googlewebcomponents / google-signin Goto Github PK

Hi guys,

I have a question:
Is it possible to inject the client-id later using JS/Polymer?
I tried data binding the client-id into the google-signin element.
This breaks the login.

I want to create an app where all settings are in a different settings.js file.
The client-id I use personally, can't be used by other apps, because it is set to my URL in the api console.
But still it would be nice to separate this from the element declaration, to ensure better portability.

I really love Polymer.
Keep it up!

The Spreadsheets API for example doesn't require it. Throwing an exception means this element can't be used for that API.

Can you fire an error event instead?

We may want to consider offering a UI-less version of google-signin, or at least some more choice in how that UI is presented, e.g. by letting the user pass in the UI content.

Currently there is no attribute available for adding a state parameter (CSRF). The pattern I have been using is the round trip the state parameter through the first call, then keep it through the rest of the hybrid auth process. This could possibly tie into adding support for the hybrid process, although I do not know if that is considered out of scope for this element. If this support can be added, however, this element would also need an ability to set 'postmessage' appropriately as well as sending a request to the application server to have it verify the token. Refreshing the token would be necessary as well.

Storing an array of scopes is a bit flaky as it only accounts for calls made in the same session (See here and here.)

Either call gapi.auth.getToken() or hit the Tokeninfo endpoint. Note that due to a feature limitation, checking scopes might not be synchronized if they modified on another client (like on Android or iOS.) The only way to fully know is to try and to authorize.

Pretty self-explanatory, but on the demo page when you click the Signin button, the Auth dialog displays the origin_mismatch error, as seen below.

scope=profile
response_type=code token id_token gsession
redirect_uri=postmessage
cookie_policy=single_host_origin
proxy=oauth2relay262204436
state=781497841|0.209304072
origin=https://googlewebcomponents.github.io
include_granted_scopes=true
client_id=1054047045356-j8pgqgls9vdef3rl09hapoicumbte0bo.apps.googleusercontent.com

I implemented the google-signin element in my custom element. It works fine on the browser, but fails to work in hybrid app build on phonegap. The error that I got is as follows

Uncaught gapi.auth2.ExternallyVisibleError: Invalid cookiePolicy        cb=gapi.loaded_0:119
Uncaught TypeError: Cannot read property 'signIn' of undefined          google-signin.html:551
Polymer.signIn                                                          google-signin.html:551
  events.dispatchMethod                                                 polymer.js:9131
  (anonymous function)                                                  polymer.js:10715

I am not sure why auth is undefined here, it seems as if the gapi library is not initializing. I could be wrong.

Add a note to the description of the element, that multiple scopes should be space-delimited.

I keep getting this error when trying to sign out:

Uncaught TypeError: Cannot read property 'clear' of nullcb=gapi.loaded_0:473 
Fscb=gapi.loaded_0:493 
jxcb=gapi.loaded_0:503 
(anonymous function)google-signin.html:641 
Polymer.signOutevents.js:40 
events.dispatchMethodevents.js:73 
events.getEventHandler

I get origin_mismatch when I click Authorize on this page:

I'm running a test server on localhost and getting the XMLHTTPRequest error outlined here http://stackoverflow.com/questions/24894369/google-fonts-api-and-polymer-cors-issues. Should this component load the font by using font-roboto rather than using the link href?

When I add the button to my page, the following error appears:

Cross Origin policy aside (I'm assuming that is because of localhost), I'm wondering why the error below that appears when I click the button. The window does not pop up to start the authorization process at all. The code I'm using is:

<google-signin 
    clientId="<clientId>" 
    scopes="profile email" 
    labelSignin="Sign In" 
    labelSignout="Sign Out" 
    id="signinButton">
</google-signin>

I've tried defining the cookiePolicy attribute with single_host_origin, no difference. Any thoughts?

Edit: Yes, localhost is defined in the cloud developer console for the api credentials.

When using the google-signin component / button for a mobile web app (Add to homescreen, start without browser controls, "web app" mode) the G+ sign-in doesn't work.
Pressing the button opens a new window in Chrome where the user can approve the G+ sign-in but after the authorization is complete, the user it not returned to the web app.

Is there any way to solve this ?

Many applications have a server-side component that implements long-running processes or calls when the user is not at the keyboard. The Google+ Sign-In button has a simple attribute for offline access. As an added convenience, the button could automatically POST the code to a supplied URL.

I am having a bit of trouble with this, my web frontend works fine for the first hour, which is the validity of the token, after this I can not figure out how to refresh the token so I dont have to re-load the page. I have tried all sorts, but always the calls come back to the server with a "Null User"

I have not had this problem with authenticated python scripts accessing the same api on the same app engine..

Any clues? or is this not yet implemented?

I added this reauth method, calling it when I get a response of null user, but it doesnt seem to work as expected.

              reauth: function () {
                    handler.flowComplete = false;
                    gapi.auth.authorize( {
                        'client_id': CLIENT_ID,
                        'scope': SCOPES.join(' '),
                        'immediate': true},
                        handleAuthResult
                    );
                },

I am using the google signin with a appengine-api, the following is my appengine-client-api.html

<!--
Copyright (c) 2014 The Polymer Project Authors. All rights reserved.
This code may only be used under the BSD style license found at http://polymer.github.io/LICENSE.txt
The complete set of authors may be found at http://polymer.github.io/AUTHORS.txt
The complete set of contributors may be found at http://polymer.github.io/CONTRIBUTORS.txt
Code distributed by Google as part of the polymer project is also
subject to an additional IP rights grant found at http://polymer.github.io/PATENTS.txt
-->

<link rel="import" href="../bower_components/polymer/polymer.html">
<link rel="import" href="../bower_components/core-shared-lib/core-shared-lib.html">
<link rel="import" href="../bower_components/core-signals/core-signals.html">
<link rel="import" href="../bower_components/google-signin/google-signin.html">

<!--
Dynamically loads the Google Client JavaScript API, firing the `api-load` event when ready.

Any number of components can use `<google-client-api>` elements, and the library will only be loaded once.

@element google-client-api
@extends core-shared-lib
-->
<polymer-element name="appengine-client-api" extends="core-shared-lib"
        on-google-signin="">
    <script>
  Polymer({
    defaultUrl: 'https://apis.google.com/js/client.js?onload=%%callback%%',
    notifyEvent: 'api-load',
    get api() {
      return gapi.client;
    },
    get auth() {
      return gapi.auth;
    }
  });
</script>
</polymer-element>

<!--
Element for loading a specific Google API with the Javascript client library.

##### Example

    <google-api-loader id="shortener" name="urlshortener" version="v1">
    </google-api-loader>

    <script>
      var shortener = document.getElementById('shortener');
      shortener.addEventListener('google-api-load', function(event) {
        var request = shortener.api.url.get({'shortUrl': 'http://goo.gl/fbsS'});
        request.execute(function(resp) { console.log(resp); });
      });
    </script>

@element google-api-loader
@status alpha
@extends google-client-api
@homepage http://polymerlabs.github.io/google-apis
-->
<polymer-element name="appengine-api-loader"
                 attributes="name version"
                 extends="appengine-client-api"
                 on-api-load="{{doneLoadingClient}}"
                 on-google-auth-success="{{authSuccess}}">
    <template>
      <google-signin-aware scopes="https://www.googleapis.com/auth/userinfo.email"
                           on-google-signin-aware-success="{{onSigninSuccess}}"
                           on-signin-aware-failure="{{onSigninFailure}}"></google-signin-aware>

        <!--<core-signals on-core-signal-google-auth-ok="{{googleAuthOk}}"></core-signals>-->
        <content></content>
    </template>
    <script>
  (function() {
    'use strict';

    // Stores whether the API client is done loading.
    var clientLoaded_ = false;

    // Loaders and loading statuses for all APIs, indexed by API name.
    // This helps prevent multiple loading requests being fired at the same time
    // by multiple google-api-loader elements.
    var statuses_ = {};
    var loaders_ = {};

    Polymer('appengine-api-loader', {
      /**
       * Fired when the requested API is loaded.
       * @event google-api-load
       */

      /**
       * Fired if an error occurs while loading the requested API.
       * @event google-api-load-error
       */

      /**
       * Name of the API to load, e.g. 'urlshortener'.
       *
       * You can find the full list of APIs on the
       * <a href="https://developers.google.com/apis-explorer"> Google APIs
       * Explorer</a>.
       * @attribute name
       * @type string
       * @required
       */
      name: '',

      /**
       * Version of the API to load, e.g. 'v1'.
       * @attribute version
       * @type string
       * @required
       */
      version: '',

      // Used to fix events potentially being fired multiple times by
      // core-shared-lib.
      waiting: false,

      successEventName: 'appengine-api-load',
      errorEventName: 'appengine-api-load-error',

      /**
       * Returns the loaded API.
       * @method api
       */
      get api() {
        if (window.gapi && window.gapi.client &&
            window.gapi.client[this.name]) {
          return window.gapi.client[this.name];
        } else {
          return undefined;
        }
      },

      onSigninSuccess: function(event)
      {
         console.log('google-signin-success');
         this.fireSuccess(event);
      },
      onSigninFailure: function(event)
      {
        console.log('google-siginin-failure');
      },

      handleLoadResponse: function(response) {
        console.log('handleLoadResponse');
        if (response && response.error) {
          statuses_[this.name] = 'error';
          this.fireError(response);
        } else {
          statuses_[this.name] = 'loaded';
        }
      },

      fireSuccess: function(event) {

        window.setTimeout(function(){
          if(window.gapi.client[this.name] == undefined)
          {
            console.log('appengine-client-api success, but api.androidAPI null!!!');
            this.fireSuccess();
          }

          this.asyncFire(this.successEventName,
            { 'name': this.name, 'version': this.version});
          }.bind(this),500);
      },

      fireError: function(response) {
        if (response && response.error) {
          this.asyncFire(this.errorEventName, {
            'name': this.name,
            'version': this.version,
            'error': response.error });
        } else {
          this.asyncFire(this.errorEventName, {
            'name': this.name,
            'version': this.version });
        }
      },

      doneLoadingClient: function() {
        clientLoaded_ = true;
        // Fix for API client load event being fired multiple times by
        // core-shared-lib.
        if (!this.waiting) {
            console.log("doneLoadingClient");
            this.loadApi();
        }
      },




      createSelfRemovingListener: function(eventName) {
        var self = this;
        var handler = function () {
          loaders_[self.name].removeEventListener(eventName, handler);
          self.loadApi();
        };

        return handler;
      },

      loadApi: function() {
        if (clientLoaded_ && this.name && this.version) {
          this.waiting = false;
          // Is this API already loaded?
          if (statuses_[this.name] == 'loaded') {
            //this.fireSuccess();
          // Is a different google-api-loader already loading this API?
          } else if (statuses_[this.name] == 'loading') {
            this.waiting = true;
            loaders_[this.name].addEventListener(this.successEventName,
                this.createSelfRemovingListener(this.successEventName));
            loaders_[this.name].addEventListener(this.errorEventName,
                this.createSelfRemovingListener(this.errorEventName));
          // Did we get an error when we tried to load this API before?
          } else if (statuses_[this.name] == 'error') {
            this.fireError();
          // Otherwise, looks like we're loading a new API.
          } else {
            statuses_[this.name] = 'loading';
            loaders_[this.name] = this;
            gapi.client.load(this.name, this.version,
                this.handleLoadResponse.bind(this),
                '//' + window.location.host + '/_ah/api');
          }
        }
      }
    });
  })();
</script>
</polymer-element>

And in my index.html is

        <google-signin id="google_signin"
                       clientId="clientidpart-{{baseURI == 'http://localhost:8080/' ? 'clientidlocalhost' : 'clientidappspotcom'}}.apps.googleusercontent.com"
                       scopes="https://www.googleapis.com/auth/userinfo.email"
                       cookiePolicy="{{baseURI}}"
                       on-google-auth-success="{{onAuthSuccess}}"
                       on-google-signed-out="{{onAuthSignOut}}">
        </google-signin>

after logging out and refreshing the page, the tokens seems to persist. Im experiencing this on the demo page on #master as well.

I've implemented initial support for sign-out via gapi.auth.signOut() but am running into some issues with this actually logged the user out. Testing on gh-pages (as sign-out won't work on localhost), it is able to execute the logout call but doesn't respect it.

• Author release notes
• Bump bower.json to 0.3.0
• Review and land new implementation
• Tag new version
• Publish new version to gh-pages
• Investigate support for 0.3.0 in GWC elements using us as a dep

For security reasons I need to restrict the access only to people with google two factor authentication enabled. Is it possible to do this with the google signin component?

It requests #master directly, and a concrete version via core-signals. Bower complains when trying to install.

<google-signin> stopped working.

The demo at:
http://googlewebcomponents.github.io/google-signin/components/google-signin/demo.html

Returns 400. Error: redirect_uri_mismatch for every button.

Place them into separate files. Sounds reasonable?

googlewebcomponents.github.io isn't listed as an approved JavaScript origin in the Google Developers Console for 400542164111-q94vcbin3jp3fb2a0su1nm6gt4qpf86t.apps.googleusercontent.com, so the live demo leads to a Error: origin_mismatch when you test it out.

I ran into this situation which may or may not be an issue with Polymer or the Google API, however I tried everything to fix this without success.

I'll try to describe the issue as clear as possible,

The following is a reduced version of the function that handles the google-signin-success message:

function SigninSuccess(e, detail, sender) {
    gapi = e.detail.gapi;

    apiRoot = 'http://' + window.location.host + '/_ah/api/';

    gapi.client.load('bob', 'v1', function() {
      gapi.client.bob.ui.user_check().then(function(resp) {
        console.log('this: ' + this);
      }, function(resp) {
        if (resp.status == 401) {
          console.log("You are not an authorized user of this system, you are not allowed to go any further.");
        } else {
          console.log("Authentication failed.");
        }
      });
    }, apiRoot);
}

The function invokes a custom API method used to verify the user email is allowed to use the application.

This is a light Polymer app that relies on a backend API built on top of Google Cloud Endpoints, at first we disabled OAuth 2 in our backed, since we were merely experimenting with Polymer for the first time and wanted to speed up a bit the dev process, because of this we built all our backed interactions on top of core-ajax since at this point we didn't need to authenticate the requests, and It worked like a charm.

At some point we were more than excited with Polymer and decided to go a step further and build the actual thing and enabled OAuth 2 in the backend, wich led us to switch from core-ajax over to a GoogleWebComponents based solution because the OAuth 2 workflow is nicely wrapped within the components.

However, our app requires to make some API calls to our backend and deciced to build a custom element to do these kind of requests, the element contains some data wich is bound to one or some other elements.

This data is updated when the element is requested to and it invokes the appropriate API method through the gapi object, at this point the object has been passed through all the elements that need access to it through data binding to avoid further OAuth requests.

The gapi object is perfectly accessible by each and every who needs it, problem is, when there is need to process a method's call response, wich in our case, implies update internal data structures with data provided by the response object, at this point within the callback context, this points to the window object and not the element who made the call.

To circumvent this situation I save a reference to the current instance in the window object or in a variable outside the Polymer prototype, this reference is accessible in the callback, however this is a temporary solution I don't like because those variables are global and shared among all instances.

My hypothesis is, this method call is under the hood issued by another worker process spawned for this purpose, and somewhere in the process this is overriden by this process's window and never restored.

I'm new to Polymer and web components, I might have missed something, If needed I can provide a full working example wich reproduces the issue.

Thanks in advance,

Regards,

Ricardo

Hi,

I'm using latest revision of google-sign component in order to use the offline="true" attribute to implement Google's "one time code" authentication flow.

When using this attribute, the "google-signin-offline" event is not fired as expected.

I think this is because there is a small mistake in the code, line 378

if (self.offline && authResult.code) {
    handler.fire('google-signin-offline', {code: authResult.code});
}

I've solved the issue with the following code :

if (handler.offline && authResult.code) {
    handler.fire('google-signin-offline', {code: authResult.code});
}

Here's the patch I'm applying

diff --git a/google-signin.html b/google-signin.html
index 44089c0..492086c 100644
--- a/google-signin.html
+++ b/google-signin.html
@@ -375,7 +375,7 @@ google-signin-aware elements require additional user permissions.
                     }

                     // Trigger the google-signin-offline event when offline access code is present
-                    if (self.offline && authResult.code) {
+                    if (handler.offline && authResult.code) {
                         handler.fire('google-signin-offline', {code: authResult.code});
                     }

paper-focusable is deprecated and there is not 0.5 version which the bower.json depends on.

Please remove this dependency.

The 0.1.0 release has resolution issue with font-roboto. It's pulling #master when it should pull ~0.4.0

When I click the "component page" link in the README.md, I am directed to an empty page (http://addyosmani.github.io/google-signin/). I inspected the page and found that the file "platform.js" was responding with a 404 error (see above). I am using the latest version of chrome on a Windows 7, if that helps.

The older version of the web component had support for the offline attribute. Need to bring this back to the latest version. There was previously a bug that prevented it from working correctly. The bug should be fixed now. Need to test and add the logic back into the component.

There were some incorrect deps and move to core-signals that need accounting for.

10262da
ba247cf

cc @addyosmani

I haven't fully debugged this, reference the last instance of the element that relies on google-signin. For example:

<google-sheet id="one"></google-sheet>
<google-sheet id="two" key="123"></google-sheet>

Where google-sheet includes google-signin inside of the element def. When it fires google-signin-success, the element calls:

onSignInSuccess: function(e, detail, sender) {
  console.log(this);
}

this always reports <google-sheet id="two" key="123"></google-sheet>. I would expect to see both the elements get logged.

I believe what's happening is the shared/global state of google-signin is messing things up. window.handleAuthResult gets overwritten with handler to the latest instance.

Some questions / things to consider:

• We should probably switch to the js flow with "incremental authorization" to request additional scopes
• In attached meta tags are added to the main page. These are duplicated for multiple instances of google-signin. Consider fetching them from the DOM and updating them if they exist. This is particularly pertinent to scope and google-signin-callback.
• Similarly, how can multiple scope meta tags exist on the page?
• What happens with multiple meta tags for google-signin-clientid?

I'm referring to the on-* events as described here: https://www.polymer-project.org/docs/polymer/polymer.html#declarative-event-mapping . I'm new to polymer so maybe those have to be explicitly added to the component, but it sounds like Polymer automagically does it, or am I wrong there and you have to add the event listener?

I tried doing this:

<google-signin clientId="abc"
                 scopes="https://www.googleapis.com/auth/plus.login"
                 on-google-signin-success="{{alertme}}"
      ></google-signin>

<script>
Polymer('yo', {
   alertme: function(event, detail, sender) {
      alert("YO");
    }
 });
</script>

But it's never called. However, this works as expected:

  document.addEventListener('google-signin-success', function(e) {
    alert("YO")
  });

I added the element and attached an eventListener:

var gs = document.getElementById('testing');
        gs.addEventListener('google-signin-success' , function(e){
            console.log(e);
        });

here is the JSON representation of e.detail.user:

"{
    "El": "105333455535789574914",
    "UT": null,
    "B": {
        "G": "105333455535789574914",
        "ha": "??? ?????",
        "B": "[email protected]"
    }
}"

what are the El UT B B.G , B.ha B.B fields ?
Is it a problem with the library ?

If the element is not created timely, an already authorized user is not signed in automatically.

Can this work in a chrome extension? I've not had any success

I'm specifically interested to see it used in code injected into a (3rd party) web page by a content script, where the origin of the web page is not the same as the redirect_url which is https://appid.chromiumapp.org/provider_cb.

https://github.com/polymer/core-signals

Not sure if it's a problem of this component but 'sign out' doesn't work as I would want it to. Button state changes to 'sign in' but when I refresh the page it still shows as signed in. I get a feeling that it still has access to my app so it signs in automatically. Is there any way to make the sign out permanent (possibly remove the access of my app)?

This is what I get when trying to sign out:

{result: {error: user_signed_out, client_id: 301577259275-spg27tseu1fr50apprde0nf6kfrl0kb9.apps.googleusercontent.com, g_user_cookie_policy: single_host_origin, scope: https://www.googleapis.com/auth/userinfo.profile, response_type: code token id_token gsession, session_state: 36b0466edd06dc4e2c339b0158f4810c79c47264..2400, issued_at: 1408297021, expires_in: 86400, expires_at: 1408383421, g-oauth-window: null, status: {google_logged_in: true, signed_in: false, method: null}}}

<button> elements have several styling advantages over <input> elements and AFAIK, no disadvantages. Probably the biggest advantage is they allow the use of ::before and ::after pseudo-element styling.

In addition, <button> elements can have children so users could pass their own, already styled elements inside.

<google-signin clientId="...">
  <span class="my-button"></span>
</google-signin>

I think this approach would go a long way toward helping users style their own sign-in buttons, which would help with other issues too.

I've made the following change locally with no problems. If others agree, I'd be happy to submit a pull request, though I understand a lot of other stuff would probably have to be updated if this change were to be made.

<template if="{{ !signedIn }}">
  <button type="button" on-click="{{signIn}}">{{labelSignin}}</button>
</template>
<template if="{{ signedIn && !additionalAuth }}">
  <button type="button" on-click="{{signOut}}">{{labelSignout}}</button>
</template>
<template if="{{ signedIn && additionalAuth }}">
  <button type="button" on-click="{{signIn}}">{{labelAdditional}}</button>
</template>

Hi,

The link element to import the font-roboto component in google-signin.html is incorrect :

<link rel="import" href="../components/font-roboto/roboto.html">

should be

<link rel="import" href="../font-roboto/roboto.html">

This is annoying because vulcanize is failing to load this file.

Also, font-roboto componenent is using RobotoDraft font, so the syle definition is also incorrect.

Instead of

.buttonText {
                ...
                font-family: 'Roboto',arial,sans-serif;
            }

it should be :

.buttonText {
                ...
                font-family: 'RobotoDraft',arial,sans-serif;
            }

And finally, I think we can use font-roboto#0.4.0 instead of font-roboto#master : the content is the same, and it will remove bower components resolution (for example, paper-elements#0.4.0 depends on font-roboto#0.4.0).

A pull request is in progress, but let me know if some of the suggested changes looks not correct.

Thanks for the contribution for this web component

Issue: when using the same codebase and same browser on two different machines (one iMac and one Macbook air), both running Chrome 37.0.2062.94 (marked as 'up to date') I see two different behaviors exhibited when already logged in, then calling the URL or refreshing the page.

On the iMac, I am shown to be logged out.

On the Macbook, I am initially shown to be logged out, but I am then quickly logged in, the element changes from red login to grey log out, and a call is made to Google oauth, after which a toast element appears bottom of the screen, with my G+ image and a 'welcome back...' msg.

None of this process occurs on the desktop, even though its' the same code and the same browser. Are there known to be any issues with inconsistent behavior?

Currently, the button uses a template, adds a span and does some keypress listening. The Google+ Sign-In button already supports this in a cleaner (and kinda safer) way.

You could implement this as an optional light dom element, otherwise render a simple button and use the defined label attributes.

Could you make modular element with support for other auth providers?

See

• https://developers.google.com/+/best-practices/facebook
• http://adodson.com/hello.js/

This error is shown in the console under the following circumstances:

1. There is a <google-signin> element on the page.
2. There is a <google-signin-aware> element on the page.
3. The <google-signin-aware> element is domReady before gapi has been initialized (see https://github.com/GoogleWebComponents/google-signin/blob/master/google-signin.html#L314).

The error is generated at https://github.com/GoogleWebComponents/google-signin/blob/master/google-signin.html#L314.

If one has multiple accounts setup and authenticates with a couple of them, switching back and forth on these accounts causes one of them to never immediately auth after a page refresh. Only one of the accounts will allow itself to persist auth.

Furthermore, the accounts that don't immediately sign back in call the handleAuthResult callback twice each with the authResult.error set to user_signed_out.

Ive just placed the single element on the page to test this and can't seem to wrap my head around what's happening. Thoughts?

I tried this demo page at http://googlewebcomponents.github.io/google-signin/components/google-signin/demo.html with multiple google accounts signed in. Primary being gmail and secondary being a work account. When I clicked on Sign in account chooser is displayed, i Selected work account and its not signed in.
Below messages seen in console:
https://drive.google.com/file/d/0B71T1vBlMJ88YW90WTl1RkZLZlU/preview
If both the accounts are gmail.com accounts then its working fine.

The element currently does not handle dynamic changes updates to these properties.

It seems to me that google-signin-success is fired when the authentication credentials are validated. There is no documented event for when a profile is chosen. This makes it overly difficult to build an application which cares what profile you have chosen. If there is something I am missing please let me know :)

This took me a while to figure out. If it's not clear what I mean I can create a small example, but it's a bit annoying since I can't just make a fiddle.

When a google-signin-aware element requests scopes that have not yet been granted via OAuth (either the user hasn't signed off on them, or we just haven't done the immediate handshake yet), the flow basically looks like:

google-signin-aware.attached -> signal-google-auth-request -> google-signin.authRequest 
    -> XHR
<browser continues parsing and then later...>
XHR returns -> google-signin.authResult -> signal-google-auth-success 
    -> google-signin-aware catches signal

But if a google-signin-aware is attached to the DOM after this dance has already gone on, that break where the browser gets control doesn't happen, and control looks like:

google-signin-aware.attached -> signal-google-auth-request -> google-signin.authRequest 
    -> signal-google-auth-success

But for some reason at that point, google-signin-aware isn't yet ready to receive the signal.

I tested this hypothesis by wrapping the call to fire('polymer-signal', { name: 'google-auth-success', ... in a setTimeout(..., 0) (see here), and the code started working.

Seems like that's probably not the right solution, but I'm not familiar enough with the event model to know what is.

Hi,
Under some circumstances, the event 'google-signin-offline' is fired twice.

I've used the following code in the demo.html page to reproduce the issue :

    <google-signin
        clientId="xxxxxxx.apps.googleusercontent.com"
        offline="true"
        scopes="email" 
        width="wide" height="tall" 
        cookiePolicy="single_host_origin">
    </google-signin>


    <script>
        document.addEventListener("google-signin-offline", function (e) {
            console.log('received google-signin-offline event', e);
            // my usage of one time auth code here
        });
    </script>

The event is fired twice only when the user sign in for the first time, i.e. when he his prompted for consent.
Looking at the stack trace, I've found that the event 'core-signal-google-auth-result'is fired once from the gloabally defined callback in the meta tag, and once from the 'callback' parameter of the signIn method.

According to this : https://developers.google.com/+/web/signin/reference#page-config, this should not happen, but it does (again, only when after sign-in with the consent screen).

In my situation, this results in sending twice the authorization code to my server, which will try to exchange it twice with google API server.

In google-signin.html, there is the following code in the authResult method :

    // Only let the global defaultHandler trigger result signals to prevent fanning.
    if (this === defaultHandler && response.isGlobal) {

Would it be possible to add the same logic for firing the google-signin-offline event ?
Actually, the same applies to the 'google-signin-success' event.

Thanks
Pascal