[google_sign_in] Redesign API for current identity SDKs

[stuartmorgan-g]

This is a full overhaul of the google_sign_in API, with breaking changes for all component packages—including the platform interface. The usual model of adding the new approach while keeping the old one is not viable here, as the underlying SDKs have changed significantly since the original API was designed. Web already had some only-partially-compatible shims for this reason, and Android would have had to do something similar; see flutter/flutter#119300 and flutter/flutter#154205, and the design doc for more background.

• Fixes [google_sign_in] Rework google_sign_in to reflect changes in underlying SDKs flutter#119300
• Fixes [google_sign_in] Switch Android to Credential Manager flutter#154205
• Fixes [google_sign_in_web] Enable incremental authorization for Code Model. flutter#139406
• Fixes [google_sign_in_android] Remove deprecated API usages in most recent version of play-services-auth flutter#150365
• Fixes [google_sign_in_web] Remove deprecated signIn method. flutter#137727
• Fixes [google_sign_in] Implement canAccessScopes on mobile flutter#124206
• Fixes google_sign_in plugin links to obsolete documentation for web flutter#117794
• Fixes [google_sign_in] Android documentation is wrong flutter#107532
• Fixes [google_sign_in] Support passing a nonce flutter#85439
• Fixes [google_sign_in] java.lang.NullPointerException: Attempt to read from field [...] on a null object reference flutter#74308
• Fixes [google_sign_in] Add future that completes when the plugin is (really) ready. flutter#71607
• Fixes [google_sign_in_web] googleSignIn.signIn() hangs forever if can't connect to apis.google.com flutter#70427
• Fixes [google_sign_in] better error handling flutter#32441 (there may be more to do here over time, since we may find exceptions that are not caught, but we now have a structured system to convert errors to as we find specific unhandled cases)

Pre-Review Checklist

• I read the Contributor Guide and followed the process outlined there for submitting PRs.
• I read the Tree Hygiene page, which explains my responsibilities.
• I read and followed the relevant style guides and ran the auto-formatter.
• I signed the CLA.
• The title of the PR starts with the name of the package surrounded by square brackets, e.g. [shared_preferences]
• I linked to at least one issue that this PR fixes in the description above.
• I updated pubspec.yaml with an appropriate new version according to the pub versioning philosophy, or I have commented below to indicate which version change exemption this PR falls under¹.
• I updated CHANGELOG.md to add a description of the change, following repository CHANGELOG style, or I have commented below to indicate which CHANGELOG exemption this PR falls under¹.
• I updated/added any relevant documentation (doc comments with ///).
• I added new tests to check the change I am making, or I have commented below to indicate which test exemption this PR falls under¹.
• All existing and new tests are passing.

Footnotes

1. Regular contributors who have demonstrated familiarity with the repository guidelines only need to comment if the PR is not auto-exempted by repo tooling. ↩ ↩² ↩³

[camsim99]

Reviewed the Android implementation!

[camsim99]

So if useButtonFlow is true, then basically the other options are ignored? Would it be helpful to warn users here about that?

[stuartmorgan-g]

I've added a wrapper class at this layer and the Pigeon layer that encapsulate the options that are specific to the non-button flow, and also added some docs, to make things clearer.

[stuartmorgan-g]

I've reworked the API here and at the Pigeon layer to put the options specific to non-button-flow in a class, and added comments, to make it clearer what doesn't apply. (When I first wrote this code I didn't use the button flow, so the flat arguments made sense.)

[camsim99]

Ok cool this is much clearer, thank you!

[camsim99]

Nit: could throw an exception to ensure it's not called.

[stuartmorgan-g]

Added fail() to all of these, and adjusted the comment slightly to explain why.

[camsim99]

Can we consider linking to the credentials docs on this? https://developer.android.com/identity/sign-in/credential-manager-siwg#set-google for the non-firebase option? If it's more confusing than helpful because some steps don't apply, maybe not though.

[stuartmorgan-g]

By the time I was updating the READMEs I was so used to skipping down to the code on that page I forgot it had setup instructions! I've adjusted to link to that as the non-Firebase option, and removed some of the details since they are covered more thoroughly there.

[camsim99]

Hahaha totally understandable! LGTM!

[camsim99]

The Android implementation LGTM!

[camsim99]

Ok cool this is much clearer, thank you!

[camsim99]

Hahaha totally understandable! LGTM!

[stuartmorgan-g]

@LongCatIsLooong / @cbracken Ping on the iOS portion of this review.

[stuartmorgan-g]

@bparrishMines Could you review the platform interface and app-facing package changes?

[LongCatIsLooong]

As someone that's new to this plugin, thanks for the design doc! I still have a few questions after reading the doc.

[LongCatIsLooong]

nit: this sounds like there are platforms other than web where user interactions are required for Authorization request. Is that the case? How do I know which of the platforms my app targets have such restriction?

[LongCatIsLooong]

supportsAuthenticate? But that's for authentication I assume?

[LongCatIsLooong]

Hmm this reminds me of flutter/flutter#168100, if the user connects / disconnects a mouse / keyboard on Android the activity will restart and that would result in the element tree being re-inflated anew.

I guess that does not break the new flow (from reading the docs initialize has to be called exactly once in a program) since the new activity will spin up a new dart vm? Still it would be an annoyance that every time I unplug my keyboard I have to go over the sign-in process again.

[LongCatIsLooong]

Or when the activity restarts, the lightweight authentication path will be taken and the flow will typically be invisible to user / require no additional user interactions?

EDIT: Just read the design doc and it mentioned "Fully silent sign in is no longer available"

[LongCatIsLooong]

uber nit, consider making user and authorization final if possible?

[LongCatIsLooong]

nit: missing backticks / square brackets around UnsupportedError?

[LongCatIsLooong]

his -> is

[LongCatIsLooong]

Are these classes needed? It seems the sealed type is a glorified GoogleSignInAccount?.

[LongCatIsLooong]

is this still nonnull?

[LongCatIsLooong]

I assume the user argument is not nullable, otherwise it's failing silently?

[LongCatIsLooong]

can userId be null?

[LongCatIsLooong]

The signOut method seems to only sign out the current user: https://developers.google.com/identity/sign-in/ios/reference/Classes/GIDSignIn

Why do we have to remove everything in the dictionary? If refreshedAuthorizationTokensForUser gets called for a different user (is that possible`?) the app would get an error it seems?