OTP is coming as web login and not detected by the SDK

[hkchakladar]

Step 1: Are you in the right place?

Yes

Step 2: Describe your environment

• Android device: Samsung M21
• Android OS version: 10
• Google Play Services version: 20.47.14
• Firebase/Play Services SDK version: _____
• FirebaseUI version: 7.1.1 (Latest)

Step 3: Describe the problem:

Problems are regarding sign-in and while upgrading from 6.x to 7.x :

1. SMS OTP is not detected automattically.
See attached video, OTP is not detected in the latest version.

firebase-ui-auth.mp4

2. Showing internal Google project ID/Default firebase hosting site in a custom tab while signing in.
As seen in the above video, while signing in, a blank custom tab is opened with my Default hosting site i.e. < google-project-id >.firebaseapp.in which has internal Google project ID (Instead of my desired site name). Why is this page coming?

3. OTP is showing as web login to Default firebase hosting site
See thess OTP messages, now the OTP is coming as if signing in to web (That too from Default hosting site with internal Google project ID (Instead of my desired site name). Compare with old OTP.

Expected Results:

1. OTPs to be detected automatically as earlier.
2. No extra custom tabs (if it's required, then show my selected website from the Firebase hosting sites)
3. OTP messages should show my app name, instead of website. (if it's required, then show my selected website from the Firebase hosting sites)

[samtstern]

@hkchakladar thank you for the super clear bug with video! I actually think this is a Firebase Android SDK core issue and not an issue specific to FirebaseUI so I am going to transfer it there.

[google-oss-bot]

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

[samtstern]

@malcolmdeck can you take a look at this one? Transferred from FirebaseUI

[efstathiosntonas]

I'm having the same issue, the code is not recognised by the app and later on when user tries to enter it manually it returns "sms code expired". Nothing changed on code, just updated SDK.

[xJon]

Having the same issues as described here, after updating to the latest firebase_auth. Any upcoming fix?

[malcolmdeck]

I can provide some clarity here. Versions of the firebase-auth SDK that are 20.0.0 or newer provide 2 means of application verification: SafetyNet and reCAPTCHA.

If phone auth app verification happens via SafetyNet, the text message uses the App name, since SafetyNet can attest primitives about the application that we can use to determine the application name successfully.

If phone auth app verification happens via reCAPTCHA, the text message uses the domain name that the reCAPTCHA verified. As presently implemented, this does not translate into an Android application name, since the primitives attested are different. We're considering ways to improve this behavior, either by translating into an application name or by using a developer-specified domain.

SMS auto retrieval is implemented via the SMS Retriever API. This requires appending 12 characters to the text message. In some cases, this will bump the message past the character limit for a single text message. In that case, we do not attach the necessary characters to trigger auto-retrieval. This shouldn't invalidate anything about the code - it still has the same lifetime that it had before, it just may not auto-retrieve.

Hopefully that clears some things up. If you have specific bug reports (such as reliably being able to trigger "SMS code expired"),feature requests (such as needing to be able to specify the domain or have reCAPTCHA still use APP_NAME), or other questions that aren't covered by this explanation, we'd be happy to take those reports. :)

[xJon]

@malcolmdeck Thank you for the detailed reply. Regarding SMS auto retrieval, what would explain it not working with new versions of firebase-auth? In @hkchakladar's original post, you can see that the new SMS structure with the project ID is actually shorter than previously, yet auto-retrieval does not work - that cannot really be explained with character limits.