[Firebase: Error (auth/operation-not-allowed)] - A user (email) logged using signInWithEmailAndPassword, won't work with signInWithRedirect #6172

@vsspt

Description

Describe your environment

  • Operating System version: windows 10
  • Browser version: Chrome 100.0.4896.127
  • Firebase SDK version: 9.6.11
  • Firebase Product: auth

Describe the problem

I have the following Use Case:

A Web application uses Azure AD (mydomain.com) to authenticate users.

In order to configure the Azure AD settings in the Web application, a temporary user is created in Google Identity Platform, so the user can log in to the Web application using the Firebase SDK Auth signInWithEmailAndPassword function:

(screenshot)

The user is able to Log in.

Once the Azure AD Settings are configured, the APP:

  1. DELETES the temporary user from Google Identity,
  2. Creates an OIDC Provider on Google Identity (see image as an example of the OIDC Provider settings that the app would create):

(screenshot)

The above provider is used to log in users from Azure AD (mydomain), using the signInWithRedirect function, as per the documentation: https://firebase.google.com/docs/auth/web/microsoft-oauth

import { getAuth, OAuthProvider, signInWithRedirect, getRedirectResult } from "firebase/auth";

const auth = getAuth();

// "MyDomainTenantID" is the ID of the OIDC provider configured in Google Identity;
// `user` holds the e-mail address passed to Azure AD as login_hint
const provider = new OAuthProvider("MyDomainTenantID");
provider.setCustomParameters({
  login_hint: user,
});
signInWithRedirect(auth, provider);

// Runs when the page loads again after the redirect back from Azure AD
getRedirectResult(auth)
  .then((result) => {
    // User is signed in.
  })
  .catch((error) => {
    // e.g. error.code === "auth/operation-not-allowed"
    console.error(error.code, error.message);
  });

After configuring the Azure AD OIDC provider, all the Azure AD users (mydomain.com) are now able to log in to the Web application, EXCEPT the user that was used as the temporary user.

In the above example, myuser@mydomain.com is not able to log in to the Web application through the same Azure AD OIDC provider.

Please note that the user no longer exists on Google Identity, as it was removed so it can be logged in through the Azure AD OIDC provider and recreated by the JIT process on a successful login.

Analyzing the Console, the call to https://www.googleapis.com/identitytoolkit/v3/relyingparty/createAuthUri fails with a 400 Error: Firebase: Error (auth/operation-not-allowed)

The POST Request body:

{
   "providerId": "MyDomainTenantID",
   "continueUri": "https://xxx.firebaseapp.com/__/auth/handler",
   "customParameter": {
      "login_hint": "myuser@mydomain.com"
   },
   "tenantId": "GoogleIdentityTenantId"
}

As mentioned, ALL users from the same Azure AD are able to log in, EXCEPT the one that was initially used as an Email/Password user.

According to Firebase documentation, the auth/operation-not-allowed error occurs when:

The provided sign-in provider is disabled for your Firebase project. Enable it from the Sign-in Method section of the Firebase console.

BUT, this is not the case, as:

  • The OIDC provider connected to Azure AD is enabled
  • All the users from the Azure AD Domain (except myuser@mydomain.com) can successfully log in.

Steps to reproduce:

  1. On Google Identity, create a User with an email from an Azure AD Domain
  2. Use signInWithEmailAndPassword to log the user in,
  3. DELETE the user from Google Identity,
  4. Create an OIDC Provider, connecting to the Azure AD Domain,
  5. Use signInWithRedirect to log the user in on Azure AD,
  6. The login process fails, on the call to https://www.googleapis.com/identitytoolkit/v3/relyingparty/createAuthUri, with a 400 Error: Firebase: Error (auth/operation-not-allowed),
  7. All other Azure AD users will be able to log in,
  8. All the other users are created in Google Identity.
