
Twitter login isn’t working anymore on my android project and I have figured out that it’s because I have restricted my API keys in Google cloud. By default, twitter login makes use of an https request https://<project_name>.firebaseapp.com/__/auth/handler....apiKey=...&providerId=twitter.com&sessionId etc where apiKey is the API key in my google-services.json. Given that I have restricted the API Key to my Android app package name, https requests for twitter login return an error. If I manually edit the url and put the Browser API key, it works fine but this is obviously not a practical solution for production.

Is there a way to tell AuthUI.IdpConfig.TwitterBuilder() to use a specific API key, so that I can pass the default Browser API key?

I have tried to manually edit google-services.json to add the Browser API key; this fixes the Twitter login issue but breaks other calls to the server.


Answers


  1. Chosen as BEST ANSWER

    I got in touch with Firebase support, and this is expected behaviour if you restrict your API key. In short, the API restriction for an Android application looks for the package name and SHA-1 headers. The Twitter sign-in flow is browser-based, so those headers are not sent, and there is no way to pass the headers through the browser.

    The best approach would be using API restrictions (which APIs can my API be used for) rather than platform restrictions (which platforms can use this API key).


  2. One workaround is to have an extra key that your end users whom you trust can have, and to check this via query params.
    const BrowserAPIKey = 'realKeyhere';

    1. Create a unique key and save it as a constant in the function from which you call Twitter login.
    2. Under the key variable, call any URL and append a query param, e.g. firebaseauth.com/twitter?key=123, and then pluck out the key by calling req.body.key (if you requested the API with a param called key). Save this in another const, e.g. const enteredKey = req.body.key. We expect 123 to be the resolved key if things are to work.
    3. Check if trusted clients got the key right and release the Browser API key based on the result:
      if (enteredKey === '123') {
        // Call the Twitter login API with the real browser key
        // https://<project_name>.firebaseapp.com/__/auth/handler….apiKey=BrowserAPIKey…&providerId=twitter.com&sessionId
      }

    Assumptions:

    1. This API accepts the browser key via a param called browserkey, spelt exactly that way.
    2. The BrowserAPIKey in step 3 above contains the actual key that clients need to log in with.
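As an added illustration of the best answer's advice (not code from the original thread or from Firebase), here is a Terraform definition of the two key shapes side by side: an Android application restriction, which the browser-based Twitter handler cannot satisfy, and an API-target restriction, which it can. PROJECT_ID, the package name, the fingerprint and the resource names are placeholders, and the list of services is an assumption to be checked against what the key actually calls.

```hcl
# Added example, not from the original answers. PROJECT_ID, package name and
# fingerprint are placeholders.

# Weak for this use case: an Android application restriction. The Twitter
# sign-in flow runs in a browser, which never sends the package name / SHA-1
# headers, so requests to __/auth/handler carrying this key are rejected.
resource "google_apikeys_key" "android_restricted" {
  name         = "android-restricted-key"
  display_name = "Android app key (application restriction)"
  project      = "PROJECT_ID" # placeholder

  restrictions {
    android_key_restrictions {
      allowed_applications {
        package_name     = "com.example.app"                          # placeholder
        sha1_fingerprint = "0000000000000000000000000000000000000000" # placeholder
      }
    }
  }
}

# Corrected: restrict by API target instead. The key is accepted from any
# platform, including the browser-based sign-in handler, but can only reach
# the listed services. Which services to list is an assumption; confirm the
# key's actual usage in the Cloud console before applying.
resource "google_apikeys_key" "api_restricted" {
  name         = "api-restricted-key"
  display_name = "Firebase Auth key (API restriction)"
  project      = "PROJECT_ID" # placeholder

  restrictions {
    api_targets {
      service = "identitytoolkit.googleapis.com" # Firebase Authentication
    }
    api_targets {
      service = "securetoken.googleapis.com" # token refresh
    }
  }
}

# The generated key string is what goes into google-services.json; keep it
# out of plan output.
output "api_restricted_key_string" {
  value     = google_apikeys_key.api_restricted.key_string
  sensitive = true
}
```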