# ory-copilot
f
Hey @chilly-king-10285, I am following this doc: https://www.ory.sh/docs/kratos/social-signin/google#using-the-google-sdk-on-native-apps, to add sign-in with Google for my app. I am writing the app in Flutter. The problem is the `nonce` value is not exposed or available to me from the https://pub.dev/packages/google_sign_in package. So I am not able to pass it to Ory Kratos. How do I disable the nonce check in Ory? Or is there a way to get the nonce value?
b
A message from kapa.ai
The nonce value is used to prevent replay attacks and while it's not explicitly required, it's recommended to use it wherever possible. However, if the Google SDK you're using doesn't support it, you can still proceed without it. Here are the steps to integrate the Google SDK with Ory without the nonce:

1. Configure a Google social sign-in provider in Ory using the same `client_id` as used in your native app.
2. Optional: Android apps generate different token audiences per distribution (debug, release, etc.). You can add the ID of your current distribution to the `additional_id_token_audiences` field. Example: `sh.ory.network-example-ios.debug`.
3. Obtain an `id_token` from Google using the Google SDK.
4. Submit the `id_token` as part of the `updateRegistrationFlow` or `updateLoginFlow` request to Ory.
5. Ory will validate the `id_token` and create an identity and optionally a session (if configured).

Here is a Flutter code example for the Google sign-in process without the nonce:
```dart
import 'package:flutter/material.dart';
import 'package:google_sign_in/google_sign_in.dart';
import 'package:one_of/one_of.dart';
import 'package:ory_client/ory_client.dart';

class SignInWithGoogleButton extends StatelessWidget {
  final String flowId;
  final OryClient ory;

  final GoogleSignIn _googleSignIn = GoogleSignIn(
    scopes: [
      'email',
      // Add additional scopes, if you require that data in your Jsonnet mapping
    ],
  );

  SignInWithGoogleButton({super.key, required this.flowId, required this.ory});

  void handleGoogleSignIn(GoogleSignInAccount? value) {
    value?.authentication.then((value) {
      var idToken = value.idToken;
      if (idToken == null) {
        // If we end up here, but there is no ID token, something went wrong
        print("No idToken found");
        return;
      }

      // Create the payload for the updateRegistrationFlow endpoint with the idToken from Google
      var body = UpdateRegistrationFlowWithOidcMethod(
        (b) => b
          ..idToken = idToken
          ..method = 'oidc'
          ..provider = 'google',
      );

      // Submit the updateRegistrationFlow endpoint with the payload
      ory.getFrontendApi().updateRegistrationFlow(
            flow: flowId,
            updateRegistrationFlowBody: UpdateRegistrationFlowBody(
                (b) => b..oneOf = OneOf.fromValue1(value: body)),
          );
    });
  }

  @override
  Widget build(BuildContext context) {
    return TextButton(
      child: const Text("Sign in with Google"),
      onPressed: () => {_googleSignIn.signIn().then(handleGoogleSignIn)},
    );
  }
}
```
Please note that Ory does not communicate directly with Google during this flow and does not have access to the Access & Refresh Tokens. This means that Ory cannot return these in the admin APIs or SDK.
For more information, you can refer to the [Ory Kratos Google SDK integration documentation](https://www.ory.sh/docs/kratos/social-signin/google#using-the-google-sdk-on-native-apps).
f
@chilly-king-10285, this example is incomplete as it is not passing the nonce which is required
b
A message from kapa.ai
I understand your concern. The nonce is indeed an important part of the OpenID Connect protocol and is used to mitigate replay attacks. However, if the Google SDK you're using doesn't provide a nonce, it might be challenging to include it in your request. In the Ory Kratos API, the nonce is included in the `updateRegistrationFlow` and `updateLoginFlow` methods. If the nonce is not provided, these methods might still work, but it's not guaranteed as the nonce is a crucial part of the OpenID Connect protocol. Here's an example of how the nonce is included in the request:
```dart
var body = UpdateRegistrationFlowWithOidcMethod(
  (b) => b
    ..idToken = idToken
    ..idTokenNonce = 'some-value' // Include the nonce here
    ..method = 'oidc'
    ..provider = 'google',
);
```
However, if the nonce is not available from the Google SDK, you might not be able to include it in your request. In this case, you might want to consider using a different SDK or library that supports the nonce. Please note that disabling the nonce check in Ory is not recommended and might not be possible, as it's a crucial part of the OpenID Connect protocol and is used to ensure the security of the authentication process. For more information, you can refer to the [Ory Kratos API documentation](https://www.ory.sh/docs/kratos/reference/api) and the [OpenID Connect Core documentation](https://openid.net/specs/openid-connect-core-1_0.html#NonceNotes).