fix(auth, android): handle null id-tokens from google credential manager#9082
Conversation
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request addresses an issue where Google sign-in flows using Android Credential Manager (which provide an ID token without an access token) were failing on the native Android bridge. By ensuring that empty access tokens are explicitly converted to null before being passed to the Firebase Android SDK, the change aligns the implementation with the expected API behavior for id-token-only authentication. Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. Footnotes
|
There was a problem hiding this comment.
Code Review
This pull request introduces support for Google ID-token-only credentials by mapping empty access tokens to null on Android, preventing the native Firebase SDK from rejecting them, and adds corresponding unit and E2E tests. However, the current implementation breaks the access-token-only flow because an empty ID token (authToken) is still passed as an empty string instead of null. To resolve this, both empty ID tokens and empty access tokens should be mapped to null before calling the native SDK.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
40ac29a to
0adf550
Compare
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #9082 +/- ##
==========================================
+ Coverage 58.72% 58.77% +0.05%
==========================================
Files 333 333
Lines 24985 24985
Branches 4149 4149
==========================================
+ Hits 14671 14682 +11
+ Misses 9577 9568 -9
+ Partials 737 735 -2
Flags with carried forward coverage won't be shown. Click here to find out more. 🚀 New features to boost your workflow:
|
|
tiny fix, I've looked at it pretty deeply and it's been through 2 adversarial reviews at this point - going to merge |
Description
GoogleAuthProvider.credential(idToken, null)(id-token-only flows from Android Credential Manager) failed at the native bridge withaccessToken cannot be empty. The JS layer maps a missing access token to an empty string (secret: ''), and the Android module passed that through toGoogleAuthProvider.getCredential(idToken, ""). Firebase Android rejects an empty access token but acceptsnullfor id-token-only sign-in.This change maps null/empty Google access tokens to
nullbefore calling the Firebase Android SDK, matching the documented API for Credential Manager flows.Reference: GoogleAuthProvider.getCredential — both parameters are
@Nullable; Authenticate with Google on Android showsGoogleAuthProvider.getCredential(idToken, null)for id-token-only sign-in.Related issues
Release Summary
Fix Android Google sign-in when using id-token-only credentials from Credential Manager (no access token).
Checklist
AndroidiOSOther(macOS, web)e2etests added or updated inpackages/**/e2ejesttests added or updated inpackages/**/__tests__Test Plan
yarn tests:jest --watchman=false packages/auth/__tests__/— 104 tests passyarn lint:js— passsignInWithCredentialfor id-token-only Google credentials (noaccessToken cannot be empty)