I am sorry i have much trouble understanding Firebase Dynamic links.
My use case is : a user wants to reset his password from the mobile app (or send an email verification).
The request is made using Firebase Authentication with a custom handler (with custom domain : https://example.com/auth)
The ActionCodeSettings looks like :
final ActionCodeSettings codeSettings = ActionCodeSettings(
url: 'https://links.example.com/auth?email=$email',
iOSBundleId: Constants.iosBundleID,
androidPackageName: Constants.androidBundleID,
androidInstallApp: true,
dynamicLinkDomain: "links.example.com",
);
The user clicks on the link he received by email and gets redirected to the website (hosted by Firebase Hosting under : example.com)
When the user has finished resetting his password, i would expect to redirect him by "launching" the continueUrl that should take him back to the mobile app. continueUrl : 'https://links.example.com/auth?email=$email'
However this doesn't work so i am guessing that i am doing something wrong somewhere.
In my iOS config, i have added the Associated Domains as : applinks:links.example.com.
In the Info.plist file i have added :
<key>FirebaseDynamicLinksCustomDomains</key>
<array>
<string>https://links.example.com/auth</string>
</array>
(and have also tried with : <string>https://links.example.com</string>)
In my Android config I have added this to my AndroidManifest.xml :
<intent-filter>
<action android:name="android.intent.action.VIEW"/>
<category android:name="android.intent.category.DEFAULT"/>
<category android:name="android.intent.category.BROWSABLE"/>
<data android:host="links.example.com" android:scheme="https"/>
</intent-filter>
Fun fact, on Android after the above steps are completed (on website from the smartphone), if i launch the continueUrl it prompts the user whether to redirect back to the app or stay on the browser to open the URL.
I have of course created a sub-domain : links.example.com in the Firebase Dynamic links console as an URL prefix.
Here are my questions :
Is the continueUrl supposed to redirect back to the app ?
In the ActionCodeSettings continueUrl described above is correct? I see in the documentation always using example.com as the continueUrl, but it would be in conflict with the custom domain used for hosting right ? So i have put links.example.com as the continueUrl and the custom Firebase auth handler is example.com/auth to indeed redirect to the correct web page in my website.
What is the Hosting firebase.json configuration for such case ?
The final link looks like this :
https://example.com/auth?mode=resetPassword&oobCode=T0qn8aj_p7TJBWyE5eUh7_7ZwIqwtJ7Q-i8LDf4QrIsAAAF_u6Bi6Q&apiKey=AIzaSyAzPqhZFKAyfQDeN4DGGjI9VCTEBe_mLc4&continueUrl=https%3A%2F%2Flinks.example.com%3Flink%3Dhttps%3A%2F%2Flinks.example.com%2Fauth%3Femail%253Dtestmail12%40gmail.com%26apn%3Dcom.example.android%26amv%26ibi%3Dcom.example.ios%26ifl%3Dhttps%3A%2F%2Flinks.example.com%2Fauth%3Femail%253Dtestmail12%40gmail.com&lang=fr
Do you see anything wrong or missing ? Something that would prevent the mobile app redirection after the operation completes ?
What should I do with the continueUrl param to gets redirected to the app ? Is it automatically done after some event or should the developer writes code to "push" a new web page containing this link and it will see automatically that's not a link to handle in a web page, thus redirect to the mobile app ?
Thanks a lot in advance for any explanations on how this works !
I have finally understood how this works :
The continueUrl must be the one used to handle back in the mobile app so if you use :
url: 'https://links.example.com/auth?email=$email',
This means you have to create a dynamic link prefix URL : https://links.example.com/auth in the firebase console.
You must also add it to your iOS Info.plist file as stated in the question.
Also, when you use a custom domain you need to make sure as stated in the documentation that the URL prefix and the domain are different such as :
https://link.example.com/?link=https://example.com/my-resource
And not :
https://example.com/?link=https://example.com/my-resource
This means that by using https://links.example.com/auth as URL prefix, you need to use another domain to deal with the link.
In my case, i have built the url this way :
https://links.example.com/?link=https://redirect.example.com/auth
And added https://redirect.example.com/auth as URL prefix.
This prevent both conflicts between example.com at the hosting level and links.example.com from having both link domain name AND Url prefix identical.
Also, don't forget to add new dynamic links domain as whitelisted domains in the Firebase Authentication Sign-In methods in Firebase console or you will get a domain-denied error.
Hope this will help others to understand better how this works.
Related
Here is my Firebase Dynamic Links page:
On running this command: npx uri-scheme open "https://app.page.link" --android - notice there is no query params in the link, a web page is opened on Android as expected, but with the following content:
It is working find when I add /c8Ci or /bbb at the end, but it throws me the error above when the link is clear (without any query params)
To be short:
Android:
https://app.page.link/bbb - success (app launched)
https://app.page.link/c8Ci - success (app launched)
https://app.page.link - fail
iOS
https://app.page.link/bbb - success (app launched)
https://app.page.link/c8Ci - success (app launched)
https://app.page.link - success (app launched)
Can you please help me to figure out what's wrong with my Dynamic Linking.
Thank you mates in advance!
It is an expected behavior when you try to open the "https://app.page.link" directly, as its purpose is solely for Dynamic Links domain only. Note that Firebase provides a default 'page.link' subdomain for your Dynamic Links for free, this is because you can't use the same domain for both Dynamic Links and regular hosting. The domain is not configured to behave as a regular Hosting domain.
This is why configuring a short link URL allows you to redirect your users to you app. And visiting the domain directly returns an invalid page.
As for iOS, I can only assume it was cached that’s why it worked.
I guess it is best reaching out directly to Firebase support regarding this as there could be any other underlying reasons that could cause this.
I am implementing discord oauth2 in nextjs and I am having a problem when I deploy to amplify, it works fine in my localhost but it fails in production, my implementation looks like this in the profile page for someone to link their discord account
<a className="text-indigo-800" href={`https://discord.com/api/oauth2/authorize?client_id=${NEXT_PUBLIC_DISCORD_API_ID}&redirect_uri=${NEXT_PUBLIC_DISCORD_REDIRECT_URI}&response_type=code&scope=identify`}>
{" "}{userData.discordUsername || 'Link account'}
</a>
this creates a link that someone can click and they are taken to discord to authenticate, till there everything seem ok, the problem comes now when discord redirects to /api/verify-acount
which looks like this
const discordLink = async (req: NextApiRequest, res: NextApiResponse) => {
console.log("query", req.query);
}
as you can see I ended up knowing the error was here coz I logged req.query which return an object in localhost with the code for user query { code: 'somecode' } but in amplify after going to couldwatch to see the logs then the object is empty
this ends up messing up everything from there as the code is not available to verify and get user details to store in the database.
what I don't know is exactly what caused this error.
I hope someone has idea and will be willing to help thanks
the issue was actually weird and I still don't understand why it had to happen
but my redirect domain was https://subdomain.domain.zyx which amplify accepts and redirects requests to https://www.subdomain.domain.zyx which is the accepted link in the browser (users will always see this even if they enter the first URL) coz of the explained scenario (no www prefix for one of them)
so I was requesting to link discord from https://www.subdomain.domain.zyx and discord would redirect to https://subdomain.domain.zyx and AWS would redirect to https://www.subdomain.domain.zyx so what I still don't understand is where the query params got lost in these steps but after changing redirect URL in discord to https://www.subdomain.domain.zyx then everything works fine now
Manifest version 3 for Chrome extensions have been killing me lately. Been able to navigate around it so far, but this one has really stumped me. I'm trying to use Firebase authentication for a Chrome extension, specifically with 3rd party auth providers such as Google and Facebook. I've setup the Firebase configuration for Login with Google and created a login section in the options page of the Chrome extension and setup the Firebase SDK.
Now, there are two login options when using an auth provider, signInWithRedirect and signInWithPopup. I've tried both of these and both have failed for different reasons. signInWithRedirect seems like a complete dead end as it redirects to the auth provider, and when it attempts to redirect back to the chrome-extension://.../options.html page, it just redirects to "about:blank#blocked" instead.
When attempting to use signInWithPopup, I instead get
Refused to load the script 'https://apis.google.com/js/api.js?onload=__iframefcb776751' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
In v2, you could simply add https://apis.google.com to the content_security_policy in the manifest. But in v3, the docs say
"In addition, MV3 disallows certain CSP modifications for extension_pages that were permitted in MV2. The script-src, object-src, and worker-src directives may only have the following values:"
self
none
Any localhost source, (http://localhost, http://127.0.0.1, or any port on those domains)
So is there seriously no way for a Google Chrome extension to authenticate with a Google auth provider through Google's Firebase? The only workaround I can think of is to create some hosted site that does the authentication, have the Chrome extension inject a content script, and have the hosted site pass the auth details back to the Chrome extension through an event or something. Seems like a huge hack though and possibly subject to security flaws. Anyone else have ideas??
Although it was mentioned in the comments that this works with the Google auth provider using chrome.identity sadly there was no code example so I had to figure out myself how to do it.
Here is how I did it following this tutorial:
(It also mentions a solution for non-Google auth providers that I didn't try)
Identity Permission
First you need permission to use the chrome identity API. You get it by adding this to your manifest.json:
{
...
"permissions": [
"identity"
],
...
}
Consistent Application ID
You need your application ID consistent during development to use the OAuth process. To accomplish that, you need to copy the key in an installed version of your manifest.json.
To get a suitable key value, first install your extension from a .crx file (you may need to upload your extension or package it manually). Then, in your user data directory (on macOS it is ~/Library/Application\ Support/Google/Chrome), look in the file Default/Extensions/EXTENSION_ID/EXTENSION_VERSION/manifest.json. You will see the key value filled in there.
{
...
"key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAgFbIrnF3oWbqomZh8CHzkTE9MxD/4tVmCTJ3JYSzYhtVnX7tVAbXZRRPuYLavIFaS15tojlRNRhfOdvyTXew+RaSJjOIzdo30byBU3C4mJAtRtSjb+U9fAsJxStVpXvdQrYNNFCCx/85T6oJX3qDsYexFCs/9doGqzhCc5RvN+W4jbQlfz7n+TiT8TtPBKrQWGLYjbEdNpPnvnorJBMys/yob82cglpqbWI36sTSGwQxjgQbp3b4mnQ2R0gzOcY41cMOw8JqSl6aXdYfHBTLxCy+gz9RCQYNUhDewxE1DeoEgAh21956oKJ8Sn7FacyMyNcnWvNhlMzPtr/0RUK7nQIDAQAB",
...
}
Copy this line to your source manifest.json.
Register your Extension with Google Cloud APIs
You need to register your app in the Google APIs Console to get the client ID:
Search for the API you what to use and make sure it is activated in your project. In my case Cloud Firestore API.
Go to the API Access navigation menu item and click on the Create an OAuth 2.0 client ID... blue button.
Select Chrome Application and enter your application ID (same ID displayed in the extensions management page).
Put this client ID in your manifest.json. You only need the userinfo.email scope.
{
...
"oauth2": {
"client_id": "171239695530-3mbapmkhai2m0qjb2jgjp097c7jmmhc3.apps.googleusercontent.com",
"scopes": [
"https://www.googleapis.com/auth/userinfo.email"
]
}
...
}
Get and Use the Google Auth Token
chrome.identity.getAuthToken({ 'interactive': true }, function(token) {
// console.log("token: " + token);
let credential = firebase.auth.GoogleAuthProvider.credential(null, token);
firebase.auth().signInWithCredential(credential)
.then((result) => {
// console.log("Login successful!");
DoWhatYouWantWithTheUserObject(result.user);
})
.catch((error) => {
console.error(error);
});
});
Have fun with your Firebase Service...
I am using Auth0 NextJs SDK for authentication in my NextJS App. I am following this tutorial https://auth0.com/blog/introducing-the-auth0-next-js-sdk/. In my local machine, everything works fine.
The configuration for Auth0 in my local server:
AUTH0_SECRET=XXXXX
AUTH0_BASE_URL=http://localhost:3000
AUTH0_ISSUER_BASE_URL=https://myappfakename.us.auth0.com
AUTH0_CLIENT_ID=XXXX
AUTH0_CLIENT_SECRET=XXXX
In the Auth0 Dashboard, I added the following URLs :
Allowed Callback URLs: http://localhost:3000/api/auth/callback
Allowed Logout URLs: http://localhost:3000/
My local app works locally fine.
I uploaded the app on Vercel. And changed the
AUTH0_BASE_URL=https://mysitefakename.vercel.app/
In Auth0 Dashboard, updated the following information:
Allowed Callback URLs: https://mysitefakename.vercel.app/api/auth/callback
Allowed Logout URLs: https://mysitefakename.vercel.app
I am getting the following error:
Oops!, something went wrong
Callback URL mismatch.
The provided redirect_uri is not in the list of allowed callback URLs.
Please go to the Application Settings page and make sure you are sending a valid callback url from your application
What changes I should make it works from Vercel as well?
You can try to check if vercel isn't changing the url when redirecting to auth0. Your configurations seems good to me. The error is very explicit though. I think a good option should be to verify that the redirect (if handled by vercel) is doing with the same url as auth0 expects.
And don't forget to add the url you're currently on when performing the callback. Are you in https://mysitefakename.vercel.app/api/auth/callback when the callback is executed? (call auth0).
you have to change your base url in the env.local file
AUTH0_BASE_URL=https://mysitefakename.vercel.app/
you can also make two more env files namely env.development and env.production and set different base urls for different cases so that the correct base url is automatically loaded depending on how ur web app is running.
You need to add handleLogin under api/auth/[...auth0].js and that will solve it:
import { handleAuth, handleLogin } from '#auth0/nextjs-auth0';
export default handleAuth({
async login(request, response) {
await handleLogin(request, response, {
returnTo: '/profile',
});
},
});
Don't forget to also add allowed callback url in [Auth0 Dashboard]: https://manage.auth0.com/dashboard for your hosted app for both local and hosted instance:
http://localhost:3000/api/auth/callback, https://*.vercel.app/api/auth/callback
I got single sign in working but I don't know how to configure single sign out.
Here is what I've tried so far (without any success):
[My Service provider] -> Inbound Authentication Configuration -> [my issuer] -> Enable Single Logout is Checked (custom URL is not given)
What I try is to simply redirect the browser to the URL where login is configured with the following parameter:
https://localhost:9443/passivests?wa=wsignout1.0
So the login works perfectly with this URL: https://localhost:9443/passivests
As I understand there is nothing else I should do but WSO2IS does not remove the cookie and when I try with my other webapp it logs me in as if nothing happened.
I omitted wreply (as it is optional) so I expect that the browser is not redirected back to my application or login screen. This is the reason I try it with a different application. Also the other app is opened FIRST after logout and it still gets the claims. (I always test with a new incognito mode chrome window to avoid false negatives because of leftover cookies)
So is there anything else I should do or is it perhaps a known bug?
This is a known bug. I can't find the particular class right now but the logout function called when using WS-Fed is an auto-generated //TODO stub.
https://svn.wso2.org/repos/wso2/carbon/platform/branches/turing/components/identity/org.wso2.carbon.identity.sts.passive/4.2.0/src/main/java/org/wso2/carbon/identity/sts/passive/processors/SignoutRequestProcessor.java