Firebase Auth returns v1 token instead of v2 when using OAuth 2.0, and adding custom scopes causes authentication failure #17088
Labels:
blocked: customer-response (Waiting for customer response, e.g. more information was requested.)
platform: android (Issues / PRs which are specifically for Android.)
platform: ios (Issues / PRs which are specifically for iOS.)
plugin: auth
type: bug (Something isn't working)
Is there an existing issue for this?
Which plugins are affected?
No response
Which platforms are affected?
No response
Description
Firebase Authentication currently supports signing in using OAuth 2.0 (Microsoft OAuth, Google, etc.). However, when using Microsoft OAuth 2.0 to sign in via Firebase with signInWithProvider(), the access token returned is v1, even though my backend system requires v2 for authentication.
Additionally, when adding a custom scope (api:///MyCustomScope.Read), the authentication fails with the following error:
[firebase_auth/invalid-credential] {"error": {"code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience."}}
Expected Behavior:
Firebase should return a v2 token when authenticating using OAuth 2.0 since Microsoft has switched to the OAuth 2.0 endpoint (/v2.0/authorize and /v2.0/token).
Adding a custom scope (api:///MyCustomScope.Read) should not cause authentication failure and should be correctly included in the token.
Setting the authority parameter to explicitly use /v2.0/authorize should ensure the correct token version.
Actual Behavior:
Firebase returns a v1 token, which causes authentication failure with my backend since it requires a v2 token.
When retrieving a token directly from Postman or Azure OAuth, the token returned is v2, but Firebase still provides v1.
Adding the custom scope (api:///MyCustomScope.Read) results in an InvalidAuthenticationToken error, meaning the audience validation fails.
Error Message:
[firebase_auth/invalid-credential] {"error": {"code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience."}}
Possible Fix:
Firebase should update its OAuth 2.0 integration to support v2 tokens from Microsoft.
Allow developers to specify whether they want a v1 or v2 token when authenticating.
Investigate why custom scopes cause an InvalidAuthenticationToken error and provide a fix or guidance on properly adding API scopes.
Ensure that the authority parameter is correctly handled when set in setCustomParameters().
Environment:
Firebase Auth SDK Version: latest
Flutter Version: [your flutter version]
Platform: iOS / Android
OAuth Provider: Microsoft
Reproducing the issue
```dart
import 'package:firebase_auth/firebase_auth.dart';

Future<void> signInWithMicrosoft() async {
  final microsoftProvider = OAuthProvider("microsoft.com");
  microsoftProvider.addScope("email");
  microsoftProvider.addScope("profile");
  microsoftProvider.addScope("openid");
  microsoftProvider.addScope("api:///MyCustomScope.Read"); // Adding this scope causes failure
  microsoftProvider.setCustomParameters({
    'tenant': '', // tenant ID omitted in the report
    'authority': 'https://login.microsoftonline.com//oauth2/v2.0/authorize', // tenant segment omitted in the report
  });
  UserCredential userCredential =
      await FirebaseAuth.instance.signInWithProvider(microsoftProvider);
  print(userCredential.credential?.accessToken);
}
```
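The quickest way to tell which token version the provider actually handed back, and why a backend rejects it with "Invalid audience", is to look at the `ver`, `aud` and `iss` claims of the access token. The script below is an added diagnostic example, not code from the issue or from FlutterFire: it base64url-decodes a compact JWT without verifying the signature (so it is for debugging only; a backend still has to validate signature, issuer, audience and expiry), reports those claims, and lists the mismatches a v2-only backend would reject. The GUIDs, tenant and sample tokens are constructed placeholders, and the assumed claim shapes (`ver` of `"1.0"` or `"2.0"`, v1 `aud` as an `api://` App ID URI versus v2 `aud` as the bare application ID) follow the Microsoft Entra ID token formats.

```python
import base64
import json
from typing import Any, Dict, List, Set


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> Dict[str, Any]:
    """Split a compact JWT into header and claims WITHOUT checking the signature.

    Diagnostics only: a backend must still verify signature, issuer, audience
    and expiry before trusting any claim.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return {
        "header": json.loads(_b64url_decode(parts[0])),
        "claims": json.loads(_b64url_decode(parts[1])),
    }


def diagnose_access_token(token: str, expected_audiences: Set[str]) -> Dict[str, Any]:
    """Report version, audience, issuer and scopes, plus the mismatches that would
    make a backend expecting a v2 token for one of expected_audiences reject it."""
    claims = decode_jwt_unverified(token)["claims"]
    aud = claims.get("aud")
    audiences = set(aud) if isinstance(aud, list) else ({aud} if aud else set())
    version = claims.get("ver")
    problems: List[str] = []
    if version != "2.0":
        problems.append(f"ver claim is {version!r}; a v2-only backend expects '2.0'")
    if not audiences & expected_audiences:
        problems.append(
            f"aud {sorted(audiences)} does not match expected {sorted(expected_audiences)}"
        )
    return {
        "version": version,
        "audiences": sorted(audiences),
        "issuer": claims.get("iss"),
        "scopes": claims.get("scp", "").split(),  # 'scp' is space-separated
        "problems": problems,
    }


def make_unsigned_sample_token(claims: Dict[str, Any]) -> str:
    """Build a constructed, unsigned (alg 'none') token so the example runs offline."""
    def enc(obj: Any) -> str:
        return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed placeholder identifiers; not real app or tenant IDs.
PLACEHOLDER_APP_ID = "00000000-0000-0000-0000-000000000000"
PLACEHOLDER_TENANT = "11111111-1111-1111-1111-111111111111"

# Constructed sample: shape of a v1 access token for a custom API.
SAMPLE_V1_TOKEN = make_unsigned_sample_token({
    "ver": "1.0",
    "aud": f"api://{PLACEHOLDER_APP_ID}",
    "iss": f"https://sts.windows.net/{PLACEHOLDER_TENANT}/",
    "scp": "MyCustomScope.Read",
})

# Constructed sample: shape of a v2 access token for the same API.
SAMPLE_V2_TOKEN = make_unsigned_sample_token({
    "ver": "2.0",
    "aud": PLACEHOLDER_APP_ID,
    "iss": f"https://login.microsoftonline.com/{PLACEHOLDER_TENANT}/v2.0",
    "scp": "MyCustomScope.Read",
})

if __name__ == "__main__":
    # A backend that accepts only v2 tokens expects the bare application ID as audience.
    for name, tok in (("v1", SAMPLE_V1_TOKEN), ("v2", SAMPLE_V2_TOKEN)):
        print(name, json.dumps(diagnose_access_token(tok, {PLACEHOLDER_APP_ID}), indent=2))
```

Paste the `accessToken` printed by the Flutter snippet into `diagnose_access_token` with the audience your backend is configured to accept; the `problems` list then states directly whether the rejection is the token version, the audience, or both. In Entra ID the version of an access token issued for a custom API is governed by that API's own app registration (its accepted access token version setting), so that registration is one place to check when `ver` comes back as `1.0`.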
Firebase Core version
2.27.0
Flutter Version
3.19.0