
firebase-auth: add App Check token exchange for SafetyNet attestation #3602

Open
Meet-hybrid wants to merge 1 commit into microg:master from Meet-hybrid:fix/firebase-auth-app-check


@Meet-hybrid


This PR addresses an issue where Firebase Auth requests in GmsCore were being rejected with UNAUTHENTICATED / MISSING_APP_CHECK_TOKEN errors because they lacked the required X-Firebase-AppCheck header.

Changes Made

Constants.java: Added EXTRA_FIREBASE_APP_ID and EXTRA_PROJECT_NUMBER.

AppCheckTokenProvider.kt (New): Implemented token exchange and caching, utilizing SafetyNet attestation (DroidGuard + androidcheck API).

IdentityToolkitClient.kt: Updated to accept AppCheckTokenProvider, refresh the token before requests, and inject the X-Firebase-AppCheck header.

FirebaseAuthService.kt: Modified to parse new extras and pass them to FirebaseAuthServiceImpl.

firebase-auth/core/build.gradle: Added necessary dependencies: play-services-safetynet-core, play-services-droidguard, play-services-droidguard-core, and play-services-tasks-ktx.

Architecture
The AppCheckTokenProvider operates within FirebaseAuthServiceImpl. It manages caching, performs SafetyNet attestation, exchanges JWS for an App Check token via firebaseappcheck.googleapis.com, and injects the required header. If SafetyNet/DroidGuard is disabled or identifiers are missing, the implementation falls back gracefully by returning null.

Add AppCheckTokenProvider that performs SafetyNet attestation via
DroidGuard and exchanges the JWS for a Firebase App Check token at
firebaseappcheck.googleapis.com. Inject the token as the
X-Firebase-AppCheck header in all Identity Toolkit API requests.

Previously, IdentityToolkitClient sent requests without App Check
headers, causing UNAUTHENTICATED rejections from Firebase projects
with App Check enforcement enabled (e.g. com.ridedott.rider).

Includes EXTRA_FIREBASE_APP_ID and EXTRA_PROJECT_NUMBER constants
for the AIDL service binding to provide the required identifiers.
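
The caching, refresh and null-fallback behaviour described in the Architecture paragraph, as an added Kotlin example that is not code from this pull request. `CachingAppCheckProvider`, `identityToolkitHeaders`, the 60-second refresh skew and the per-app cache key are assumptions, and attestation and the token exchange are injected stand-ins rather than real SafetyNet or network calls.

```kotlin
// Added illustration, not code from the pull request; every name below is hypothetical.
data class AppCheckToken(val value: String, val expiresAtMs: Long)

class CachingAppCheckProvider(
    private val attest: () -> String?,   // stand-in for SafetyNet/DroidGuard; null when disabled
    private val exchange: (jws: String, appId: String, projectNumber: String) -> AppCheckToken?,
    private val now: () -> Long = { System.currentTimeMillis() },
    private val skewMs: Long = 60_000L   // assumed margin: refresh this long before expiry
) {
    private val cache = HashMap<String, AppCheckToken>()

    /** Returns a token for this app and project, or null when none can be obtained. */
    @Synchronized
    fun getToken(appId: String?, projectNumber: String?): String? {
        val app = appId?.takeIf { it.isNotEmpty() } ?: return null          // identifiers missing
        val project = projectNumber?.takeIf { it.isNotEmpty() } ?: return null
        val key = "$project/$app"        // a token is never reused across apps or projects
        cache[key]?.takeIf { it.expiresAtMs - skewMs > now() }?.let { return it.value }
        cache.remove(key)                // expired or inside the refresh window
        val jws = attest() ?: return null
        val fresh = exchange(jws, app, project) ?: return null
        if (fresh.expiresAtMs - skewMs <= now()) return null   // too short-lived to send or cache
        cache[key] = fresh
        return fresh.value
    }
}

// Builds request headers; the App Check header is added only when a token is available.
fun identityToolkitHeaders(
    provider: CachingAppCheckProvider, appId: String?, projectNumber: String?
): Map<String, String> {
    val headers = mutableMapOf("Content-Type" to "application/json")
    provider.getToken(appId, projectNumber)?.let { headers["X-Firebase-AppCheck"] = it }
    return headers
}

fun main() {
    var clock = 0L
    var attestations = 0
    val appId = "1:000000000000:android:constructed"   // constructed identifiers
    val project = "000000000000"
    val provider = CachingAppCheckProvider(
        attest = { attestations++; "constructed.jws.value" },
        exchange = { _, id, _ -> AppCheckToken("constructed-token-$attestations-$id", clock + 3_600_000L) },
        now = { clock })
    println(identityToolkitHeaders(provider, appId, project))  // first request attests and exchanges
    identityToolkitHeaders(provider, appId, project)           // second request is served from cache
    clock += 3_600_000L - 30_000L                              // move inside the refresh window
    identityToolkitHeaders(provider, appId, project)           // forces a new attestation
    println("attestations performed: $attestations")
    println(identityToolkitHeaders(provider, appId, null))     // identifiers missing: header omitted
}
```

When the provider returns null the request goes out without `X-Firebase-AppCheck`, so a project with App Check enforcement enabled still rejects it; the fallback only keeps non-enforcing projects working.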