Skip to content

fix(auth, android): handle null id-tokens from google credential manager#9082

Merged
mikehardy merged 2 commits into
mainfrom
fix/issue9081
Jul 2, 2026
Merged

fix(auth, android): handle null id-tokens from google credential manager#9082
mikehardy merged 2 commits into
mainfrom
fix/issue9081

Conversation

@mikehardy

Copy link
Copy Markdown
Collaborator

Description

GoogleAuthProvider.credential(idToken, null) (id-token-only flows from Android Credential Manager) failed at the native bridge with accessToken cannot be empty. The JS layer maps a missing access token to an empty string (secret: ''), and the Android module passed that through to GoogleAuthProvider.getCredential(idToken, ""). Firebase Android rejects an empty access token but accepts null for id-token-only sign-in.

This change maps null/empty Google access tokens to null before calling the Firebase Android SDK, matching the documented API for Credential Manager flows.

Reference: GoogleAuthProvider.getCredential — both parameters are @Nullable; Authenticate with Google on Android shows GoogleAuthProvider.getCredential(idToken, null) for id-token-only sign-in.

Related issues

Release Summary

Fix Android Google sign-in when using id-token-only credentials from Credential Manager (no access token).

Checklist

  • I read the Contributor Guide and followed the process outlined there for submitting PRs.
    • Yes
  • My change supports the following platforms;
    • Android
    • iOS
    • Other (macOS, web)
  • My change includes tests;
    • e2e tests added or updated in packages/**/e2e
    • jest tests added or updated in packages/**/__tests__
  • I have updated TypeScript types that are affected by my change.
  • This is a breaking change;
    • Yes
    • No

Test Plan

  • yarn tests:jest --watchman=false packages/auth/__tests__/ — 104 tests pass
  • yarn lint:js — pass
  • Android e2e: auth provider credential tests pass, including native signInWithCredential for id-token-only Google credentials (no accessToken cannot be empty)

@gemini-code-assist

Copy link
Copy Markdown
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses an issue where Google sign-in flows using Android Credential Manager (which provide an ID token without an access token) were failing on the native Android bridge. By ensuring that empty access tokens are explicitly converted to null before being passed to the Firebase Android SDK, the change aligns the implementation with the expected API behavior for id-token-only authentication.

Highlights

  • Android Credential Manager Compatibility: Updated the Android native bridge to correctly handle id-token-only Google sign-in flows by mapping empty or null access tokens to null, satisfying Firebase Android SDK requirements.
  • Test Coverage: Added comprehensive unit and E2E tests to verify that GoogleAuthProvider correctly processes id-token-only credentials and avoids 'accessToken cannot be empty' errors on Android.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces support for Google ID-token-only credentials by mapping empty access tokens to null on Android, preventing the native Firebase SDK from rejecting them, and adds corresponding unit and E2E tests. However, the current implementation breaks the access-token-only flow because an empty ID token (authToken) is still passed as an empty string instead of null. To resolve this, both empty ID tokens and empty access tokens should be mapped to null before calling the native SDK.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

@mikehardy mikehardy force-pushed the fix/issue9081 branch 2 times, most recently from 40ac29a to 0adf550 Compare July 2, 2026 00:21
@codecov

codecov Bot commented Jul 2, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 58.77%. Comparing base (a4b3407) to head (9410949).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #9082      +/-   ##
==========================================
+ Coverage   58.72%   58.77%   +0.05%     
==========================================
  Files         333      333              
  Lines       24985    24985              
  Branches     4149     4149              
==========================================
+ Hits        14671    14682      +11     
+ Misses       9577     9568       -9     
+ Partials      737      735       -2     
Flag Coverage Δ
android-native 42.59% <ø> (-0.05%) ⬇️
e2e-ts-android 42.59% <ø> (-0.05%) ⬇️
e2e-ts-ios 51.91% <ø> (+0.09%) ⬆️
e2e-ts-macos 41.29% <ø> (ø)
ios-native 51.91% <ø> (+0.09%) ⬆️
jest 46.27% <ø> (+0.06%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@mikehardy

Copy link
Copy Markdown
Collaborator Author

tiny fix, I've looked at it pretty deeply and it's been through 2 adversarial reviews at this point - going to merge

@mikehardy mikehardy merged commit 2776d1b into main Jul 2, 2026
22 checks passed
@mikehardy mikehardy deleted the fix/issue9081 branch July 2, 2026 01:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[🐛] GoogleAuthProvider.credential fails on Android when idToken is present and accessToken is null

1 participant