+Credential OAuthProvider::GetCredential(const char* provider_id,
+                                        const char* id_token,
+                                        const char* raw_nonce,
+                                        const char* access_token) {
+  FIREBASE_ASSERT_RETURN(Credential(), provider_id && id_token && raw_nonce);
+
+  NSString* access_token_string =
+      (access_token != nullptr) ? util::CStringToNSString(access_token) : nullptr;
+  FIRAuthCredential* credential =
+      (FIRAuthCredential*)[FIROAuthProvider credentialWithProviderID:@(provider_id)
+                                                             IDToken:@(id_token)
+                                                            rawNonce:@(raw_nonce)
+                                                         accessToken:access_token_string];
+  return Credential(new FIRAuthCredentialPointer(credential));
+}
+
 // static
 Future<Credential> GameCenterAuthProvider::GetCredential() {
   auto future_api = GetCredentialFutureImpl();