Closed MoaidAlrazhy closed 2 weeks ago
Hi @MoaidAlrazhy - FlutterFire is downstream of the Firebase Android SDK. As this feedback illustrates, the solution is to loosen/forego the API restriction so that sign in with Apple works on Android. There is nothing we can do about that on FlutterFire.
Thanks @russellwheatley for your prompt reply.
But isn't it a security threat in that case? Because it's recommended to keep the key restricted to the needed platforms.
I believe adding a way where we can pass our web key as well to be used during the web view process instead of using the android key in the web context will solve the problem.
Is there an existing issue for this?
Which plugins are affected?
Auth
Which platforms are affected?
Android
Description
We have developed Sign in with Apple on Android and confirmed that it is working properly.
But, when we have restricted the API key to Android with fingerprint and package name in the Google Cloud Console, it does not work with the following error:
{"error":{"code":403,"message":"Requests from this Android client application <empty> are blocked.","errors":[{"message":"Requests from this Android client application <empty> are blocked.","domain":"global","reason":"forbidden"}],"status":"PERMISSION_DENIED","details":[{"@type":"type.googleapis.com/google.rpc.ErrorInfo","reason":"API_KEY_ANDROID_APP_BLOCKED","domain":"googleapis.com","metadata":{"service":"identitytoolkit.googleapis.com","consumer":"projects/xxxxxxx"}}]}}
When we remove the restriction on the API key on Google Cloud Console, everything works properly.
Reproducing the issue
Create a demo app (https://github.com/firebase/FirebaseUI-Android), implement Sign in with Apple and restrict the API key with fingerprint and package name on Google Cloud Console. Then, try to log in with Apple.
Firebase Core version
2.4.0
Flutter Version
3.19.5
Relevant Log Output
Flutter dependencies
Additional context and comments
The text below was posted by Malcolm from the Firebase team; however, my issue is that I want to keep my restrictions enabled! What to do?
Hey there, Malcolm from Firebase here!
This is a known behavior, and is due to the fact that Apple Sign-In is based on a Web flow - it kicks you to a browser to do the sign-in and then takes you back. As a result, your API key is used in a web context, so restricting your API key to only work on Android breaks this feature.
As it presently stands, API key restrictions provide minimal benefit for Android - all it does is make it so that certain headers must show up on the request in order to be accepted. We're working on better ways to solve this issue right now, but I would suggest foregoing API key restrictions for now (since it does very little) if you need to use Apple Sign-In.
Thanks, ~Malcolm
Originally posted by @malcolmdeck in https://github.com/firebase/firebase-android-sdk/issues/1757#issuecomment-655777739
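A triage helper for the 403 body shown in this issue, added here as an example (it is not code from FlutterFire, the Firebase SDK or anyone in the thread). `diagnose` and its result keys are hypothetical names, and reading `<empty>` as "the request carried no Android app identity" is an assumption that fits the web-flow explanation quoted above.

```python
import json
import re

# Constructed sample: the 403 body quoted in the issue, project id left redacted.
_MSG = "Requests from this Android client application <empty> are blocked."
SAMPLE_BODY = json.dumps({"error": {
    "code": 403, "message": _MSG, "status": "PERMISSION_DENIED",
    "errors": [{"message": _MSG, "domain": "global", "reason": "forbidden"}],
    "details": [{
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "API_KEY_ANDROID_APP_BLOCKED",
        "domain": "googleapis.com",
        "metadata": {"service": "identitytoolkit.googleapis.com",
                     "consumer": "projects/xxxxxxx"},
    }],
}})

_CLIENT_RE = re.compile(r"Android client application (.*?) are blocked")


def diagnose(body: str) -> dict:
    """Classify an API error body as an Android API-key-restriction block or not."""
    try:
        err = json.loads(body)["error"]
    except (ValueError, KeyError, TypeError):
        err = None
    if not isinstance(err, dict):
        return {"key_restriction_block": False, "service": None,
                "client_app": None, "no_app_identity": False}

    # The machine-readable reason lives in the google.rpc.ErrorInfo detail.
    details = [d for d in err.get("details", []) if isinstance(d, dict)]
    info = next((d for d in details
                 if d.get("@type", "").endswith("google.rpc.ErrorInfo")), {})
    blocked = (err.get("code") == 403
               and info.get("reason") == "API_KEY_ANDROID_APP_BLOCKED")

    # The message names the calling app; "<empty>" is taken (assumption) to mean
    # the request arrived without an Android app identity, as in a web context.
    m = _CLIENT_RE.search(str(err.get("message", "")))
    client = m.group(1).strip() if m else None
    return {
        "key_restriction_block": blocked,
        "service": info.get("metadata", {}).get("service"),
        "client_app": client,
        "no_app_identity": blocked and client in ("<empty>", "", None),
    }
```
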