Login access token for sign in functionality missing #8905

Open
@seaders

Operating System

Windows 11, macOS 15.4

Environment (if applicable)

Chrome 135, Node 22.14.0

Firebase SDK Version

11.1.0

Firebase SDK Product(s)

Auth

Project Tooling

React Chrome extension with Plasmo

Detailed Problem Description

In Chrome extensions, you can have many contexts which don't share user login functionality. For "true" sign in, this can be circumvented by controlling the login flow, like

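// Storage is assumed to be Plasmo's storage wrapper, given the tooling listed above
import { Storage } from "@plasmohq/storage"
import { GoogleAuthProvider, signInWithCredential } from "firebase/auth"

// `auth`, getAuthUrl() and extractAccessToken() are defined elsewhere in the extension

// shared storage between all clients
const authStorage = new Storage()

const USER_TOKEN_KEY = "user_token"

// every context watches the shared key and signs in when a new token arrives
authStorage.watch({
  [USER_TOKEN_KEY]: ({ newValue, oldValue }) => {
    if (newValue !== oldValue) {
      // second argument is the Google OAuth access token (no ID token supplied)
      const credential = GoogleAuthProvider.credential(null, newValue as string)
      void signInWithCredential(auth, credential)
    }
  }
})

// must be async because it awaits launchWebAuthFlow
async function signIn() {
  const responseUrl = await chrome.identity.launchWebAuthFlow({
    url: getAuthUrl(),
    interactive: true
  })

  // the access token comes back in the fragment of the redirect URL
  const url = new URL(responseUrl)
  const token = extractAccessToken(url.hash)

  // publishing the token triggers the watcher in every other context
  void authStorage.set(USER_TOKEN_KEY, token)
}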

This is cumbersome, but it works for Google sign-ins, which is all we've used until now. The token that's synced between contexts, through Chrome's shared storage, allows all clients to start a login and, if successful, pushes it to the rest.

The problem now is, we want to add functionality to sign users in as anonymous with signInAnonymously, and while that runs successfully in the context it's started in, the accessToken or idToken returned in the UserCredential response cannot be used to log in elsewhere.

Any effort by other contexts to sign in like above results in errors of

FirebaseError: Firebase: Unsuccessful check authorization response from Google: {
  "error_description": "Invalid Value"
}
 (auth/invalid-credential).
    at _errorWithCustomMessage (assert.ts:101:14)
    at _performFetchWithErrorHandling (index.ts:223:21)
    at async _performSignInRequest (index.ts:251:7)
    at async _signInWithCredential (credential.ts:49:9)

I thought about writing this about just signInAnonymously but, realistically, that's just a new issue we're facing here. To properly be able to solve this, I consider this a bug affecting all the sign in methods.

This issue is specifically a bug for the Chrome environment, but could hit other environments too.

Steps and code to reproduce issue

Log in in the popup context of a Chrome extension and try to log in with that same user in the injected content context; there isn't any way to do it with the API (and no way to do it at all with login as anonymous).
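Added example (not part of the original issue, nor Firebase SDK code): a check that tells a Firebase ID token, such as the one signInAnonymously returns, apart from the Google OAuth access token that GoogleAuthProvider.credential(null, token) takes as its second argument, so a shared-storage watcher can skip it rather than fail with auth/invalid-credential. The function names, sample tokens and project name are constructed for illustration, and claims are decoded without signature verification.

```javascript
// Decode a JWT payload WITHOUT verifying the signature.
// Use for routing and diagnostics only, never as an authentication decision.
function decodeJwtPayload(token) {
  const parts = typeof token === "string" ? token.split(".") : []
  if (parts.length !== 3) return null // not a three-part JWT
  try {
    const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/")
    const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4)
    return JSON.parse(atob(padded))
  } catch {
    return null // not base64url-encoded JSON
  }
}

// Firebase ID tokens are JWTs issued by https://securetoken.google.com/<projectId>
// and carry the sign-in method under firebase.sign_in_provider.
function classifyToken(token) {
  const claims = decodeJwtPayload(token)
  if (claims === null) return { kind: "opaque" }
  const iss = typeof claims.iss === "string" ? claims.iss : ""
  if (iss.startsWith("https://securetoken.google.com/")) {
    const provider = claims.firebase && claims.firebase.sign_in_provider
    return { kind: "firebase-id-token", provider: provider || "unknown" }
  }
  return { kind: "other-jwt", issuer: iss }
}

// Guard for a storage watcher: a Firebase ID token is not a Google access token.
function isFirebaseIdToken(token) {
  return classifyToken(token).kind === "firebase-id-token"
}

// Constructed samples (unsigned, illustrative only)
function makeSampleJwt(payload) {
  const enc = (o) =>
    btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "")
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(payload)}.constructed-signature`
}
const SAMPLE_ANON_ID_TOKEN = makeSampleJwt({
  iss: "https://securetoken.google.com/example-project",
  firebase: { sign_in_provider: "anonymous" }
})
const SAMPLE_OPAQUE_TOKEN = "constructed-opaque-access-token"
```

Because the claims are unverified, the result only decides which sign-in path to attempt; the Firebase backend remains the authority on whether a credential is valid.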
