firebase / flutterfire

🔥 A collection of Firebase plugins for Flutter apps.
https://firebase.google.com/docs/flutter/setup
BSD 3-Clause "New" or "Revised" License

🐛 [Firebase_Auth] reCaptcha page pops even though play integrity configured #10593

Closed lironzemingo closed 10 months ago

lironzemingo commented 1 year ago

I have added Firebase auth to my app, configured AppCheck with Play integrity, added SHA-1 in Settings, added my SHA-256 (in Firebase console -> settings, and also under Play Integrity), and also my debug token. This code runs before runApp:

```dart
WidgetsFlutterBinding.ensureInitialized();
await Firebase.initializeApp();
await FirebaseAppCheck.instance.activate(
  webRecaptchaSiteKey: 'recaptcha-v3-site-key',
  androidProvider: _isDevEnvironment()
      ? AndroidProvider.debug
      : AndroidProvider.playIntegrity,
);
```

I expect not to see the reCaptcha page when calling firebaseAuth.verifyPhoneNumber(...) but I still see the reCaptcha screen. What am I missing? I followed every instruction in the documents.

Pubspec:

```yaml
name: XXX
description: A new Flutter project.

publish_to: 'none' # Remove this line if you wish to publish to pub.dev
version: 0.1.0+1

environment:
  sdk: '>=2.19.2 <3.0.0'

dependencies:
  flutter:
    sdk: flutter

  bloc: ^8.1.1
  cached_network_image: ^3.2.3
  country_calling_code_picker: ^2.0.1
  crop_your_image: ^0.7.4
  cupertino_icons: ^1.0.5
  device_info_plus: ^8.1.0
  dio: ^5.0.0
  equatable: ^2.0.5
  fimber: ^0.6.6
  firebase_app_check: ^0.1.1+13
  firebase_auth: ^4.2.7
  firebase_core: ^2.6.0
  firebase_crashlytics: ^3.0.15
  firebase_performance: ^0.9.0+14
  flutter_bloc: ^8.1.2
  flutter_contacts: ^1.1.6
  flutter_easyloading: ^3.0.5
  flutter_flavor: ^3.1.1
  flutter_keyboard_visibility: ^5.4.0
  flutter_native_splash: ^2.2.18
  flutter_secure_storage: ^8.0.0
  flutter_svg: ^2.0.2
  get_it: ^7.2.0
  go_router: ^6.0.6
  google_fonts: ^4.0.3
  http_parser: ^4.0.2
  image: ^4.0.15
  image_picker: ^0.8.6+3
  json_annotation: ^4.8.0
  just_the_tooltip: ^0.0.12
  path_provider: ^2.0.13
  permission_handler: ^10.2.0
  pinput: ^2.2.31
  retrofit: ^4.0.1
  get: ^4.6.5
  share_plus: ^6.3.1
  tap_debouncer: ^2.0.2
  url_launcher: ^6.1.10

  webview_flutter: ^4.0.5

dev_dependencies:
  flutter_test:
    sdk: flutter

  build_runner: ^2.3.3
  flutter_gen_runner: ^5.2.0
  flutter_lints: ^2.0.1
  json_serializable: ^6.6.1
  retrofit_generator: ^5.0.0

flutter_native_splash:
  color: '#000000'

  image: assets/images/logo_native_splash_4x.png

flutter_gen:
  output: lib/core/gen

  integrations:
    flutter_svg: true

flutter:

  uses-material-design: true

  assets:
```

```
[!] Flutter (Channel stable, 3.7.3, on macOS 12.6 21G115 darwin-arm64, locale en-IL)
    • Flutter version 3.7.3 on channel stable at /Users/lironitzhaki/flutter
    ! Warning: dart on your path resolves to /usr/local/Cellar/dart/2.19.3/libexec/bin/dart, which is not inside your current Flutter SDK checkout at /Users/lironitzhaki/flutter. Consider adding /Users/lironitzhaki/flutter/bin to the front of your path.
    • Upstream repository https://github.com/flutter/flutter.git
    • Framework revision 9944297138 (5 weeks ago), 2023-02-08 15:46:04 -0800
    • Engine revision 248290d6d5
    • Dart version 2.19.2
    • DevTools version 2.20.1
    • If those were intentional, you can disregard the above warnings; however it is recommended to use "git" directly to perform update checks and upgrades.

[✓] Android toolchain - develop for Android devices (Android SDK version 32.1.0-rc1)
    • Android SDK at /Users/lironitzhaki/Library/Android/sdk
    • Platform android-33, build-tools 32.1.0-rc1
    • Java binary at: /Applications/Android Studio.app/Contents/jre/Contents/Home/bin/java
    • Java version OpenJDK Runtime Environment (build 11.0.13+0-b1751.21-8125866)
    • All Android licenses accepted.

[✓] Xcode - develop for iOS and macOS (Xcode 14.2)
    • Xcode at /Applications/Xcode.app/Contents/Developer
    • Build 14C18
    • CocoaPods version 1.11.3

[✓] Chrome - develop for the web
    • Chrome at /Applications/Google Chrome.app/Contents/MacOS/Google Chrome

[✓] Android Studio (version 2021.3)
    • Android Studio at /Applications/Android Studio.app/Contents
    • Flutter plugin can be installed from: 🔨 https://plugins.jetbrains.com/plugin/9212-flutter
    • Dart plugin can be installed from: 🔨 https://plugins.jetbrains.com/plugin/6351-dart
    • Java version OpenJDK Runtime Environment (build 11.0.13+0-b1751.21-8125866)

[✓] Connected device (3 available)
    • SM S908E (mobile) • R5CT3493C5J • android-arm64 • Android 13 (API 33)
    • macOS (desktop) • macos • darwin-arm64 • macOS 12.6 21G115 darwin-arm64
    • Chrome (web) • chrome • web-javascript • Google Chrome 110.0.5481.177

[✓] HTTP Host Availability
    • All required HTTP hosts are available

! Doctor found issues in 1 category.
```

darshankawar commented 1 year ago

@lironzemingo The default method is captcha so if you are using SMS auth, the captcha will be shown. The play integrity or app_check is not default. Since you already have SHAs already configured, the app will be using this setting and hence the captcha might be showing up.

In order to narrow down this behavior to only firebase_auth and play integrity (app_check), can you trim down this use case without any third party package implementation ? or just try to see if recaptcha is still shown only using barebone sample project ?

lironzemingo commented 1 year ago

@darshankawar thank you for your reply. I've created a project with only these dependencies:

 firebase_app_check: ^0.1.1+13
 firebase_auth: ^4.2.7
 firebase_core: ^2.6.0

with the same applicationId and same google-services.json. Still, when calling firebaseAuth.verifyPhoneNumber(...), the reCaptcha page appears. Any thoughts?

darshankawar commented 1 year ago

> I expect not to see the reCaptcha page when calling firebaseAuth.verifyPhoneNumber(...) but I still see the reCaptcha screen.

@lironzemingo Curious to know as why recaptcha should not be shown ? Since you are trying to authenticate the phone number by using SMS, the recaptcha will be shown if I am not wrong.

lironzemingo commented 1 year ago

@darshankawar in any of the apps that use OTP I've never been displayed with this page. maybe they don't use Firebase... anyway, it says in the docs that this can be avoided by using AppCheck, so I expect this to work. or maybe I misunderstood the purpose of AppCheck

darshankawar commented 1 year ago

Can you please link the documentation ?

darshankawar commented 1 year ago

Also check this issue and underlying comments for further reference:

https://github.com/firebase/flutterfire/issues/10467

https://github.com/firebase/flutterfire/issues/10174#issuecomment-1370623683

abdu292 commented 1 year ago

@darshankawar If you are from the official team, could you confirm this is a known issue and we should wait until this is fixed? Your response would help us talk to our clients and get going with what we have. We have been spending too much time trying to get rid off the captcha thinking this is a config issue from our side. Thanks a bunch!

lironzemingo commented 1 year ago

> Can you please link the documentation ?

what I understand from this link is that if I use Play Integrity, it serves as a valid attestation provider, and is supposed to be instead of reCaptcha. am I wrong? does Firebase Auth use both Play Integrity and reCaptcha?

aqsashaikh88 commented 1 year ago

Facing the same issue with reCaptcha. Has anyone found any solution to this?

abdu292 commented 1 year ago

@darshankawar Any response on this would be greatly appreciated. (Please see my previous comment)

darshankawar commented 1 year ago

Thanks for the update and patience. I am going ahead and labeling this for team's attention and visibility on expected behavior.

/cc @Lyokone

vrishank97 commented 1 year ago

Still facing this issue. Any solution?

AhmedElKenawy commented 1 year ago

any updates ?

seungku commented 1 year ago

I'm also facing this issue.

russellwheatley commented 1 year ago

It is my understanding that you shouldn't see a reCaptcha box if you're using firebase app check. As far as I'm aware, it should handle it in the background and send the user an sms code to verify the user. I wonder if there is a bug in the native SDK 🤔

I think the first port of call is figuring out whether this has recently started happening. Can anyone confirm is this due to a version change? (i.e. it was working, and now it isn't because you upgraded dependency versions).

repo-jayptl commented 1 year ago

Same issue...

nohe427 commented 1 year ago

Thanks for reporting this issue. I believe that there are potentially a few instances where the fallback to reCAPTCHA could occur:

  1. The wrong version of firebase_auth is used. firebase_auth version 4.4.0 is the first version to support Play Integrity API for SMS verification.
  2. You only have a SHA-1 certificate fingerprint registered in the Firebase console. You will need to have the SHA-256 fingerprint certificate registered.
  3. You have the wrong certificate registered. You may have accidentally used your upload certificate rather than the Google Play Signing certificate. You can validate that the Google Play Signing certificate is registered by visiting the Google Play Console, selecting your application, and then in the right hand bar, under Setup, selecting App Integrity. Then in the main window, select App signing and validate that your App signing key certificate (SHA-256 and SHA-1) are registered in the Firebase console. You can also use Peter’s Asset Link Tool to validate that the app deployed on your device is using the right fingerprint as well. This video, while a little outdated and targeted for a web audience, can help you find where in the console to grab your SHA-256 fingerprint.
  4. You deployed straight to your phone rather than downloaded the app from the Play Store. The app needs to come from the Play Store on a real device for Play Integrity API to be used. Otherwise, it may fall back to reCAPTCHA.
  5. You may have exhausted your daily quota of 10,000 API calls per day. If so, you can request a lift on the limit.

A few other notes:

google-oss-bot commented 1 year ago

Hey @lironzemingo. We need more information to resolve this issue but there hasn't been an update in 7 weekdays. I'm marking the issue as stale and if there are no new updates in the next 7 days I will close it automatically.

If you have more information that will help us get to the bottom of this, just add a comment!

lironiz commented 1 year ago

> Thanks for reporting this issue. I believe that there are potentially a few instances where the fallback to reCAPTCHA could occur:
>
>   1. The wrong version of firebase_auth is used. firebase_auth version 4.4.0 is the first version to support Play Integrity API for SMS verification.
>   2. You only have a SHA-1 certificate fingerprint registered in the Firebase console. You will need to have the SHA-256 fingerprint certificate registered.
>   3. You have the wrong certificate registered. You may have accidentally used your upload certificate rather than the Google Play Signing certificate. You can validate that the Google Play Signing certificate is registered by visiting the Google Play Console, selecting your application, and then in the right hand bar, under Setup, selecting App Integrity. Then in the main window, select App signing and validate that your App signing key certificate (SHA-256 and SHA-1) are registered in the Firebase console. You can also use Peter’s Asset Link Tool to validate that the app deployed on your device is using the right fingerprint as well. This video, while a little outdated and targeted for a web audience, can help you find where in the console to grab your SHA-256 fingerprint.
>   4. You deployed straight to your phone rather than downloaded the app from the Play Store. The app needs to come from the Play Store on a real device for Play Integrity API to be used. Otherwise, it may fall back to reCAPTCHA.
>   5. You may have exhausted your daily quota of 10,000 API calls per day. If so, you can request a lift on the limit.
>
> A few other notes:
>
>   • As far as I can tell, App Check is not required to be set up on the device. Play Integrity API is baked into the firebase_auth package and no additional client setup is required (other than registering keys, etc.).
>   • Off play flows are not supported - you must download the app from Google Play and be running on a real device for this to work.
>   • You must register the Google Play Signing Certificate if your app uses Play Signing (unless you were published prior to August 2021 and didn’t upgrade to Play Signing, you likely are using Play Signing).
>   • Also, ensure you are running the latest version of Google Play services.

thanks @nohe427 . my app is only in the early development stage and was not deployed yet in Google Play. so if I understand correctly, what you're saying is that until I sign and upload it to Play, during development I will have to go through reCaptcha with every OTP login. am I right?

nohe427 commented 1 year ago

> thanks @nohe427 . my app is only in the early development stage and was not deployed yet in Google Play. so if I understand correctly, what you're saying is that until I sign and upload it to Play, during development I will have to go through reCaptcha with every OTP login. am I right?

Correct. You will likely need six certificate fingerprints registered with firebase: debug key sha1 and 256, upload key (otherwise known as release key) sha 1 and sha256, and play signing key (sha1 and 256). Play signing uses the sha256 key and the sha1 is used by reCaptcha
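
As an added example (not from the thread or the FlutterFire project), a small Python audit of the six fingerprints listed in the comment above against what is registered. The certificate bytes are constructed stand-ins for DER-encoded certificate files, and the key labels and function names are assumptions.

```python
import hashlib
import re

# Assumed labels for the three signing certificates named in the thread;
# each needs both a SHA-1 and a SHA-256 fingerprint registered.
REQUIRED_KEYS = ("debug", "upload", "play_signing")
ALGORITHMS = ("sha1", "sha256")


def fingerprint(cert_der: bytes, algorithm: str) -> str:
    """Digest of the DER-encoded certificate as colon-separated uppercase hex."""
    digest = hashlib.new(algorithm, cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(value: str) -> str:
    """Canonical form for comparison: no colons or whitespace, uppercase hex."""
    compact = re.sub(r"[\s:]", "", value).upper()
    if not re.fullmatch(r"[0-9A-F]{40}|[0-9A-F]{64}", compact):
        raise ValueError(f"not a SHA-1 or SHA-256 fingerprint: {value!r}")
    return compact


def audit(certs: dict, registered: list) -> dict:
    """Compare the fingerprints the certificates produce with the registered list.

    Returns the (key, algorithm) slots that are not registered, plus registered
    entries that match none of the supplied certificates (for example a
    fingerprint from a retired or wrong certificate).
    """
    registered_set = {normalize(entry) for entry in registered}
    expected = {
        (key, algo): normalize(fingerprint(certs[key], algo))
        for key in REQUIRED_KEYS
        for algo in ALGORITHMS
    }
    missing = [slot for slot, fp in expected.items() if fp not in registered_set]
    unmatched = sorted(registered_set - set(expected.values()))
    return {"missing": missing, "unmatched": unmatched}


# Constructed sample input: placeholder bytes standing in for the DER bytes of
# each certificate. With real files, read each exported .der file in binary mode.
SAMPLE_CERTS = {
    "debug": b"constructed-debug-certificate",
    "upload": b"constructed-upload-certificate",
    "play_signing": b"constructed-play-signing-certificate",
}

# Constructed "registered" list as it might be copied by hand from a console:
# mixed formatting, the Play signing SHA-256 left out, one stale entry present.
SAMPLE_REGISTERED = [
    fingerprint(SAMPLE_CERTS["debug"], "sha1"),
    fingerprint(SAMPLE_CERTS["debug"], "sha256"),
    fingerprint(SAMPLE_CERTS["upload"], "sha1"),
    fingerprint(SAMPLE_CERTS["upload"], "sha256").replace(":", "").lower(),
    fingerprint(SAMPLE_CERTS["play_signing"], "sha1"),
    fingerprint(b"constructed-retired-certificate", "sha1"),
]

if __name__ == "__main__":
    report = audit(SAMPLE_CERTS, SAMPLE_REGISTERED)
    for key, algo in report["missing"]:
        print(f"NOT REGISTERED: {key} {algo}")
    for entry in report["unmatched"]:
        print(f"registered but matches no supplied certificate: {entry}")
```

On the constructed sample the only missing slot is the Play signing SHA-256, the gap the checklist above warns about.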

kakky0418 commented 1 year ago

I have the following versions installed

 firebase_core: ^2.9.0
 firebase_analytics: ^10.2.0
 firebase_auth: ^4.4.1
 firebase_messaging: ^14.4.0
 firebase_dynamic_links: ^5.1.0
 firebase_database: ^10.1.0
 firebase_app_check: ^0.1.2+1
 firebase_crashlytics: ^3.1.0

but there is a problem.

PlayCore: UID: [10584] PID: [1641] IntegrityService : requestIntegrityToken(IntegrityTokenRequest{nonce=xxxxxxxxxxxxxxxxxx, cloudProjectNumber=xxxxxxxxxxxxxxxxxxxxxxxxxx})
PlayCore: UID: [10584] PID: [1641] IntegrityService : Initiate binding to the service.
PlayCore: UID: [10584] PID: [1641] IntegrityService : ServiceConnectionImpl.onServiceConnected(ComponentInfo{com.android.vending/com.google.android.finsky.integrityservice.IntegrityService})
PlayCore: UID: [10584] PID: [1641] IntegrityService : linkToDeath
Finsky : [265] jxl.b(23): requestIntegrityToken() finished for [package_name]
PlayCore: UID: [10578] PID: [13639] OnRequestIntegrityTokenCallback : onRequestIntegrityToken
PlayCore: UID: [10578] PID: [13639] IntegrityService : Unbind from service.

I am installing from an actual device, Google PlayStore. Is anyone else experiencing the same issue?

belh-sara commented 1 year ago

facing the same issue with the ReCaptcha page popping up, even though I followed the instructions provided in the documentation (https://firebase.google.com/docs/app-check/flutter/default-providers).

My app is already on the Play Store with the Play Integrity configuration in place, but the ReCaptcha page continues to appear, interrupting the user flow. I am using Flutter version 3.7.11 and Dart version 2.9.16.

I am currently using the latest version of Firebase and have the following dependencies in my pubspec.yaml file:

  firebase_core: ^2.9.0
  firebase_analytics: ^10.2.0
  firebase_auth: ^4.4.1
  firebase_messaging: ^14.4.0
  firebase_dynamic_links: ^5.1.0
  firebase_database: ^10.1.0
  firebase_app_check: ^0.1.2+1
  firebase_crashlytics: ^3.1.0

even if all of the following is verified:

> Thanks for reporting this issue. I believe that there are potentially a few instances where the fallback to reCAPTCHA could occur:
>
>   1. The wrong version of firebase_auth is used. firebase_auth version 4.4.0 is the first version to support Play Integrity API for SMS verification.
>   2. You only have a SHA-1 certificate fingerprint registered in the Firebase console. You will need to have the SHA-256 fingerprint certificate registered.
>   3. You have the wrong certificate registered. You may have accidentally used your upload certificate rather than the Google Play Signing certificate. You can validate that the Google Play Signing certificate is registered by visiting the Google Play Console, selecting your application, and then in the right hand bar, under Setup, selecting App Integrity. Then in the main window, select App signing and validate that your App signing key certificate (SHA-256 and SHA-1) are registered in the Firebase console. You can also use Peter’s Asset Link Tool to validate that the app deployed on your device is using the right fingerprint as well. This video, while a little outdated and targeted for a web audience, can help you find where in the console to grab your SHA-256 fingerprint.
>   4. You deployed straight to your phone rather than downloaded the app from the Play Store. The app needs to come from the Play Store on a real device for Play Integrity API to be used. Otherwise, it may fall back to reCAPTCHA.
>   5. You may have exhausted your daily quota of 10,000 API calls per day. If so, you can request a lift on the limit.
>
> A few other notes:
>
>   • As far as I can tell, App Check is not required to be set up on the device. Play Integrity API is baked into the firebase_auth package and no additional client setup is required (other than registering keys, etc.).
>   • Off play flows are not supported - you must download the app from Google Play and be running on a real device for this to work.
>   • You must register the Google Play Signing Certificate if your app uses Play Signing (unless you were published prior to August 2021 and didn’t upgrade to Play Signing, you likely are using Play Signing).
>   • Also, ensure you are running the latest version of Google Play services.

nohe427 commented 1 year ago

@kakky0418 & @belh-sara

niladri-raychaudhuri commented 1 year ago

Facing the same issue here. In addition, the SMS that I receive no longer has the <AppName> but <FirebaseProjectId>.firebaseapp.com, which usually appears in debug mode. I am not sure if both are linked issues. NOTE: It was working fine in my last to last PlayStore release until I updated some of the Firebase plugins from pub.dev; I could not figure out which one.

Lyokone commented 1 year ago

We published a new version of firebase_core that includes some fixes on the Native SDK. Can you try to see if bumping your app to the latest firebase_core and firebase_auth package version solve the issue (don't hesitate to run flutterfire update to ensure that you are using the latest packages)

belh-sara commented 1 year ago

@nohe427 I'm currently using a Samsung Galaxy M31s with Android version 12 and Play Store version 35.3.10-21. Unfortunately, I'm still seeing the reCaptcha screen. However, I have confirmed that both keys are registered in Firebase console.

> @kakky0418 & @belh-sara
>
>   • Can you provide some details on the device that you are using for testing?
>   • What happens when trying to use this flow? Are you still seeing the reCAPTCHA screen?
>   • Have you confirmed that the SHA256 and SHA1 for Play Signing is registered in the firebase console and is attributed to the app using Peter's Asset Link Tool?

belh-sara commented 1 year ago

@Lyokone I have updated to the latest version of firebase core but the problem still persists. Here are the dependencies in my pubspec.yaml file:

firebase_core: ^2.10.0
firebase_analytics: ^10.2.1
firebase_auth: ^4.4.2
firebase_messaging: ^14.4.1
firebase_dynamic_links: ^5.1.1
firebase_database: ^10.1.1
firebase_app_check: ^0.1.2+2
firebase_crashlytics: ^3.1.1

Additionally, the SMS that I receive no longer contains <AppName>, but rather <FirebaseProjectId>.firebaseapp.com as pointed out by @niladri-raychaudhuri.

> We published a new version of firebase_core that includes some fixes on the Native SDK. Can you try to see if bumping your app to the latest firebase_core and firebase_auth package version solve the issue (don't hesitate to run flutterfire update to ensure that you are using the latest packages)

Tchisky commented 1 year ago

Same issue

niladri-raychaudhuri commented 1 year ago

> We published a new version of firebase_core that includes some fixes on the Native SDK. Can you try to see if bumping your app to the latest firebase_core and firebase_auth package version solve the issue (don't hesitate to run flutterfire update to ensure that you are using the latest packages)

@Lyokone

I did a Playstore release yesterday upgrading the Firebase dependencies as follows:

  firebase_core: ^2.10.0
  firebase_auth: ^4.4.2
  cloud_firestore: ^4.5.2
  firebase_storage: ^11.1.1
  firebase_dynamic_links: ^5.1.1
  firebase_app_check: ^0.1.2+2
  firebase_messaging: ^14.4.1
  cloud_functions: ^4.1.1

Also ran flutterfire update to make sure all the dependencies are upgraded in pubspec.lock

Activated AppCheck in Flutter as follows:

await FirebaseAppCheck.instance.activate(
      androidProvider: AndroidProvider.playIntegrity,
    );

Double checked all six SHA1 and SHA256 fingerprints in Firebase project settings and all 3 SHA256 in AppCheck panel.

Checked the device's Google Play Services and it does not show any update from which I assume its the latest version. (Showing version 23.13.12)

However, after the release, I downloaded and checked the login, the issues EXISTS

  1. Redirecting to ReCaptcha page for validation.
  2. The OTP sms does not have the AppName but the packagename.firebaseapp.com

NOTE: Requesting others to check in non-SAMSUNG device as all my phones are SAMSUNG model.

AhmadHijazi6 commented 1 year ago

I did exactly as you, and downloaded the app from the Google Play Store on a Xiaomi device and yet getting redirecting to ReCaptcha page for validation and the OTP sms does not have the AppName but the packagename.firebaseapp.com. The device details: Brand: Xiaomi Model: Redmi Note 8 Version: Android 11

kakky0418 commented 1 year ago

> Have you confirmed that the SHA256 and SHA1 for Play Signing is registered in the firebase console and is attributed to the app using Peter's Asset Link Tool?

Yes. I checked again and it was fine.

The device details:

Brand: Google
Model: Google Pixel 3a XL
Version: Android 12

I seem to have a similar issue here https://github.com/invertase/react-native-firebase/issues/7030

ridwan-aswan commented 1 year ago

@Lyokone

I have the same issue, my app has been released on the Play Store, and all configurations are in accordance with the documentation. I updated my app's Firebase configuration using Firebase CLI, and I have done the following:

  1. Setting in Play Console: App integrity > Integrity API > Google Cloud project (corresponding to the Firebase project)
  2. Enabling in Firebase project: AppCheck > Play Integrity, with 3 Certificates:
    1. SHA-256 Certificate Debug
    2. SHA-256 Certificate Release
    3. SHA-256 Certificate Google Play Signing
  3. Adding in Firebase Project Settings with 6 Certificates:
    1. SHA-1 Certificate Debug
    2. SHA-256 Certificate Debug
    3. SHA-1 Certificate Release
    4. SHA-256 Certificate Release
    5. SHA-1 Certificate Play Signing
    6. SHA-256 Certificate Play Signing
  4. Registering SHA-1 certificate in the Google Cloud Console project
  5. Using the latest Firebase libraries: firebase_core: ^2.10.0 firebase_auth: ^4.4.2 firebase_messaging: ^14.4.1 firebase_app_check: ^0.1.2+2

Before 2023, my app was running well (using SafetyNet). However, when I started the project again in early April 2023, which now uses Play Integrity, my app cannot send OTP SMS. I have tried various methods, including updating the Firebase libraries. Please help with this issue; I am using a Huawei P30 Pro.

```
I/PlayCore(18047): UID: [11078] PID: [18047] IntegrityService : requestIntegrityToken(IntegrityTokenRequest{nonce=Sn-xxxxxxxxxxxxxxxxxxx-xAc, cloudProjectNumber=xxxxxxxxxxx})
I/PlayCore(18047): UID: [11078] PID: [18047] IntegrityService : Initiate binding to the service.
I/PlayCore(18047): UID: [11078] PID: [18047] IntegrityService : ServiceConnectionImpl.onServiceConnected(ComponentInfo{com.android.vending/com.google.android.finsky.integrityservice.IntegrityService})
I/PlayCore(18047): UID: [11078] PID: [18047] IntegrityService : linkToDeath
I/PlayCore(18047): UID: [11078] PID: [18047] OnRequestIntegrityTokenCallback : onRequestIntegrityToken
I/PlayCore(18047): UID: [11078] PID: [18047] IntegrityService : Unbind from service.
E/FirebaseAuth(18047): [SmsRetrieverHelper] SMS verification code request failed: unknown status code: 18002 null
```

[firebase_auth/missing-client-identifier] This request is missing a valid app identifier, meaning that Play Integrity checks, SafetyNet checks, and reCAPTCHA checks were unsuccessful. Please try again, or check the logcat for more details.

weixifan commented 1 year ago

I want to clarify an incorrect assumption about App Check: The required Play Integrity protection (with reCAPTCHA fallback) on phone auth in Firebase Authentication is completely unrelated to Firebase App Check. These two mechanisms are distinct, and require separate configuration workflows (though you can use the same underlying Google Play app to set both up). Using App Check in your app does not automatically set up the Play Integrity piece in the phone auth set up flow.

weixifan commented 1 year ago

Regarding the fallback to reCAPTCHA, in addition to the above discussions, I also suggest using the following process to see what verdict Play Integrity is generating for your device. In the latest version of the Google Play Store app, you can find a new feature that lets you check how Play Integrity would evaluate your device and what labels it would generate for your device. Please follow these instructions to check the Play Integrity API device verdict for your device to see if there are any problems.

nohe427 commented 1 year ago

Falling back to reCaptcha

If you are getting a reCaptcha screen instead of the Play Integrity verdict, we know about this issue. I will try to update the thread when I have more information. -- UPDATE: SEE THIS COMMENT https://github.com/firebase/flutterfire/issues/10593#issuecomment-1516913704

Failing to fallback to reCaptcha, and getting an error message

If you are getting a message about missing identifiers, please confirm the following:

The certificate fingerprints from the Play Console [image]

match the fingerprints registered in the Firebase console [image]

which, when using Peters Asset Link tool, also has a matching SHA-256 fingerprint [image]

Both the SHA-1 and SHA-256 fingerprints need to be used in the Firebase console.

In previous testing, I have seen the following error messages relate to the following scenarios:

SHA256 debug key registered, no play store deployment under this package name

This request is missing a valid app identifier, meaning that Play Integrity checks, SafetyNet checks, and reCAPTCHA checks were unsuccessful. Please try again or check the logcat for more details.

SHA-256 Play Store Key Registered - Play Store Registration - Upload Key used for app signing but not registered in firebase console

The app is not authorized to use Firebase Authentication. Please verify that the correct package name and SHA-1 are configured in the Firebase console. [ A play_integrity_token was passed, but no matching SHA-256 was registered in the Firebase console. Please make sure that this application's packageName/SHA256 pair is registered in the Firebase Console. ]

For all of these error messages, make sure that you register the upload key, debug key, and Play signing key in the Firebase console for the package you are working with (both the SHA-1 and SHA-256 fingerprints).

UPDATE: If all signing keys are registered, see this comment -> https://github.com/firebase/flutterfire/issues/10593#issuecomment-1520911877
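The fingerprint check described in the comment above, as an added example that is not part of the original thread or of the FlutterFire project: it computes the SHA-1 and SHA-256 fingerprints of each signing certificate and reports which ones are absent from the list registered in the Firebase console. The certificate bytes, the key names and the registered list are constructed placeholders; real input would be the DER-encoded certificates and the fingerprints copied from the console.

```python
import hashlib

# Constructed stand-ins for DER-encoded signing certificates (assumption: in
# practice these bytes come from the keystore export or the Play Console).
CERTS = {
    "debug": b"constructed-debug-cert-der",
    "upload": b"constructed-upload-cert-der",
    "play_signing": b"constructed-play-signing-cert-der",
}

def fingerprint(der: bytes, algo: str) -> str:
    """Colon-separated upper-case hex digest of the certificate bytes."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fp: str) -> str:
    """Accept fingerprints pasted with or without colons/spaces, in any case."""
    hexchars = "".join(c for c in fp if c not in ": \t").upper()
    if len(hexchars) not in (40, 64) or any(c not in "0123456789ABCDEF" for c in hexchars):
        raise ValueError(f"not a SHA-1/SHA-256 fingerprint: {fp!r}")
    return hexchars

def missing_registrations(certs, registered):
    """Return sorted (key_name, algo) pairs whose fingerprint is not registered."""
    known = {normalize(fp) for fp in registered}
    missing = []
    for name, der in certs.items():
        for algo in ("sha1", "sha256"):
            if normalize(fingerprint(der, algo)) not in known:
                missing.append((name, algo))
    return sorted(missing)

def constructed_console_list():
    # Constructed "registered in the console" list: the debug key is complete,
    # the Play signing key has only SHA-1, and the upload key is absent.
    return [
        fingerprint(CERTS["debug"], "sha1"),
        fingerprint(CERTS["debug"], "sha256").lower(),
        fingerprint(CERTS["play_signing"], "sha1").replace(":", ""),
    ]

if __name__ == "__main__":
    for name, algo in missing_registrations(CERTS, constructed_console_list()):
        print(f"not registered: {name} {algo}")
```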

nohe427 commented 1 year ago

For more updates on falling back to recaptcha, please check our Firebase status page.

Current status: Mitigation work is underway for restoring Play Integrity as the client verification mechanism.

ridwan-aswan commented 1 year ago

> For more updates on falling back to recaptcha, please check our Firebase status page.
>
> Current status: Mitigation work is underway for restoring Play Integrity as the client verification mechanism.

Has there been an update for this issue?

luckyhandler commented 1 year ago

There's also a discussion about this topic going on here: https://github.com/firebase/flutterfire/discussions/10523

nohe427 commented 1 year ago

If reCaptcha is failing as a fallback (no sms message being sent)

Hey all, one last update for you. After doing some testing this morning, we discovered that if you have an API restriction on the Firebase generated keys in the Google Cloud Console, then since it falls back to reCaptcha in the browser, it does not pass the appropriate certificate fingerprints to the webview to run the reCaptcha flow but does pass the appropriate key. Since that key has an app restriction on it, but is being run from a different app (Chrome or browser vs your app), the app key is invalid since it's not aligning with the app signature that supplied it. Your API key restriction page should look something like this:

image

WARNING

If you are currently using this API key for things outside of Firebase (other paid Google services), you could run into a potential abuse of your API key. Please consider creating separate API keys as outlined in this documentation. This is also called out specifically in the documentation here.

nohe427 commented 1 year ago

> For more updates on falling back to recaptcha, please check our Firebase status page. Current status: Mitigation work is underway for restoring Play Integrity as the client verification mechanism.
>
> Has there been an update for this issue?

Please check out this information here : https://github.com/firebase/flutterfire/issues/10593#issuecomment-1520911877

If you have an API Key Restriction, you could be blocking reCaptcha from successfully running since it reuses the Android key to make the requests in a different application context (browser vs your app).

If you are still unable to get SMS messages after removing key restrictions due to reCaptcha failing, please let us know.

Manjunathjm commented 1 year ago

> our Firebase status page

@nohe427 We are also facing the same issue. We have tried all that you have suggested and we are still getting the reCaptcha screen during the OTP login flow.

belh-sara commented 1 year ago

@nohe427 After following your suggestion, I checked the key related to the reCaptcha bug and found that there were no restrictions applied to it.

nohe427 commented 1 year ago

@belh-sara & @Manjunathjm - Are you still getting the SMS messages with OTP?

Manjunathjm commented 1 year ago

@nohe427 Yes, the SMS arrives, but the reCaptcha screen is shown before the OTP is sent, which obviously is an unnecessary step in the flow. Also, the SMS signature now shows "<>.firebaseapp.com" (guess others have already highlighted this).

hyperitycorp-jkh commented 1 year ago

I've been watching every day, but I wonder when the problem will be resolved....

nohe427 commented 1 year ago

> @nohe427 Yes, the SMS arrives, but the reCaptcha screen is shown before the OTP is sent, which obviously is an unnecessary step in the flow. Also, the SMS signature now shows "<>.firebaseapp.com" (guess others have already highlighted this).

The reCaptcha screen will be shown until Play integrity is restored as the client verification method. This status message will have the latest updates on when Play Integrity is restored: https://status.firebase.google.com/incidents/UY1LTFan8X5oybhphzfV

belh-sara commented 1 year ago

@nohe427 Yes, I did receive the SMS successfully. However, as I mentioned earlier, it is still displaying ".firebaseapp.com" instead of the app name.

NaosFr commented 1 year ago

We have a huge drop rate of users who do not receive the sms! Any news about the fix?

nohe427 commented 1 year ago

> We have a huge drop rate of users who do not receive the sms! Any news about the fix?

If they are not getting SMS, please check this comment: https://github.com/firebase/flutterfire/issues/10593#issuecomment-1520911877

Could you also kindly report the version of firebase_auth and firebase_core that you are using?

nohe427 commented 1 year ago

> @nohe427 Yes, I did receive the SMS successfully. However, as I mentioned earlier, it is still displaying ".firebaseapp.com" instead of the app name.

@Manjunathjm & @belh-sara

Could you send me a screenshot of the SMS message received? It should have the project name in there in front of firebaseapp.com.

Feel free to DM me the screenshots on Twitter if you are uncomfortable posting here.