Firebase Authentication unable to enable Google auth method - "Error updating Google" - firebase

I am trying to enable the Firebase authentication with the Google Auth sign-in method, but enabling it and clicking "save" shows the error "Error updating Google".
In the Google Cloud Console activity logs, it shows:
Failed:google.internal.firebase.v1.FirebaseInternalProductService.EnableGoogleSignIn
With the error message "Not found (HTTP 404): Operation failed with error code NOT_FOUND."
However, when I tried this in a new Google Cloud project, it worked perfectly. I have tried removing and recreating the Firebase Admin SDK, removing and creating a new app, and removing the OAuth credentials.
I cannot seem to find any solution to this problem other than creating a new project, but I would prefer to keep my existing project ID.
Alternatively, if there is any way to reset my GCP project or remake it with the same ID, that would also be fine.

This issue is caused by deleting the OAuth client autogenerated by Firebase by default.
To solve it, you need to first create a new OAuth 2 client ID, and set the necessary redirect URIs for your Firebase app (they should default to something like https://{PROJECT_ID}.web.app/__/auth/handler).
Then, call this API - the request should look something like this, using the client ID and client secret from the credentials generated above:
PATCH https://identitytoolkit.googleapis.com/admin/v2/projects/{PROJECT_ID}/defaultSupportedIdpConfigs/google.com
{
"name": "projects/{PROJECT_ID}/defaultSupportedIdpConfigs/google.com",
"enabled": true,
"clientId": "{YOUR_CLIENT_ID}",
"clientSecret": "{YOUR_CLIENT_SECRET}"
}
After making this API call, the Google authentication provider should be enabled.

Before to begin, you must have created a new oaut-credentian gcp console, because is tha main problem here.
You nee create a new oauth provider, you can use the next link to authenticate a try the request using data like next:
Parent: projects/**put here your project number**
idpId (identity provider): google.com
Request Body
{
"name": "projects/**put here your project number**/defaultSupportedIdpConfigs/google.com",
"enabled": true,
"clientId": "**put here your client id**",
"clientSecret": "**put here your client secret**"
}

Related

Firebase 3rd-party AuthProvider (Google/Facebook/etc) login with chrome extension manifest v3

Manifest version 3 for Chrome extensions have been killing me lately. Been able to navigate around it so far, but this one has really stumped me. I'm trying to use Firebase authentication for a Chrome extension, specifically with 3rd party auth providers such as Google and Facebook. I've setup the Firebase configuration for Login with Google and created a login section in the options page of the Chrome extension and setup the Firebase SDK.
Now, there are two login options when using an auth provider, signInWithRedirect and signInWithPopup. I've tried both of these and both have failed for different reasons. signInWithRedirect seems like a complete dead end as it redirects to the auth provider, and when it attempts to redirect back to the chrome-extension://.../options.html page, it just redirects to "about:blank#blocked" instead.
When attempting to use signInWithPopup, I instead get
Refused to load the script 'https://apis.google.com/js/api.js?onload=__iframefcb776751' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
In v2, you could simply add https://apis.google.com to the content_security_policy in the manifest. But in v3, the docs say
"In addition, MV3 disallows certain CSP modifications for extension_pages that were permitted in MV2. The script-src, object-src, and worker-src directives may only have the following values:"
self
none
Any localhost source, (http://localhost, http://127.0.0.1, or any port on those domains)
So is there seriously no way for a Google Chrome extension to authenticate with a Google auth provider through Google's Firebase? The only workaround I can think of is to create some hosted site that does the authentication, have the Chrome extension inject a content script, and have the hosted site pass the auth details back to the Chrome extension through an event or something. Seems like a huge hack though and possibly subject to security flaws. Anyone else have ideas??
Although it was mentioned in the comments that this works with the Google auth provider using chrome.identity sadly there was no code example so I had to figure out myself how to do it.
Here is how I did it following this tutorial:
(It also mentions a solution for non-Google auth providers that I didn't try)
Identity Permission
First you need permission to use the chrome identity API. You get it by adding this to your manifest.json:
{
...
"permissions": [
"identity"
],
...
}
Consistent Application ID
You need your application ID consistent during development to use the OAuth process. To accomplish that, you need to copy the key in an installed version of your manifest.json.
To get a suitable key value, first install your extension from a .crx file (you may need to upload your extension or package it manually). Then, in your user data directory (on macOS it is ~/Library/Application\ Support/Google/Chrome), look in the file Default/Extensions/EXTENSION_ID/EXTENSION_VERSION/manifest.json. You will see the key value filled in there.
{
...
"key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAgFbIrnF3oWbqomZh8CHzkTE9MxD/4tVmCTJ3JYSzYhtVnX7tVAbXZRRPuYLavIFaS15tojlRNRhfOdvyTXew+RaSJjOIzdo30byBU3C4mJAtRtSjb+U9fAsJxStVpXvdQrYNNFCCx/85T6oJX3qDsYexFCs/9doGqzhCc5RvN+W4jbQlfz7n+TiT8TtPBKrQWGLYjbEdNpPnvnorJBMys/yob82cglpqbWI36sTSGwQxjgQbp3b4mnQ2R0gzOcY41cMOw8JqSl6aXdYfHBTLxCy+gz9RCQYNUhDewxE1DeoEgAh21956oKJ8Sn7FacyMyNcnWvNhlMzPtr/0RUK7nQIDAQAB",
...
}
Copy this line to your source manifest.json.
Register your Extension with Google Cloud APIs
You need to register your app in the Google APIs Console to get the client ID:
Search for the API you what to use and make sure it is activated in your project. In my case Cloud Firestore API.
Go to the API Access navigation menu item and click on the Create an OAuth 2.0 client ID... blue button.
Select Chrome Application and enter your application ID (same ID displayed in the extensions management page).
Put this client ID in your manifest.json. You only need the userinfo.email scope.
{
...
"oauth2": {
"client_id": "171239695530-3mbapmkhai2m0qjb2jgjp097c7jmmhc3.apps.googleusercontent.com",
"scopes": [
"https://www.googleapis.com/auth/userinfo.email"
]
}
...
}
Get and Use the Google Auth Token
chrome.identity.getAuthToken({ 'interactive': true }, function(token) {
// console.log("token: " + token);
let credential = firebase.auth.GoogleAuthProvider.credential(null, token);
firebase.auth().signInWithCredential(credential)
.then((result) => {
// console.log("Login successful!");
DoWhatYouWantWithTheUserObject(result.user);
})
.catch((error) => {
console.error(error);
});
});
Have fun with your Firebase Service...

How can I authenticate via Firebase Google Auth on localhost

I'm building a site with emberfire and using firebase. Everything seems to be set up fine regarding credentials, and I can read/write to the firebase database while developing locally, but every time I try to authenticate via the Google Popup it pops up fine with my Google accounts listed, and when I select my account it errors with this error object:
code: "auth/network-request-failed", message: "A network error (such as timeout, interrupted connection or unreachable host) has occurred."
I assume I'm simply missing a setting somewhere but for the life of me I cannot find it. Here's the code to get the popup and response:
const provider = new firebase.auth.GoogleAuthProvider();
this.firebaseApp.auth().then(auth => {
/* Firebase SDK calls */
auth.signInWithPopup(provider).then(function(response) {
console.log(response);
}).catch(function(error) {
console.log(error);
});
});
I am using EmberJS with emberfire.
In my environment I had host: 'api', and when removing that authentication works, so it must be one of the adapters that is used.

Firebase Error: Auth error from APNS or Web Push Service

After running the following line in node-js:
import * as admin from "firebase-admin";
import * as serviceAccount from "../../firebase_service_account_key.json";
const app = admin.initializeApp({
credential: admin.credential.cert(serviceAccount as any),
databaseURL: "https://my-app-path.firebaseio.com"
});
admin.messaging().send({
token: "known-good-token",
notification: {
title: "Test Push Note",
body: "Here is some text"
}
});
I'm getting the error:
Error: Auth error from APNS or Web Push Service
Raw server response:
"{
"error":{
"code":401,
"message":"Auth error from APNS or Web Push Service",
"status":"UNAUTHENTICATED",
"details"[
{
"#type":"type.googleapis.com/google.firebase.fcm.v1.FcmError",
"errorCode":"THIRD_PARTY_AUTH_ERROR"
},
{
"#type":"type.googleapis.com/google.firebase.fcm.v1.ApnsError",
"statusCode":403,
"reason":"InvalidProviderToken"
}
]
}
}"
I've added an "APNs Authentication Key" to my ios project under the Settings > Cloud Messaging section of Firebase. I've also properly downloaded and imported my service account json file.
In terms of research, I've tried looking up the errors.
For the InvalidProviderToken error, this answer seems to indicate I'm using an old token. This is totally possible, but the logs on my app and database appear to match, so it seems off.
As for the THIRD_PARTY_AUTH_ERROR, google gave me no hits. The closest thing I found was this, and the following text might be the culprit (EDIT: it's not the issue):
auth/unauthorized-domain
Thrown if the app domain is not authorized for OAuth operations for your Firebase project. Edit the list of authorized domains from the Firebase console.
Does anyone have anymore details on this error which might help me get to the bottom of it?
This error arises if your app setup for iOS has an error in any one of the following:
Found in Settings > General > Your Apps > iOS Apps:
App Store ID
Bundle ID
Team ID
When adding an APNs key (Uploading to Cloud Messaging > APNs Authentication Key):
Team ID (should auto set based off ios app info above)
Key Id (often is in the name of the key, best to grab when creating it)
Everything worked for me the other day, so all setup was fine. But today I got this error.
Here's what solved it for me:
Revoked APNs Key
Created new one and downloaded it
Deleted old one and Uploaded it to Firebase Dashboard / Settings /
Cloud Messaging
Gone to Settings / Service Accounts and generated new private key
Added it to my Cloud Functions project (renamed it to
service-account.json in my case)
Saved the files and deployed the functions: firebase deploy --only
functions
Did you call admin.initializeApp()?
There are many official samples.
See:
https://github.com/firebase/functions-samples/blob/master/fcm-notifications/functions/index.js#L20
https://github.com/firebase/functions-samples/tree/master/fcm-notifications
https://github.com/firebase/functions-samples
https://github.com/firebase/quickstart-js/tree/master/messaging
I had the same issue. The culprit was lowercase APNs teamId. Changing it to capital solved it.
Double check if you have uploaded your apns key on firebase console. That was my case.

Migration to Version 2.0 of LinkedIn API

Recently I created an application for the LinkedIn API (Status is Development).
I managed to do requests to the old v1 version of the API, for example 'https://api.linkedin.com/v1/people/~' and '/v1/people/~/shares'. But when I try to use the new version, v2, of the API I encounter some problems.
Problem 1: When I try to request 'https://api.linkedin.com/v2/me' I get the following error:
{
"serviceErrorCode": 100,
"message": "Not enough permissions to access: GET /me",
"status": 403
}
From what I understand to fix this problem I should use the 'r_liteprofile' scope when requesting a access token. But this leads to my next problem.
Problem 2: When I request the oauth endpoint (https://www.linkedin.com/oauth/v2/authorization?response_type=code&client_id={id}&redirect_uri={redirect_uri}&state={state}&scope=r_liteprofile) I get the following error:
error=unauthorized_scope_error&error_description=Scope "r_liteprofile" is not authorized for your application
So I figured I need to select these scopes in the Application settings. But that leads to my third and final problem.
Problem 3: I am unable to select the required application permissions at 'https://www.linkedin.com/developer' for my application.
My Default Application Permissions
How do I manage to use the new (v2) API version?
Thanks!
For moving first you check :
you have to check Linkedin - Myapp - Default Application Permissions
You have r_liteprofile permission or not ( for calling this 'https://api.linkedin.com/v2/me)
in V2 you can use : r_liteprofile for firstName,lastName,profilePicture,id r_emailaddress for getting emailAddress
Check this : https://learn.microsoft.com/en-us/linkedin/consumer/integrations/self-serve/migration-faq?context=linkedin/consumer/context

google cloud vision api quickstart error opening file

I am following the following Google Cloud Vision quickstart:
https://cloud.google.com/vision/docs/quickstart
This is using the API Explorer, and I get
Error Opening File
I have created a bucket named vision2018, and checked Share Publicly for the file.
My portion of the request related to the file is:
"image":
{
"source":
{
"imageUri":"gs://vision2018/demo-image.jpg"
}
}
The response I get is:
{
"responses": [
{
"error": {
"code": 5,
"message": "Error opening file: gs://vision2018/demo-image.jpg\"."
}
}
]
}
}
What do I need to specify in order to access files in my GCP storage?
Alternatively, I read other Stack Overflows that talk about GOOGLE_APPLICATION_CREDENTIALS, Simple API Key, and "Create Service account key and download the key in JSON format", ... but these seem to be giving commands in the shell, which this quickstart doesn't even open.
Is there initial setup assumed prior to the quickstart?
I am not ready to call the api from code
You might want to doublecheck your request. I went to the quickstart, replaced the placeholder imageUri with gs://vision2018/demo-image.jpg and it worked just fine. The error message you posted is what would be displayed if you had given gs://vision2018/demo-image.jpg\" instead.
Regarding the second part of your question: these are authentication methods. In this particular case, under Authentication you will find a drop down which lets you chose between API key and Google OAuth 2.0. If you chose the former, you don't need to do anything as a demo key will be used just for the purposes of the quickstart. If you chose OAuth 2.0, a popup will appear prompting you to authenticate with a google account. All in all, what you need to do is follow step-by-step the instructions given by the quickstart.
I was receiving a similar JSON response from the Google Vision API:
"error": {
"code": 7,
"message": "Error opening file: gs://bucket/file.jpg."
}
The fix was to set the GCS file's permission to public-read:
gsutil acl set public-read gs://bucket/file.jpg
Finally I investigated what happened. The problem is that your API token is only grant for process the image (allow right to use OCR engine), but that API is not also for accessing object in GS.
Therefore "message": "Error opening file:
The problem is similar with this post:Authorize Google Cloud Vision API to Google Storage image Maybe the error message is a bit dumb than many years ago.
The solution also mentioned in the answer section, but if you want some thing more clear (expose security side-effect) here it is: Set GCS read-only public
Reason I want to keep using API because it's better for use it in mobile application, we cannot give the OAuth2.0 to any phone. However, still find a way to secure the read-public bucket.

Resources