Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Reminder] Changes to Firebase Auth’s SignInWithRedirect flows #297

Open
MurakamiShinyu opened this issue Feb 21, 2024 · 0 comments
Open

[Reminder] Changes to Firebase Auth’s SignInWithRedirect flows #297

MurakamiShinyu opened this issue Feb 21, 2024 · 0 comments

Comments

@MurakamiShinyu
Copy link
Member

I got this reminder email from Firebase:

Subject: [Reminder] Changes to Firebase Auth’s SignInWithRedirect flows

Starting June 18, 2024, the end users of applications using Firebase Auth may not be able to authenticate if you're using the **signInWithRedirect** method and your users are using one of the following browsers:

  • Safari 16.1+ on macOS
  • iOS 16.1+
  • Firefox 109+
  • Chrome M115+

What do you need to know?

Starting June 18, 2024, implementing one of the options listed in the linked best practices below will be required for redirect sign-in to work on Google Chrome M115+. This is already required on Firefox 109+ and Safari 16.1+.

Based on our records, you have an app that uses signInWithRedirect in the Web SDK API, meaning your users who use the platforms listed above are impacted.

What do you need to do?

While we cannot control the version/settings of the browser sending the login request, we want to offer mitigations for authentication in your app to continue working for all users. Follow the best practices guide to make sure users can use your app when additional browser platform updates are released.

To ensure continued functionality and security, you will need to review and update your authorized domains configuration for the project that hosts your redirect domainin the Firebase Console. 3rd party IDP login requests that are sent with an unauthorized continueUri will be blocked due to security risk.

Additionally, if you self-host the sign-in helper code, you must download and sync the most recent host files and serve your own Firebase configuration file /__/firebase/init.json to ensure that the user is only redirected to an allowlisted domain for your app. We also recommend that you validate that your app is using the correct API keys. See the best practices guide for more information.

No action is required if you use Firebase Hosting to host the web widgets.

Your impacted projects are below:

Thanks for choosing Firebase Auth.

--- The Firebase Auth Team
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@MurakamiShinyu