FirebaseAuth - Requests from this Android client application <empty> are blocked #1757

Closed
rmatihara opened this issue Jul 3, 2020 · 3 comments


@rmatihara

Describe your environment

  • Firebase component and version: firebase-auth: 19.3.1, firebase-core: 17.4.1

Describe the problem

We have developed Sign in with Apple on Android and confirmed that it is working properly.

But, when we have restricted the API key to Android with fingerprint and package name in the Google Cloud Console, it does not work with the following error:

{"error":{"code":403,"message":"Requests from this Android client application <empty> are blocked.","errors":[{"message":"Requests from this Android client application <empty> are blocked.","domain":"global","reason":"forbidden"}],"status":"PERMISSION_DENIED"}}
An internal error has occurred. [ Requests from this Android client application <empty> are blocked. ]

When we remove the restriction on the API key on Google Cloud Console, everything works properly.

We have found in the docs that all requests to the API must send the following headers. Could this be the problem?

Header x-android-package
Label servicecontrol.googleapis.com/android_cert_fingerprint

Header x-android-cert 
Label servicecontrol.googleapis.com/android_package_name

Steps to reproduce:

Create a demo app (https://github.com/firebase/FirebaseUI-Android), implement the Sign in with Apple and restrict the API Key with fingerprint and package name on Google Play Console.
Then, try to login with Apple.

@google-oss-bot
Contributor

I found a few problems with this issue:

  • I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
  • This issue does not seem to follow the issue template. Make sure you provide all the required information.

@malcolmdeck
Contributor

Hey there, Malcolm from Firebase here!

This is a known behavior, and is due to the fact that Apple Sign-In is based on a Web flow - it kicks you to a browser to do the sign-in and then takes you back. As a result, your API key is used in a web context, so restricting your API key to only work on Android breaks this feature.

As it presently stands, API key restrictions provide minimal benefit for Android - all it does is make it so that certain headers must show up on the request in order to be accepted. We're working on better ways to solve this issue right now, but I would suggest foregoing API key restrictions for now (since it does very little) if you need to use Apple Sign-In.

Thanks,
~Malcolm
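
The behaviour described in the reply above, as an added example that is not part of the original thread and is not Firebase or Google code: a simplified model of a header-based Android key restriction, plus a triage helper for the 403 body in the report. The package name, fingerprint, function names and the exact matching rules are assumptions made for illustration.

```python
import json
import re

# Constructed sample restriction; package name and SHA-1 fingerprint are placeholders.
KEY_RESTRICTION = {"package": "com.example.app", "sha1": "AA" * 20}


def check_android_restriction(headers, restriction=KEY_RESTRICTION):
    """Simplified model (assumption): allow only if both identity headers match."""
    h = {k.lower(): v for k, v in headers.items()}
    package = h.get("x-android-package", "")
    cert = h.get("x-android-cert", "").replace(":", "").upper()
    if package == restriction["package"] and cert == restriction["sha1"]:
        return 200, {}
    # Same body shape as the error quoted in the report.
    msg = ("Requests from this Android client application %s are blocked."
           % (package or "<empty>"))
    return 403, {"error": {"code": 403, "message": msg,
                           "errors": [{"message": msg, "domain": "global",
                                       "reason": "forbidden"}],
                           "status": "PERMISSION_DENIED"}}


def diagnose(body_text):
    """Classify a 403 body by the client identity named in its message."""
    err = json.loads(body_text).get("error", {})
    m = re.search(r"Android client application (.+?) are blocked",
                  err.get("message", ""))
    if err.get("status") != "PERMISSION_DENIED" or not m:
        return "not an Android key-restriction error"
    if m.group(1) == "<empty>":
        return "no Android identity headers on the request (e.g. a web-context call)"
    # Assumption: a named package means the headers arrived but did not match.
    return "headers present, but %s or its fingerprint is not allowed" % m.group(1)


# Constructed requests: one as sent from inside the app, one from the browser
# step of a web-based sign-in flow, which carries no Android identity headers.
SDK_REQUEST = {"X-Android-Package": "com.example.app", "X-Android-Cert": "AA" * 20}
BROWSER_REQUEST = {"User-Agent": "Mozilla/5.0"}

if __name__ == "__main__":
    for name, req in (("sdk", SDK_REQUEST), ("browser", BROWSER_REQUEST)):
        status, body = check_android_restriction(req)
        print(name, status, diagnose(json.dumps(body)) if status == 403 else "allowed")
```

Because the model keys only on request headers, it is a client-identification hint rather than authentication; access control for user data still has to come from the signed-in user's token and the backend's authorization rules.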

@anurag-176

> Hey there, Malcolm from Firebase here!
>
> This is a known behavior, and is due to the fact that Apple Sign-In is based on a Web flow - it kicks you to a browser to do the sign-in and then takes you back. As a result, your API key is used in a web context, so restricting your API key to only work on Android breaks this feature.
>
> As it presently stands, API key restrictions provide minimal benefit for Android - all it does is make it so that certain headers must show up on the request in order to be accepted. We're working on better ways to solve this issue right now, but I would suggest foregoing API key restrictions for now (since it does very little) if you need to use Apple Sign-In.
>
> Thanks,
> ~Malcolm

Thanks!

@firebase firebase locked and limited conversation to collaborators Aug 8, 2020