firebase / flutterfire

🔥 A collection of Firebase plugins for Flutter apps.
https://firebase.google.com/docs/flutter/setup
BSD 3-Clause "New" or "Revised" License

šŸ› [firebase_auth] No way to remove `email` and `name` scope when using Firebase Auth #11139

Open nilsreichardt opened 1 year ago

nilsreichardt commented 1 year ago

Bug report

Describe the bug

When using the Firebase Auth Apple Sign In, there is no way to remove the email and name scope for Firebase Auth. This is a problem because you can't follow GDPR Art. 5 (c):

adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

Steps to reproduce

Steps to reproduce the behavior:

  1. Set up Apple Sign In
  2. Try to sign in with Apple

I have tested it on Web.

Expected behavior

A clear and concise description of what you expected to happen.

Sample project

Future<UserId> signInWithApple() async {
  final appleProvider = AppleAuthProvider();

  late UserCredential userCredential;
  if (kIsWeb) {
    userCredential =
        await FirebaseAuth.instance.signInWithPopup(appleProvider);
  } else {
    userCredential =
        await FirebaseAuth.instance.signInWithProvider(appleProvider);
  }

  return userCredential.user!.uid;
}

Additional context

I would expect that

https://github.com/firebase/flutterfire/blob/70ab15390e5fd64be648de3500a9c34dde20f488/packages/firebase_auth/firebase_auth_platform_interface/lib/src/providers/apple_auth.dart#L59

would contain the two default scopes and that AppleAuthProvider has a method setScope or removeScope to remove the default scopes.

darshankawar commented 1 year ago

Thanks for the report @nilsreichardt. https://github.com/firebase/flutterfire/issues/9471 removed the default scopes on iOS for Apple sign-in. Is this issue to do the same but for web?

nilsreichardt commented 1 year ago

I haven't tested it on iOS, only on web.

darshankawar commented 1 year ago

I am wondering how different this issue is from the linked one above. Can you please elaborate?

google-oss-bot commented 1 year ago

Hey @nilsreichardt. We need more information to resolve this issue but there hasn't been an update in 7 weekdays. I'm marking the issue as stale and if there are no new updates in the next 7 days I will close it automatically.

If you have more information that will help us get to the bottom of this, just add a comment!

nilsreichardt commented 1 year ago

https://github.com/firebase/flutterfire/assets/24459435/afe4457f-01f5-42ca-9a6f-0af186782d1a

Source code: https://github.com/nilsreichardt/ankigpt/blob/53d3fce88d55744e7af99a39434ddbcaeb79f780/lib/src/infrastructure/user_repository.dart#L54

@darshankawar As you can see in the video, the scopes Email and Name are requested.

darshankawar commented 1 year ago

Thanks for the update.

/cc @Lyokone

alexda12 commented 4 months ago

@nilsreichardt @darshankawar Does this mean that Firebase Auth is NOT GDPR compliant?

Additionally, where is the data stored? With Firestore/Storage we get to choose the locations, but what about Firebase Auth?

Lastly, if Firebase Auth was used without social provider login (i.e. no Gmail, Apple sign-in, etc.) and just the standard email/password, would this then make Firebase Auth GDPR compliant?