🐛 [firebase_auth] Auth with Google Sign In provider used to work but does not any more as of 06.11.2020

[wujek-srujek]

Bug report

Describe the bug

I have a Flutter app that I deployed on both iOS and Android. It uses Firebase Auth with Google Sign In as the sole provider and uses that information for Cloud Firestore.

The whole setup used to work in the last months without issues, but suddenly it stopped working yesterday for both iOS and Android, without any recent change in code, nor any changes in Firebase or Google Cloud Console for the project. (Anything related to auth has been set up using Google Cloud Console once a few months ago and I haven't visited the page since, so no possibility of accidental changes.)

I have tried updating to the latest version of Firebase dependencies, but the issue persists no matter which version of the app I run (I even went a few months back to a version that uses older dependency versions and Flutter).

Has anything changed recently, is there a need to change some configuration of some kind? It's very weird it decided to suddenly stop working.

---

Additional context

As mentioned, it all used to work, so all the configuration steps for both Android and iOS have been successfully executed previously (i.e Info.plist and GoogleService-Info.plist for iOS, and google-services.json are correctly configured). Here is the Dart code excerpt that I'm using (simplified, but reproduces the issue):

final googleSignIn = GoogleSignIn.standard();
final firebaseAuth = FirebaseAuth.instance;

try {
  final account = await googleSignIn.signIn();
  if (account == null) {
    return null;
  }

  final authentication = await account.authentication;
  final credential = GoogleAuthProvider.credential(
    accessToken: authentication.accessToken,
    idToken: authentication.idToken,
  );
  // Until this point, everything works.
  // The following line always throws.
  await firebaseAuth.signInWithCredential(credential);

  return account;
} on Exception catch (e) {
  await googleSignIn.signOut();
}

When I debug, I can see the following values (tokens shortened/anonymized):

authentication.accessToken is ya29.A0... authentication.idToken is eyJh...

Most importantly, after decoding the JWT idToken I can see:

"sub": "110936323635681989486"
"azp": "472855685654-tu36..."
"aud": "472855685654-tu36..."

When I issue a HTTP GET to https://www.googleapis.com/oauth2/v3/userinfo with Authorization: Bearer ya29.A0... (the accessToken), I get (among others):

{
  "sub": "110936323635681989486",
  "name": "Wujek Srujek",
  ...
}

In other words, I have been successfully signed in with Google, I got valid tokens and the data in idToken is consistent with what the userinfo endpoint returns for the accessToken.

In the app, this line fails:

await firebaseAuth.signInWithCredential(credential);

always throws FirebaseAuthException with

code: 'invalid-credential'
message: 'OAuth2 client id in access token audience is not found.'

I.e. somehow it says that it either can't find a client id in access token audience field (aud), or that the client id that it can extract from the token cannot be found in Firebase (at least I understand it like this, the error message is ambiguous).

I triple checked Auth configuration in Google Cloud Console and API keys, bundle id (iOS), signing key SHA (Android) are all correct. Here is a screenshot where you can see that client ids start with the same strings as the ones in idToken 'azp' and 'aud' fields.

---

Flutter doctor

Run flutter doctor and paste the output below:

Click To Expand

``` Doctor summary (to see all details, run flutter doctor -v): [✓] Flutter (Channel stable, 1.22.3, on Mac OS X 10.15.7 19H2, locale en-DE) [✓] Android toolchain - develop for Android devices (Android SDK version 29.0.3) [✓] Xcode - develop for iOS and macOS (Xcode 12.1) [!] Android Studio (version 4.1) ✗ Flutter plugin not installed; this adds Flutter specific functionality. ✗ Dart plugin not installed; this adds Dart specific functionality. [✓] VS Code (version 1.51.0) [✓] Connected device (1 available) ! Doctor found issues in 1 category. ```

You will very likely know this, but please note that I don't code in Android Studio so don't need the plugins there, and also the missing plugins play no role whatsoever.

---

Flutter dependencies

Run flutter pub deps -- --style=compact and paste the output below:

Click To Expand

``` Dart SDK 2.10.3 Flutter SDK 1.22.3 xxxxxx 1.0.0+1 dependencies: - blocs 0.0.0 [bloc equatable flutter google_sign_in meta pedantic rxdart repository model] - cloud_firestore 0.14.2 [flutter meta quiver firebase_core firebase_core_platform_interface cloud_firestore_platform_interface cloud_firestore_web] - firebase_crashlytics 0.2.2 [flutter stack_trace firebase_core firebase_core_platform_interface firebase_crashlytics_platform_interface] - flutter 0.0.0 [characters collection meta typed_data vector_math sky_engine] - flutter_bloc 6.0.6 [flutter bloc provider] - flutter_slidable 0.5.7 [flutter] - googleapis 0.56.1 [_discoveryapis_commons http] - http 0.12.2 [http_parser path pedantic] - meta 1.3.0-nullsafety.3 - model 0.0.0 [equatable meta] - repository 0.0.0 [cloud_firestore firebase_auth flutter google_sign_in googleapis http meta rxdart] dev dependencies: - effective_dart 1.3.0 - flutter_launcher_icons 0.8.1 [image args yaml path] - pedantic 1.9.2 [meta] transitive dependencies: - _discoveryapis_commons 0.2.0 [http] - archive 2.0.13 [crypto args path] - args 1.6.0 - bloc 6.1.0 [meta] - characters 1.1.0-nullsafety.3 - charcode 1.1.3 - cloud_firestore_platform_interface 2.1.3 [flutter meta collection firebase_core plugin_platform_interface] - cloud_firestore_web 0.2.0+5 [flutter flutter_web_plugins firebase http_parser meta firebase_core cloud_firestore_platform_interface js] - collection 1.15.0-nullsafety.3 - convert 2.1.1 [charcode typed_data] - crypto 2.1.5 [collection convert typed_data] - equatable 1.2.5 [collection meta] - firebase 7.3.2 [http http_parser js] - firebase_auth 0.18.2 [meta firebase_core firebase_core_platform_interface firebase_auth_platform_interface firebase_auth_web flutter] - firebase_auth_platform_interface 2.1.2 [flutter meta firebase_core plugin_platform_interface] - firebase_auth_web 0.3.1+2 [flutter flutter_web_plugins firebase meta http_parser intl firebase_core firebase_auth_platform_interface js] - firebase_core 0.5.1 [firebase_core_platform_interface flutter quiver meta firebase_core_web] - firebase_core_platform_interface 2.0.0 [flutter meta plugin_platform_interface quiver] - firebase_core_web 0.2.0 [firebase firebase_core_platform_interface flutter flutter_web_plugins meta js] - firebase_crashlytics_platform_interface 1.1.2 [flutter meta collection firebase_core plugin_platform_interface] - flutter_web_plugins 0.0.0 [flutter characters collection meta typed_data vector_math] - google_sign_in 4.5.6 [google_sign_in_platform_interface flutter meta google_sign_in_web] - google_sign_in_platform_interface 1.1.2 [flutter meta quiver] - google_sign_in_web 0.9.2 [google_sign_in_platform_interface flutter flutter_web_plugins meta js] - http_parser 3.1.4 [charcode collection source_span string_scanner typed_data] - image 2.1.18 [archive xml meta] - intl 0.16.1 [path] - js 0.6.2 - matcher 0.12.9 [stack_trace] - nested 0.0.4 [flutter] - path 1.7.0 - petitparser 3.1.0 [meta] - plugin_platform_interface 1.0.3 [meta] - provider 4.3.2+2 [flutter nested collection] - quiver 2.1.5 [matcher meta] - rxdart 0.24.1 - sky_engine 0.0.99 - source_span 1.7.0 [charcode collection meta path term_glyph] - stack_trace 1.9.6 [path] - string_scanner 1.0.5 [charcode meta source_span] - term_glyph 1.1.0 - typed_data 1.3.0-nullsafety.3 [collection] - vector_math 2.1.0-nullsafety.3 - xml 4.5.1 [collection convert meta petitparser] - yaml 2.2.1 [charcode collection string_scanner source_span] ```

Please note that blocs, model and repository are internal packages in the same repository.

---

[szysz3]

The same on my side. Google auth used to work till yesterday. No code changes. I get:

PlatformException(ERROR_INVALID_CREDENTIAL, The supplied auth credential is malformed or has expired. [ OAuth2 client id in access token audience is not found. ], null, null)

[wujek-srujek]

Not sure if this is relevant, but both myself and @szysz3, who is also experiencing the issue, come from the same European country so we very likely use the same regions etc. (I'm using eur3 (europe-west) as default GCP location).

[outoforder20]

I am not using this lib but 3 of my firebase projects with "google sign in" and have the exact problem

check your OAuth consent screen -edit app -> i added support email and all "Your non-sensitive scopes" https://console.developers.google.com/apis/credentials/consent

@wujek-srujek (I'm using eur3 (europe-west) as default GCP location). 3 days passed no clue - what is happening

I will try this now : https://github.com/firebase/quickstart-js/blob/master/auth/google-credentials.html

[wujek-srujek]

I have just created a new Flutter app with a new bundle id/package, with a new Firebase project, and a new Google Cloud project, configured everything, used the code above as is and it works. I am now looking through all the configuration, and it is the same. I'm at a loss.

The only thing is the consent screen configuration: in my new app the status is 'Verification not required', but in the older one it is ' Verification in progress'. It has been like that for ever, the reason was that a long time ago I set the app logo (which is still set), and suddenly verification was necessary, and I haven't touched it ever since. Could this be the reason? And what is taking Google so long? It is kind of silly anyway that adding a logo requires verification...

[outoforder20]

You can sign in 100 times without consent screen verification @wujek-srujek

I removed google sign in and tried: https://github.com/firebase/quickstart-js/blob/master/auth/email-password.html works normally.

Problem is between google sign in and firebase auth

This also works fine in new project : https://github.com/firebase/quickstart-js/blob/master/auth/google-credentials.html

[wujek-srujek]

What do you mean 100 times without consent screen verification? Per day or in total? Is it something that is Firebase Auth specific or Google provider specific? Would you have a link?

The problem is, the verification started many months ago and I completely forgot about it until now, but it still says it's waiting. How long does Google need? It says 4-6 weeks there but it has definitely been way longer for my app.

[outoforder20]

@wujek-srujek https://support.google.com/cloud/answer/7454865?hl=en

I tried https://github.com/firebase/quickstart-js/blob/master/auth/google-popup.html and https://github.com/firebase/quickstart-js/blob/master/auth/google-redirect.html

Error 401: deleted_client The OAuth client was deleted.

Current and new client id did not work with popup and redirect.

Github login also worked..

I need oauth2 login because my app is in google home

[wujek-srujek]

It says it's not 100 times, but rather 100 users in total (i.e. I can log in with the same user 200 times, that's how I understand). There is no way I've exceeded this limit.

Anyway, the verification process is a bit concerning. My app has a custom logo and uses the 'drive.file' scope, which is 'sensitive', but it apparently takes ages for Google to verify it. How can I use and publicize my app if it takes so long?

@szysz3 Are you using any scopes or custom icon? What does your consent screen page say about the status?

[szysz3]

@wujek-srujek yes, custom logo but no scopes. Mine is still in verification as well and it might be the case.

I'll keep you informed once I know more. For now I'm playing a ping pong game with 'The Google Cloud Trust & Safety Team' (and had to bypass google sign in).

[wujek-srujek]

@szysz3 My issue is I have never got any email from them, and it's been so long that I forgot about the consent screen altogether. How long ago did you start the process?

[bartekpacia]

I have the same problem. Everything was working fine and now, all of a sudden, nobody can use my app (sign in with Google is my only auth method). This is ridiculous! As soon as somebody finds any solution, please let us know🙏

[wujek-srujek]

For the time being I have disabled the line

await firebaseAuth.signInWithCredential(credential);

as I actually don't need the Firebase user abstraction in my app. Instead, I sign in anonymously and have updated my security rules for Firestore accordingly (I didn't want to expose it with no auth whatsoever, anonymous is better than nothing, I guess) and it is a temporary fix for my app. I need to roll this out to all of my users, a less than optimal situation.

I still log in using Google Sign In as I need its authentication for Google Drive, and it all works, which to me is a proof the consent screen has nothing to do with this issue, and it is something with Firebase.

[outoforder20]

4 days after my apps are working normally without changing code.

Do you have problem now?

[wujek-srujek]

@outoforder20 I'm still having the same issue.

[nilsreichardt]

Same issue. Nothing changed. Since yesterday Google Sign In is not working anymore for all our platforms (Android, iOS, Web & macOS). I checked the Keys in GCP and they are right.

We are using Flutter & Firebase. Flutter packages: google_sign_in & firebase_auth

[wujek-srujek]

@AndroidNils Please note that at least in my case, Google Sign In is working fine, I get fully functional tokens. It's the FirebaseAuth.signInWithCredential call that fails.

[nilsreichardt]

@wujek-srujek Yes, I know. We have the same issue. I mentioned that we are using google_sign_in, because other providers like Apple Sign In with FirebaseAuth.signInWithCredential are working fine.

[nilsreichardt]

Seems to be an Firebase issue. So I created a P1 issue ticket to the Google Cloud Platform support. Finally I can take advantage of the Gold Level Support we bought 😅 I will keep you up to date!

[nilsreichardt]

The GCP support was very confused about this issue, but after a couple of hours they fixed it ❤️ I can also confirm the fix. Google Sign In is now working again 😁

So I think we can close this ticket.

[wujek-srujek]

I've just tested it and it does indeed work again. @AndroidNils, a knight in a shining armour.

[markusaksli-nc]

Based on the last few comments closing this as fixed.

Thanks for elevating this @AndroidNils!

[rajnis09]

This issue still persists. Google Sign In is still not working in my application which used to work before. I haven't changed any code.

Below is the code which I am using for Google Sign In:

import 'dart:async';

import 'package:flutter/services.dart';
import 'package:google_sign_in/google_sign_in.dart';
import 'package:firebase_auth/firebase_auth.dart' as firebase_auth;

import './user_profile.dart';

class Auth {
  final firebase_auth.FirebaseAuth _auth = firebase_auth.FirebaseAuth.instance;
  final GoogleSignIn _googleSignIn = GoogleSignIn();
  firebase_auth.User _user;

  Future<int> signInWithGoogle() async {
    int res = 0;
    print("Checkpoint 1");
    print(_auth);
    print(_googleSignIn);
    print("Checkpoint 2");
    try {
      print("Checkpoint 3");
      final GoogleSignInAccount googleSignInAccount =
          await _googleSignIn.signIn();
      final GoogleSignInAuthentication googleSignInAuthentication =
          await googleSignInAccount.authentication;
      print(googleSignInAccount);
      print(googleSignInAuthentication);
      print("Checkpoint 4");
      final firebase_auth.AuthCredential credential =
          firebase_auth.GoogleAuthProvider.credential(
        accessToken: googleSignInAuthentication.accessToken,
        idToken: googleSignInAuthentication.idToken,
      );
      firebase_auth.UserCredential authResult =
          await _auth.signInWithCredential(credential);

      if (authResult.additionalUserInfo.isNewUser) {
        res = 1;
      }
      print("Checkpoint 5");
      _user = authResult.user;
      userProfile.setUser(
          userName: _user.displayName,
          email: _user.email,
          photoURL: _user.photoURL ?? null,
          lastSignInTime: _user.metadata.lastSignInTime ?? null);
    } on firebase_auth.FirebaseAuthException catch (e) {
      switch (e.code) {
        case 'invalid-credential':
          res = 2;
          break;
        case 'user-disabled':
          res = 3;
          break;
        default:
          res = 4;
          break;
      }
    } on Exception catch (e) {
      print(e);
      // print(e.code);
      // print(e.message);
      res = 4;
    }
    print("Checkpoint 6: $res");
    return res;
  }

  firebase_auth.User getCurrentUser() {
    try {
      _user = _auth.currentUser;
      if (_user != null) {
        userProfile.setUser(
            userName: _user.displayName,
            email: _user.email,
            photoURL: _user.photoURL ?? null,
            lastSignInTime: _user.metadata.lastSignInTime ?? null);
      }
    } catch (e) {
      _user = null;
      print('authHandler: error in currentUser $e');
    }
    return _user;
  }

  Future<void> userReload() async {
    try {
      _user = _auth.currentUser;
      if (_user != null) {
        await _user.reload();
        _user = _auth.currentUser;
      }
    } catch (e) {
      print("authHandler: Error in userReload $e");
      _user = null;
    }
  }

  void signOut() async {
    await _googleSignIn?.signOut();
    await _auth?.signOut();
  }
}

final Auth authHandler = Auth();

Below is the output I am getting on the debug console:

Launching lib\main.dart on CPH1859 in debug mode... lib\main.dart Parameter format not correct - √ Built build\app\outputs\flutter-apk\app-debug.apk. Connecting to VM Service at ws://127.0.0.1:54296/X0vPunMsn1U=/ws I/flutter (23240): Checkpoint 1 I/flutter (23240): FirebaseAuth(app: [DEFAULT]) I/flutter (23240): Instance of 'GoogleSignIn' I/flutter (23240): Checkpoint 2 I/flutter (23240): Checkpoint 3 W/ActivityThread(23240): handleWindowVisibility: no activity for token android.os.BinderProxy@107e73d V/PhoneWindow(23240): DecorView setVisiblity: visibility = 4, Parent = null, this = DecorView@5b7a3a9[] D/WindowClient(23240): Add to mViews: DecorView@5b7a3a9[SignInHubActivity], this = android.view.WindowManagerGlobal@b16677a D/ViewRootImpl[SignInHubActivity](23240): hardware acceleration = true , fakeHwAccelerated = false, sRendererDisabled = false, forceHwAccelerated = false, sSystemRendererDisabled = false I/InputTransport(23240): Create ARC handle: 0x761f593400 V/PhoneWindow(23240): DecorView setVisiblity: visibility = 0, Parent = android.view.ViewRootImpl@5bdd165, this = DecorView@5b7a3a9[SignInHubActivity] D/Surface (23240): Surface::allocateBuffers(this=0x7603a8c000) D/Surface (23240): Surface::connect(this=0x7603a8c000,api=1) D/mali_winsys(23240): EGLint new_window_surface(egl_winsys_display *, void *, EGLSurface, EGLConfig, egl_winsys_surface **, EGLBoolean) returns 0x3000 V/PhoneWindow(23240): DecorView setVisiblity: visibility = 0, Parent = android.view.ViewRootImpl@5bdd165, this = DecorView@5b7a3a9[SignInHubActivity] V/PhoneWindow(23240): DecorView setVisiblity: visibility = 0, Parent = android.view.ViewRootImpl@e6d6b2b, this = DecorView@7577a5[MainActivity] V/PhoneWindow(23240): DecorView setVisiblity: visibility = 4, Parent = android.view.ViewRootImpl@5bdd165, this = DecorView@5b7a3a9[SignInHubActivity] D/Surface (23240): Surface::disconnect(this=0x7603a8c000,api=1) D/View (23240): [Warning] assignParent to null: this = DecorView@5b7a3a9[SignInHubActivity] I/InputTransport(23240): Destroy ARC handle: 0x761f593400 I/Choreographer(23240): Skipped 3 frames! The application may be doing too much work on its main thread. D/Surface (23240): Surface::disconnect(this=0x761f52f000,api=1) D/Surface (23240): Surface::disconnect(this=0x761f52f000,api=-1) D/Surface (23240): Surface::disconnect(this=0x761f52e000,api=1) V/PhoneWindow(23240): DecorView setVisiblity: visibility = 4, Parent = android.view.ViewRootImpl@e6d6b2b, this = DecorView@7577a5[MainActivity] V/PhoneWindow(23240): DecorView setVisiblity: visibility = 0, Parent = android.view.ViewRootImpl@e6d6b2b, this = DecorView@7577a5[MainActivity] I/Choreographer(23240): Skipped 1 frames! The application may be doing too much work on its main thread. D/Surface (23240): Surface::connect(this=0x761f52e000,api=1) D/mali_winsys(23240): EGLint new_window_surface(egl_winsys_display *, void *, EGLSurface, EGLConfig, egl_winsys_surface **, EGLBoolean) returns 0x3000 D/Surface (23240): Surface::connect(this=0x7603a37000,api=1) D/mali_winsys(23240): EGLint new_window_surface(egl_winsys_display *, void *, EGLSurface, EGLConfig, egl_winsys_surface **, EGLBoolean) returns 0x3000 I/Choreographer(23240): Skipped 5 frames! The application may be doing too much work on its main thread.

The app is not crashing and not reaching checkpoint 4 (used for debugging purpose). It displays pop- up for all the google account for sign in and after selecting one of them, it just does nothing and doesn't even lag or hang at the moment,

[√] Flutter (Channel stable, 1.22.3, on Microsoft Windows [Version 10.0.18363.1139], locale en-US)
    • Flutter version 1.22.3 at C:\flutter
    • Framework revision 8874f21e79 (2 weeks ago), 2020-10-29 14:14:35 -0700
    • Engine revision a1440ca392
    • Dart version 2.10.3

[√] Android toolchain - develop for Android devices (Android SDK version 29.0.3)
    • Android SDK at C:\Users\Atomix\AppData\Local\Android\sdk
    • Platform android-30, build-tools 29.0.3
    • Java binary at: C:\Program Files\Android\Android Studio\jre\bin\java
    • Java version OpenJDK Runtime Environment (build 1.8.0_212-release-1586-b04)
    • All Android licenses accepted.

[√] Android Studio (version 3.6)
    • Android Studio at C:\Program Files\Android\Android Studio
    • Flutter plugin version 45.1.1
    • Dart plugin version 192.7761
    • Java version OpenJDK Runtime Environment (build 1.8.0_212-release-1586-b04)

[√] VS Code (version 1.51.0)
    • VS Code at C:\Users\Atomix\AppData\Local\Programs\Microsoft VS Code
    • Flutter extension version 3.16.0

[√] Connected device (1 available)
    • CPH1859 (mobile) • IN8PVWSGQO6TT8TS • android-arm64 • Android 9 (API 28)

• No issues found! ```

Can someone look into it?

[wujek-srujek]

This seems like an unrelated issue, I have just checked and I can log in in my app.

[nilsreichardt]

I agree with @wujek-srujek. This seems to be an unrelated issue. In our app everything works.

[rajnis09]

@wujek-srujek @AndroidNils maybe you are able to log in to your app but I am not able to do. I haven't changed a single line of code, it was working nice. I searched about this issue and got this on Github so I asked.

Still, if it seems unrelated then can you help me to know what kind of issue it is?

[bartekpacia]

Sign-in/Log-in/Log-out work fine in my apps. I know how it feels @rajnis09 when stuff just breaks randomly, good luck.

[rajnis09]

well thanks, @bartekpacia for your feedback.