Signing users with email link, not working with GCIP

[MrVentzi]

[REQUIRED] Describe your environment

• Operating System version: Windows 10
• Browser version: Version 91.0.4472.124
• Firebase UI version: _____
• Firebase SDK version: _____ "firebase": "^8.6.8", "firebaseui": "^4.8.0", "gcip-iap": "^0.1.4",

[REQUIRED] Describe the problem

Steps to reproduce:

1. Request to log in with ventsislav@xxxx.com

2. Select login with email

3. Email link sent by firebase

4. Open the link from email (https://xxxxx.firebaseapp.com/__/auth/action?apiKey=AIzxxxx0U-RsTwOxxxx9IL2_yxxx03Zrcilwclo&mode=signIn&oobCode=XS64xxxxaFX2d9QcdnSUYDQ5H6Pdg5y7kPvfv1dmSfsAAAF6i4R0_g&continueUrl=https://ventsi.xxxxxx.com/?mode%3Dlogin%26apiKey%3DAIzaSyD0U-RsTwOKei9IL2_y0JqU03Zrcilwclo%26tid%xxxxx-bey29%26state%3DeyJhbGciOiJFUzI1NiIsIxxxxXVCIsImtpZCI6InVYOGFfUSJ9.ABU4IVNvsBPF7iYz7Ug0DZUPDYpdQuWS-jZXoRMg6d7A_IhOLnNESVsVGoj3dmo_PLuxxxRdbXrGvAo4_MhoFTLLhsQn_vB8MpPVDznmEqcSbHtnNeEDXILdgPQUfpzrLC6Oas1VCvyIH46CUu-bBJDBywdylo5-pLPXsqxdZ5axxxqlrvCjw7SPvmmdM_5SJ3HTxOTfvZkXbj2OFmf8MyOHZ17WXbmtv6Yje4q9_22_KuR9acN4-GFWQiVVpKSvSoXBwuztwNbD-UNydScSwRvfJ8mj1n8hxxnwtOP8RjQX_xsh88yuyi6uY9IXv2eyFSD81zJJMMvyc_9ohWVrJQ0wYI_1O-9Jm0XklGm38Eaxxx213JYJr6C-3v5QRaAgq2xDx42MilVBqBFVuy6jaJ-fPYmexxsZ5Hh0VEn1gucipL06VsTcMeXTBsh-dgbznVdwmiYYuG7ossd20cs6P2xLUtxxxxY180wtnnCvxwVkcYERa1UO4sEhhoDM_kWykhIhpWkR9GwL4NfuAf0ZSwYgcCMYPJP4aqM34dVxKZuXSmdjLpFkHWRJ7gMxa45gpXM1xxxxxNso1TFbm_izUE86LYvYYpvqnfpkPV6Vv1xXxTw3Xm2Cj_77f1uKKQ3c3nqLGffOpUN.hOa8ekF_RVXjOkTVMVT_pTMy0gomADSAYxxxxqcB6i1jw8JydOCCpx13ji3LengsOBUbuAEGlB5RPZv-g%26redirect_uri%3Dhttps%253A%252F%252Fiap.googleapis.com%252Fv1beta1%252Fgcip%252Fresources%252FxxxxxxE796CA4%253AhandleRedirect%26ui_sid%3DHklGIx2VLnHxxxxxMdLsGGmeFTQqcDg%26ui_sd%3D0&lang=en&tenantId=xxxxxx-bey29)

5. Error encountered - Client specified an invalid argument. 5.1 JavaScript consoe error: "Uncaught (in promise) Error: Invalid mode" 5.2 FirebaseUI app URL parameters when error occurs: https://xxxxxx.xxxxxx.com/?tid=xxxxx-bey29&state=eyJhbGciOixxxxxsInR5cCI6IkpXVCIsImtpZCI6InVYOGFfUSJ9.ABU4IVNvsBPF7iYz7Ug0DZUPDYpdQuWS-jZXoRMg6d7A_IhOLnNESVsVGoj3dmo_PLuNAAiARdbXrGvAo4_MhoFTLLhsQn_vB8MpPVDznmEqcSbHtnNeEDXILdgPQUfpzrLC6Oas1VCvyIH46CUu-bBJDBywdylo5-pLPXsqxdZ5abEFchXqlrvCjw7SPvmmdM_5xxxxxxvZkXbj2OFmf8MyOHZ17WXbmtv6Yje4q9_22_KuR9acN4-GFWQiVVpKSvSoXBwuztwNbD-UNydScSwRvfJ8mj1n8h2M4nwtOP8RjQX_xsh88yuyi6uY9IXv2eyFSD81zJJMMvyc_9ohWVrJQ0wYI_1O-9Jm0XklGm38EaIFS2PB213JYJr6C-3v5QRaxxxxx42MilVBqBFVuy6jaJ-fPYmexxsZ5Hh0VEn1gucipL06VsTcMeXTBsh-dgbznVdwmiYYuG7ossd20cs6P2xLUtWtvOjpGOY180wtnnCvxwVkcYERa1UO4sEhhoDM_kWykhIhpWkR9GwL4NfuAf0ZSwYgcCMYPJP4aqM34dVxKZuxxxxxMxaxxxXM1gupTTNso1TFbm_izUE86LYvYYpvqnfpkPV6Vv1xXxTw3Xm2Cj_77f1uKKQ3c3nqLGffOpUN.hOa8ekF_RVXjOkTVMVT_pTMy0gomADSAYJir4ocTFqqcB6i1jw8JydOCCpx13ji3LengsOBUbuAEGlB5RPZv-g&redirect_uri=https%3A%2F%2Fiap.googleapis.com%2Fv1beta1%2Fgcip%2Fresources%2F89471910CE796CA4%3AhandleRedirect&ui_sid=HklGIx2VLnHB6mawFMdLsGGmeFTQqcDg&ui_sd=0&apiKey=AIzxx0U-RsTwOKei9IL2_yxxxx3Zrcilwclo&oobCode=XS64RqBxxxxUYDQ5H6Pdg5y7xxsAAAF6i4R0_g&mode=signIn&lang=en&tenantId=xxxxx-bey29

Everything else works (e.g. SAML, Google, Microsoft, Email/Password) but the passwordless login doesn't. Just says invalid mode and that's it.

Relevant Code:

Below is the code I have, although doesn't seem like the firebase sandbox can run it. It runs on a nodejs server on my local currently (behind a dns ventsi.xxxxx.com).

import { firebase } from '@firebase/app';
import "firebase/auth";
import * as firebaseui from 'firebaseui'
import * as ciap from 'gcip-iap';

const configs = {
    "API_KEY": {
        authDomain: 'myproject.firebaseapp.com',
        displayMode: 'identifierFirst', //  identifierFirst / optionFirst
        callbacks: {
            selectTenantUiShown: () => {
            },
            selectTenantUiHidden: () => {
            },
            signInUiShown: (tenantId) => {
            },
            beforeSignInSuccess: (user) => {
                return Promise.resolve(user);
            }
        },
        tenants: {
            "xxxxxx-bey29": {
                displayName: 'TEST',
                signInOptions: [
                    {
                        provider: firebase.auth.EmailAuthProvider.PROVIDER_ID,
                        signInMethod: firebase.auth.EmailAuthProvider.EMAIL_LINK_SIGN_IN_METHOD,
                        hd: 'xxxxx.com',
                        forceSameDevice: false,

                        emailLinkSignIn: function() {
                            return {
                                url: window.location.href,
                                handleCodeInApp: true,
                                canHandleCodeInApp: false,
                            };
                        }
                    },
                ],
                signInFlow: 'redirect'
                // immediateFederatedRedirect: true,
            },
        },
    },
};

const handler = new firebaseui.auth.FirebaseUiHandler(
    '#firebaseui-auth-container', configs);
const ciapInstance = new ciap.Authentication(handler);
ciapInstance.start();

[sam-gc]

Hi @MrVentzi, thanks for the detailed info. Would you mind sharing what kinds of errors are returned over the network (i.e. from the network tab in your debugger)? That might help us pinpoint the issue more precisely.

[MrVentzi]

Hi @sam-gc

ventsi.mydomain.com.har.zip Above is a har export with redacted strings.

From what i can tell, there is no errors across the network requests/responses. It seems to happen on the app side.

Let me know if you need me to provide anything else.

Keen to get this working as it is an MVP requirement for our new auth app.

[sam-gc]

I believe getting to the root of this issue is going to require more details about your app/setup. Would you mind following up with Cloud Support? They're better equipped to handle issues like this. https://console.cloud.google.com/support

[bojeil-google]

Hey @MrVentzi something is wrong with your continue URL. I am unable to decodeURIComponent() on it. Can you provide more details on how you are configuring this in FirebaseUI?

Separately, I also noticed you are using IAP with GCIP. If so, you need to ensure the flow ends on the same browser.

[bojeil-google]

Actually, I just realized, email link sign in won't work with IAP even in the same browser. The mode field is also used by IAP. FirebaseUI can't handle IAP modes and IAP sign in page handler can't handle these out of band modes.

We should probably document that email link sign in is not supported by IAP.

The error you are seeing is from the IAP library and not FirebaseUI.

[MrVentzi]

Thanks for the info @bojeil-google. It does however sound like a bug rather than intended incompatibility.

Considering the email provider works just fine when using passwords, it feels like it should work with email link as well.

How do we go about getting this to work?

[mfriedy]

Hi, is there any update / suggested workaround for this? Using email links to sign into IAP is exactly the solution I'm looking for