firebase / flutterfire

🔥 A collection of Firebase plugins for Flutter apps.
https://firebase.google.com/docs/flutter/setup
BSD 3-Clause "New" or "Revised" License

[firebase_auth]: <Requests from this Android client application <empty> are blocked.> #12727

Closed MoaidAlrazhy closed 2 weeks ago

MoaidAlrazhy commented 2 weeks ago

Is there an existing issue for this?

Which plugins are affected?

Auth

Which platforms are affected?

Android

Description

We have developed Sign in with Apple on Android and confirmed that it is working properly.

But when we have restricted the API key to Android with a fingerprint and package name in the Google Cloud Console, it does not work, and we get the following error:

```json
{"error":{"code":403,"message":"Requests from this Android client application <empty> are blocked.","errors":[{"message":"Requests from this Android client application <empty> are blocked.","domain":"global","reason":"forbidden"}],"status":"PERMISSION_DENIED","details":[{"@type":"type.googleapis.com/google.rpc.ErrorInfo","reason":"API_KEY_ANDROID_APP_BLOCKED","domain":"googleapis.com","metadata":{"service":"identitytoolkit.googleapis.com","consumer":"projects/xxxxxxx"}}]}}
```

When we remove the restriction on the API key on Google Cloud Console, everything works properly.

Reproducing the issue

Create a demo app (https://github.com/firebase/FirebaseUI-Android), implement Sign in with Apple, and restrict the API key with a fingerprint and package name on Google Cloud Console. Then try to log in with Apple.

Firebase Core version

2.4.0

Flutter Version

3.19.5

Relevant Log Output

```text
W/System  (14503): Ignoring header X-Firebase-Locale because its value was null.
D/TrafficStats(14503): tagSocket(138) with statsTag=0xffffffff, statsUid=-1
D/TrafficStats(14503): tagSocket(136) with statsTag=0xffffffff, statsUid=-1
I/GenericIdpActivity(14503): Opening IDP Sign In link in a custom chrome tab.
```

Flutter dependencies


Additional context and comments

The text below is posted by Malcolm from the Firebase team; however, my issue is that I want to keep my restrictions enabled! What to do?

Hey there, Malcolm from Firebase here!

This is a known behavior, and is due to the fact that Apple Sign-In is based on a Web flow - it kicks you to a browser to do the sign-in and then takes you back. As a result, your API key is used in a web context, so restricting your API key to only work on Android breaks this feature.

As it presently stands, API key restrictions provide minimal benefit for Android - all it does is make it so that certain headers must show up on the request in order to be accepted. We're working on better ways to solve this issue right now, but I would suggest foregoing API key restrictions for now (since it does very little) if you need to use Apple Sign-In.

Thanks, ~Malcolm

Originally posted by @malcolmdeck in https://github.com/firebase/firebase-android-sdk/issues/1757#issuecomment-655777739
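A small triage helper, added here as an example (it is not part of this issue or of the FlutterFire project), that parses the Google API error envelope shown in the report and tells whether the request was rejected by an API key restriction rather than by Firebase Auth itself. The sample body is the one from this issue with the project id replaced by a placeholder; the helper additionally assumes, beyond what the report shows, that other key-restriction rejections share the `API_KEY_` reason prefix.

```python
import json
from typing import Any, Dict

# Constructed sample: the 403 body from the issue, consumer project id replaced
# by a placeholder (the original report redacts it as "projects/xxxxxxx").
SAMPLE_ERROR = (
    '{"error":{"code":403,"message":"Requests from this Android client application '
    '<empty> are blocked.","errors":[{"message":"Requests from this Android client '
    'application <empty> are blocked.","domain":"global","reason":"forbidden"}],'
    '"status":"PERMISSION_DENIED","details":[{"@type":"type.googleapis.com/google.rpc.ErrorInfo",'
    '"reason":"API_KEY_ANDROID_APP_BLOCKED","domain":"googleapis.com",'
    '"metadata":{"service":"identitytoolkit.googleapis.com","consumer":"projects/PLACEHOLDER_PROJECT"}}]}}'
)

ERROR_INFO_TYPE = "type.googleapis.com/google.rpc.ErrorInfo"


def classify_auth_error(body: str) -> Dict[str, Any]:
    """Parse a google.rpc error envelope and classify who rejected the request.

    Returns kind = "key_restriction" when the ErrorInfo reason points at the API
    key's restriction (the case in this issue), "other" for ordinary Auth errors,
    and "unparseable" when the body is not an error envelope at all.
    """
    try:
        err = json.loads(body)["error"]
    except (ValueError, KeyError, TypeError):
        return {"kind": "unparseable", "reason": None, "service": None, "hint": None}

    # ErrorInfo is the structured detail; the top-level "errors" list only
    # carries the generic "forbidden" reason and is not enough to triage.
    info = next((d for d in err.get("details", []) if d.get("@type") == ERROR_INFO_TYPE), {})
    meta = info.get("metadata", {})
    reason = info.get("reason")
    result = {"kind": "other", "code": err.get("code"), "status": err.get("status"),
              "reason": reason, "service": meta.get("service"),
              "consumer": meta.get("consumer"), "hint": None}

    if reason == "API_KEY_ANDROID_APP_BLOCKED":
        result["kind"] = "key_restriction"
        # "<empty>" means the request carried no Android app identity at all, which
        # is how a browser-based (custom tab) sign-in flow looks to the API.
        if "<empty>" in err.get("message", ""):
            result["hint"] = "no Android app identity on request (web flow?); Android restriction blocked it"
        else:
            result["hint"] = "Android app identity present but not on the key's allow-list"
    elif reason and reason.startswith("API_KEY_"):  # assumed prefix for sibling restriction reasons
        result["kind"] = "key_restriction"
        result["hint"] = "rejected by an API key restriction, not by Firebase Auth"
    return result
```

Running it over the captured 403 body flags the key restriction and the missing app identity, which is the signature to look for in logs before loosening a key.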

russellwheatley commented 2 weeks ago

Hi @MoaidAlrazhy - FlutterFire is downstream of the Firebase Android SDK. As this feedback illustrates, the solution is to loosen/forego the API restriction so that Sign in with Apple works on Android. There is nothing we can do about that on FlutterFire.

MoaidAlrazhy commented 2 weeks ago

Thanks @russellwheatley for your prompt reply.

But isn't it a security threat in that case? Because it's recommended to keep the key restricted to the needed platforms.

I believe adding a way where we can pass our web key as well to be used during the web view process instead of using the android key in the web context will solve the problem.