So I've followed the guide here https://firebase.google.com/docs/auth/android/email-link-auth and am able to make an email get sent out successfully.
If I click that link on my desktop, it tries to take me to a website with the following image
Should I be writing my own server based app to authenticate this? I assumed Firebase would handle that for me. The guide doesn't mention anything about what happens at all.
It does talk about this
// URL you want to redirect back to. The domain (www.example.com) for this
// URL must be whitelisted in the Firebase Console.
.setUrl("https://www.example.com/finishSignUp?cartId=1234")
I changed it to use the domain of my firebase app/project e.g. myapp-123456.firebaseapp.com, assuming that Firebase would have something to handle this.
Am I missing a large section of documentation?
Related
I have read the functions docs and the authentication codes on the firebase website, but I have no clue if it will be secure or not. I've read the whole of this doc: https://firebase.google.com/docs/auth/custom-email-handler
They seem to do all the verification on the website but I can't find the verifyPasswordResetCode(actionCode) function in the node.js doc so what way would you go around this?
Basically, if the user forgets their password/needs to verify their email I want the user to go to my website (I've already configured the custom action URL that is sent when the user requests to reset their email to go to 'mywebsite.com/auth/action/.../'. I know that the my front end (IOS App) needs to verify the code and then In my functions (that's hosted on my website) I need to reset their password, but how would I securely transfer information from the email to my app, to my website with the function to reset their password with the action code. Or can I do it all on my website instead of where they input their new password on the website? I'm guessing using dynamic links?
Thanks,
Nathan
Can't login using Google Auth,
Error 403: org_internal
This client is restricted to users within its organization.
Go to cloud console (https://console.cloud.google.com/apis/)
APIs and services
Credentials
Oath consent screen
Ensure Application type is set to "public" and not internal.
Obviously assuming that you are creating an app that should be accessible outside your org. If this is related to testing and phones, it is possible to create testusers that are excepted from company policy rules.
The reason for this error is indeed because the Application type is set to "internal".
But setting it to public is not always the right answer...
Add "&prompt=select_account" to the authentication url. This will force the user to select the correct (organization-)account.
Without the parameter, Google tries to show the consent screen for the logged in Google-account, but as it is not an organization-account it will just display the 403 page without giving the user this choice.
https://developers.google.com/identity/protocols/OpenIDConnect#prompt
I had an Internal app that I was trying to authenticate with one of our YouTube channels using an organization account, and I was getting the same error:
Authorization Error
Error 403: org_internal
This client is restricted to users within its organization.
After contacting Google Workspace Support, they asked me to Change the restriction on it from Limited to Trusted.
Steps are mentioned in this support thread: https://support.google.com/a/answer/7281227
Open the Google Admin Console.
From the sidebar menu, choose: Security → API Controls.
Click on MANAGE THIRD-PARTY APP ACCESS button.
Hover the cursor over the required app and click on Change access.
Choose the option: Trusted: Can access all Google services
And save the CHANGE.
Once you've done, take note that there will be 24 hours of propagation on it before it gradually takes effect.
Make sure, for the browser you are using, that you have logged out of "All" Google account(s). This should force the "select account" windows to display.
We have almost exactly the same problem while trying to configure WP Mail SMTP for Wordpress.
The OAuth Client's Application Type has to be "Internal" so changing it to "External" was not an option for us.
Hope this helps.
I had the same issue and in my case was because the project didn't had a support email address set it.
I fix it by adding one on the Firebase Console > Project Settings > General under the Public settings section.
This error is most likely due to the configuration of your application in Google Cloud Platform.
Setting your application to "internal" is causing this error. Try making your app "external" in the OAuth consent screen, but make sure it is in a "testing" status. Then, add yourself to the test users. This configuration will work well for an internal, lightweight application.
Once complete, try to authenticate with the channel again.
I had the same issue with a project. The error only appeared if I tried to log in to my app while already logged in with an account outside the organization (worked just fine while logged out of all accounts, or while logged in with an internal organization account). I had to change the OAuth Client's Application Type from Internal to Public in the Google Dev Console.
More info can be found at https://support.google.com/cloud/answer/6158849?hl=en
Maybe you have another google email to login, not the correct one.
in console firebase, in the menu Authentification -> Templates
There is a sms verification template :
%LOGIN_CODE% is your verification code.
How to change this message template?
firebaser here
Neither the email verification template nor the SMS verification template can be modified. You can select the language from the Firebase console, however this is a per project setting and you can't modify the templates.
We understand that changing the template would allow you to tweak the user-experience of your app, but we don't allow this to prevent abuse of the service.
Update 1 year later, still a no go, but I received this back from support
The Firebase SMS Authentication message content will depend on the
platform you are requesting that message from. Here is a list of the
possible variations you may get:
iOS and Android - The SMS messages draw the app's name from the App Store / Play Store. One an app is published, the correct name
should start appearing. There may be a small delay (a week or two at
most).
Web - It will always use the domain that the SMS is requested from. To modify it, you can setup a custom domain.
iOS (using Recaptcha) - Phone authentication on iOS will show the project's url instead of the app's name in the verification
SMS when using the reCAPTCHA flow. This is expected behavior. The
reCAPTCHA flow was added for cases where an APNS token is not
available (including on real devices). If APNS is not correctly
configured, a real device will default to the reCAPTCHA flow.
Unfortunately, neither the email verification template nor the SMS
verification template can be modified. You can select the language
from the Firebase Console, however this is a per project setting and
you can't modify the templates.
We understand that changing the template would allow you to tweak the
user-experience of your app, but we don't allow this to prevent abuse
of the service. I hope this clears your consults about this topic. If
you happen to have any more questions, please, do not hesitate to
write back!
Meanwhile you cannot change the content of the message, you can change the app's URL mentioned in the SMS.
Go to Authentication > Sign-in Method > Authorized domains and add your own domain website.tld
Now edit the Firebase config object (in your source code) and update the authDomain key to the domain you linked earlier.
Send a new test message, you're good to go.
As per Firebase Support the %APP_NAME% should be shown in your firebase settings wherein the %APP_NAME% is called after Public-facing name in public settings.
EDIT:
I checked first where is the location of "localhost" and wherein i found on "Authentication>Sign-in method" then under 'authorized domain' you will find "localhost" in order to change the localhost you need to add a new domain.
Note:
be careful on deleting localhost to your authorized domain. It will take time to function OTP request.
This one helps;
Go to Authentication > Sign-in Method > Authorized domains and add your own domain website.tld
Now edit the Firebase config object (in your source code) and update the authDomain key to the domain you linked earlier.
in console firebase, in the menu Authentification -> Templates
There is a sms verification template :
%LOGIN_CODE% is your verification code.
How to change this message template?
firebaser here
Neither the email verification template nor the SMS verification template can be modified. You can select the language from the Firebase console, however this is a per project setting and you can't modify the templates.
We understand that changing the template would allow you to tweak the user-experience of your app, but we don't allow this to prevent abuse of the service.
Update 1 year later, still a no go, but I received this back from support
The Firebase SMS Authentication message content will depend on the
platform you are requesting that message from. Here is a list of the
possible variations you may get:
iOS and Android - The SMS messages draw the app's name from the App Store / Play Store. One an app is published, the correct name
should start appearing. There may be a small delay (a week or two at
most).
Web - It will always use the domain that the SMS is requested from. To modify it, you can setup a custom domain.
iOS (using Recaptcha) - Phone authentication on iOS will show the project's url instead of the app's name in the verification
SMS when using the reCAPTCHA flow. This is expected behavior. The
reCAPTCHA flow was added for cases where an APNS token is not
available (including on real devices). If APNS is not correctly
configured, a real device will default to the reCAPTCHA flow.
Unfortunately, neither the email verification template nor the SMS
verification template can be modified. You can select the language
from the Firebase Console, however this is a per project setting and
you can't modify the templates.
We understand that changing the template would allow you to tweak the
user-experience of your app, but we don't allow this to prevent abuse
of the service. I hope this clears your consults about this topic. If
you happen to have any more questions, please, do not hesitate to
write back!
Meanwhile you cannot change the content of the message, you can change the app's URL mentioned in the SMS.
Go to Authentication > Sign-in Method > Authorized domains and add your own domain website.tld
Now edit the Firebase config object (in your source code) and update the authDomain key to the domain you linked earlier.
Send a new test message, you're good to go.
As per Firebase Support the %APP_NAME% should be shown in your firebase settings wherein the %APP_NAME% is called after Public-facing name in public settings.
EDIT:
I checked first where is the location of "localhost" and wherein i found on "Authentication>Sign-in method" then under 'authorized domain' you will find "localhost" in order to change the localhost you need to add a new domain.
Note:
be careful on deleting localhost to your authorized domain. It will take time to function OTP request.
This one helps;
Go to Authentication > Sign-in Method > Authorized domains and add your own domain website.tld
Now edit the Firebase config object (in your source code) and update the authDomain key to the domain you linked earlier.
I am using Firebase Auth signInWithPopup() which is absolutely great. But
when initially configured, the popup reads:
Choose an account to continue to myApp-123.firebaseapp.com
I would really like it to read:
Choose an account to continue to myApp.com
How can I make the popup show my own domain?
In my solution that follows I should say that the steps I followed worked. It is possible that I did something that it not absolutely required, but to my knowledge and at this time, I have not broken anything.
This workflow (and the documentation) is a bit broken up because you must adjust both your Google Cloud Platform (GCP) credentials and the Firebase authentication. Documentation was provided by each side of this workflow but I was not able to find a document that covered the entire workflow to make this substitution.
GCP Console Setup
I first adjusted my GCP credentials for the OAuth Client:
Go to the GCP console > APIs & Services > Credentials page (https://console.cloud.google.com/apis/credentials?project=_ and select your project)
At the bottom of the page, find "OAuth 2.0 client IDs". There should be an entry titled "Web client (auto created by Google Service)"
To the right side of page click on the edit icon (pen), which opens the configuration page.
Under "Authorized JavaScript origins", you should see your yourFirebaseApp.firebaseapp.com domain. Click "+ Add URI" and add your custom URI. This should be an "https" domain, so use https://myApp.com
Under "Authorized redirect URIs", you should see https://yourFirebaseApp.firebaseapp.com/__/auth/handler. (The __/auth/handler bit on the tail is the auth callback that Firebase provides). Click "+ Add URI" and add your domain, with __/auth/handler at the end. (For example: https://myApp.com/__/auth/handler)
Click Save
Go to the OAuth Consent Screen (https://console.cloud.google.com/apis/credentials/consent/edit?project=_). Add your custom domain to "Application Homepage link", and fill in the "Application Name" and "Logo", and "Application Privacy Policy link" with custom values for your app.
Firebase Console Setup
Then, you'll need to add your custom domain to the Firebase auth authorized domain list:
Go to the Firebase Console > Authentication > Sign-in Methods page (https://console.firebase.google.com/project/_/authentication/providers and select your project)
Under "Authorized Domains" you should see localhost and the default yourFirebaseApp.firebaseapp.com domain. Click the "Add Domain" and enter your custom domain name, then click add.
Web App Setup
You will likely remember the block of code that you copied from your firebase project and pasted into the code from which you compile and deploy your Web App. (Some people use the hosting default init.js script - if you do, go back and setup your app using the config snippet instead)
Find the "authDomain" field in the code snippet, and change it to your custom domain, then re-deploy.
This procedure worked for me and my project, I have posted this in the hopes that these instructions may be refined via feedback from others performing this or similar operations.
I asked firebase support and got the following reply. Items in italics are my additions. This is more or less the same as Done's answer but with a custom domain. You do not need to host your app on Firebase.
--
Hi Jayen,
Thank you for reaching out. I'll be happy to assist you.
In order to update firebase-project-id.firebaseapp.com in the OAuth consent screen, you need a custom domain with Firebase Hosting (Firebase Console > Hosting > Connect Domain). This is because https://firebase-project-id.firebaseapp.com/__/auth/handler is hosted by Firebase Hosting. You need to point your custom domain to firebase-project-id.firebaseapp.com.
When connecting the custom domain, if you are not hosting your app on firebase, use a new subdomain (e.g. app.yourdomain.com) and do not redirect it. Firebase will prompt you to add a DNS entry and take of the SSL certificate automatically.
After connecting your custom domain to your Firebase project, you should also follow the steps below:
Go to the Firebase Console > Select Project > Authentication > Sign-in method > Facebook > Copy the URL under 'To complete setup, add this OAuth redirect URI to your Facebook app configuration.'
It will look something like https://firebase-project-id.firebaseapp.com/__/auth/handler
Replace the project ID with your custom domain. It will look something like: https://yourdomain.com/__/auth/handler
Go to the GCP Console > Select project > API Manager > Credentials > Add the link in #2 to the 'Authorized redirect URIs'
Then ensure to use yourdomain.com as the authDomain in your app's configuration instead of firebase-project-id.firebaseapp.com
firebase.initializeApp({
apiKey: ....,
authDomain: 'yourdomain.com',
...
});
Let me know if you have any other questions regarding this.
Regards,
Aye
--
In my case, yourdomain.com is where I host my site, so I used app.yourdomain.com where I needed it.
Firebase Hosting URL
handler url: https://app.yourdomain.com/__/auth/handler
GCP Credentials
Choose the right one under OAuth 2.0 client IDs . The client ID will match the one you have configured Firebase with in your code.
authDomain: "app.yourdomain.com"