Flutter phone authentication with play integrity api.

[salman0017]

Flutter phone authentication not working since safety net device verification is deprecated.

For the new projects created after January safety net option not available we must use play integrity api.

1. Enabled play integrity api from firebase project.
2. Linked Firebase project as suggested here https://firebase.google.com/docs/app-check/android/play-integrity-provider.
3. enabled play integrity from flutter code as suggested here https://firebase.google.com/docs/app-check/flutter/default-providers

still its redirecting to browser page asking us to verify app with reCAPTCHA.

in the browser page im getting this error: 'Unable to process request due to missing initial state. This may happen if browser sessionStorage is inaccessible or accidentally cleared.'

when we press back I'm getting 'Missing client identifier error'

[Technorocker]

I too am getting this error and cant figure out why.

I have setup Play integrity in google cloud and link myproject, also using the debug token thats given from the app and registered it inside the project.

[harshanacz]

Did you find any solution for it?

[luckyhandler]

There's an ongoing incident on this topic
https://status.firebase.google.com/incidents/UY1LTFan8X5oybhphzfV

Does this mean that phone authentication on Android is currently not working? If yes, I don't understand why this is not considered high priority. The Device Verification API cannot be activated any longer and the new setup doesn't work. Or are we missing anything?

[luckyhandler]

I had to remove the "Android apps" restriction from my Android API key --> now at least the reCAPTCHA flow works!

[luckyhandler]

As of today the Play Integrity API is working again and the app doesn't go into the reCAPTCHA flow any more but uses the primary one.

[Daquiver1]

Can you show me how you implemented it? I've followed the docs and made all the changes but whenever a user logs in, it initiates the web recaptcha flow. Spent hours on it and don't know what to do right now.

[nohe427]

Thanks for reporting this issue. I believe that there are potentially a few instances where the fallback to reCAPTCHA could occur:

1. The wrong version of firebase_auth is used. firebase_auth version 4.4.0 is the first version to support Play Integrity API for SMS verification.
2. You only have a SHA-1 certificate fingerprint registered in the Firebase console. You will need to have the SHA-256 fingerprint certificate registered.
3. You have the wrong certificate registered. You may have accidentally used your upload certificate rather than the Google Play Signing certificate. You can validate that the Google Play Signing certificate is registered by visiting the Google Play Console, selecting your application, and then in the right hand bar, under Setup, selecting App Integrity. Then in the main window, select App signing and validate that your App signing key certificate (SHA-256 and SHA-1) are registered in the Firebase console. You can also use Peter’s Asset Link Tool to validate that the app deployed on your device is using the right fingerprint as well. This video, while a little outdated and targeted for a web audience, can help you find where in the console to grab your SHA-256 fingerprint.
4. You deployed straight to your phone rather than downloaded the app from the Play Store. The app needs to come from the Play Store on a real device for Play Integrity API to be used. Otherwise, it may fall back to reCAPTCHA.
5. You may have exhausted your daily quota of 10,000 API calls per day. If so, you can request a lift on the limit.

A few other notes:

• App Check is not required to be set up on the device. Play Integrity API is baked into the firebase_auth package and no additional client setup is required (other than registering certificate fingerprints from the Google Play Console, etc..).
• Off play flows are not supported - you must download the app from Google Play and be running on a real device for this to work.
• You must register the Google Play Signing Certificate if your app uses Play Signing (unless you were published prior to August 2021 and didn’t upgrade to Play Signing, you likely are using Play Signing).
• Also, ensure you are running the latest version of Google Play services.

@luckyhandler - Phone authentication is still working on Flutter Android and Android. Phone authentication is falling back to reCaptcha for attestation rather than using the Play Integrity API.

If you are unable to get the reCaptcha flow working as well, visit this comment which provides some additional troubleshooting and validation steps to ensure that your app is able to at least fallback to reCaptcha while Play Integrity is being restored as the client verification method.

[luckyhandler]

Hey @AndrewTran2018 It's the key you use in your google-services.json file and which is defined under api_key. You can find it at https://console.cloud.google.com/apis/credentials under API Keys

[AndrewTran2018]

Hey @AndrewTran2018 It's the key you use in your google-services.json file and which is defined under api_key. You can find it at https://console.cloud.google.com/apis/credentials under API Keys

Thank, I saw it. Do I need to activate to begin integrating PlayIntegrity with 300 bucks credit? @luckyhandler

[nohe427]

Hey @AndrewTran2018 It's the key you use in your google-services.json file and which is defined under api_key. You can find it at https://console.cloud.google.com/apis/credentials under API Keys

Thank, I saw it. Do I need to activate to begin integrating PlayIntegrity with 300 bucks credit? @luckyhandler

If you are still seeing the reCaptcha page, it's due to play integrity not being set as the client verification method. This is expected behavior at the moment due to https://status.firebase.google.com/incidents/UY1LTFan8X5oybhphzfV and potentially not having a Google play deployed app.

Removing api key restrictions is for if reCaptcha appears but no sms message is sent. Are you still getting sms messages?

[AndrewTran2018]

Hey @AndrewTran2018 It's the key you use in your google-services.json file and which is defined under api_key. You can find it at https://console.cloud.google.com/apis/credentials under API Keys

Thank, I saw it. Do I need to activate to begin integrating PlayIntegrity with 300 bucks credit? @luckyhandler

If you are still seeing the reCaptcha page, it's due to play integrity not being set as the client verification method. This is expected behavior at the moment due to https://status.firebase.google.com/incidents/UY1LTFan8X5oybhphzfV and potentially not having a Google play deployed app.

Removing api key restrictions is for if reCaptcha appears but no sms message is sent. Are you still getting sms messages?

Yes, I still receive sms messages on device. However, it took so long.

[AndrewTran2018]

Hey @AndrewTran2018 It's the key you use in your google-services.json file and which is defined under api_key. You can find it at https://console.cloud.google.com/apis/credentials under API Keys

Thank, I saw it. Do I need to activate to begin integrating PlayIntegrity with 300 bucks credit? @luckyhandler

If you are still seeing the reCaptcha page, it's due to play integrity not being set as the client verification method. This is expected behavior at the moment due to https://status.firebase.google.com/incidents/UY1LTFan8X5oybhphzfV and potentially not having a Google play deployed app.

Removing api key restrictions is for if reCaptcha appears but no sms message is sent. Are you still getting sms messages?

And yes, the reCatcha page appeared @nohe427

[AndrewTran2018]

It is clearly that at present Play Integrity migration is a big hurt for developers, so the deadline of Play Store is ridiculous.

[AndrewTran2018]

It is clearly that at present Play Integrity migration is a big hurt for developers, so the deadline of Play Store is ridiculous.

@nohe427
Do you have any suggestion? After several times of login on device, I received device blocking messages from Google. Really tired.

[AndrewTran2018]

@luckyhandler Should I roll back to using SafetyNet until the problem is fixed?

[luckyhandler]

@AndrewTran2018 I don't know what you mean by rolling back, but if you deactivated the "Device Verification API" - like me - it's a point of no return. You will have to wait until the bug is fixed.

[AndrewTran2018]

Device Verification API"

I only found "[Google Play Integrity API]" in GCC, is that a replacement of "Device Verification API" being deprecated?
@luckyhandler

[Patryk999]

I have problem related to this issue. Captcha flow works locally but it looks like it doesn't work on Google Play app version.
Followed all steps listed by @nohe427, configured SHA-1 properly and doesn't have restriction for Android API key.
It looks like the app is not even opening the browser.
Do you have any suggestion what might be missing?

[nohe427]

Do you have the sha-256 cert fingerprint from the play console added to firebase?

[Patryk999]

Do you have the sha-256 cert fingerprint from the play console added to firebase?

Yes, both sha-256 and sha-1.

[AndrewTran2018]

I have problem related to this issue. Captcha flow works locally but it looks like it doesn't work on Google Play app version. Followed all steps listed by @nohe427, configured SHA-1 properly and doesn't have restriction for Android API key. It looks like the app is not even opening the browser. Do you have any suggestion what might be missing?

Mine exactly the same, even only AndroidProvider.debug works on emulator. Following ...

[nohe427]

Do you have the sha-256 cert fingerprint from the play console added to firebase?

Yes, both sha-256 and sha-1.

What does log cat give you for information? What version of firebase_auth and firebase_core are running on the Play Store version?

[AndrewTran2018]

@nohe427 @luckyhandler Please help check the steps I did to integrate Play Integrity:

1. Enable Play Integrity API in GCC, link the project in Play Store Console,
2. Registering it in Firebase Console.
3. Add code in the guide and now only AndroidProvider.debug works with reCaptchar fallback on emulator.

Many thanks.

[nohe427]

3. the guide

AppCheck and Auth are two different things. The guide you sent is for AppCheck, so that may be where you are getting stuck.

Based on only getting reCaptcha flow working on emulators, it sounds like you did not register the Play Store SHA 256 and SHA 1 keys, but may have only registered your SHA256 key from the Play Store. This guide should help with validating your setup : #10593 (comment)

[AndrewTran2018]

3. the guide

AppCheck and Auth are two different things. The guide you sent is for AppCheck, so that may be where you are getting stuck.

Based on only getting reCaptcha flow working on emulators, it sounds like you did not register the Play Store SHA 256 and SHA 1 keys, but may have only registered your SHA256 key from the Play Store. This guide should help with validating your setup : #10593 (comment)

Nope! I did all of these things already. I did not mention the configuration in the prev post because it is de facto. Everything is correct. This morning, the SMS message finally arrived my phone after almost an hour., and of course expired already. Check out the attached screen. It is the problem of Google and many developers have to suffer. @nohe427

[nohe427]

@AndrewTran2018 - Which region are you in and which region is your project located in? Can you confirm that you have tried the SMS OTP flow in a different physical location to ensure its not due to cell reception?

[AndrewTran2018]

This morning, first time ever, the OTP sms came in time and the authentication process ran as designed. It seems the problem gets fixed. @nohe427

[nohe427]

This morning, first time ever, the OTP sms came in time and the authentication process ran as designed. It seems the problem gets fixed. @nohe427

Yes, I posted an update in the other thread
Glad to hear it's working for you now

[liuzs0666]

We get impacted by this bug. Double checked the SHA256 and SHA1 key matches my local APK and the one on Play Store console.

More importantly, our clients have reported that reCaptcha also fails for them. In the popup web page, it says:

Unable to process request due to missing initial state. This may happen if browser sessionStorage is inaccessible or accidentally cleared.

Please help! This is blocking the normal user flow.

[Daquiver1]

From reading the issue, I'm assuming that play integrity requires the app to be on the play store, but If that's the case then how can I use it if I'm still in the production stage?
From the flutter firebase docs, they suggested that I use AndroidProvider.Debug for the development stage, but when I do that and turn on app check enforcement, all my requests get blocked with the message Invalid token.
And I've confirmed that I'm using the right sha-256.

[nohe427]

For pre-production, the recommendation is to use fictional numbers. The AndroidProvider.Debug is for AppCheck, not for Phone Authentication.

[EngrTAHAR-Noureddine]

Hello everyone! I wanted to share the solution I found for a problem I was facing. Initially, I hadn't restricted the API key for Google Cloud of Firebase, specifically the Android API key. I did this to test if Firebase Auth was functioning correctly. After confirming that Firebase phone authentication was working fine, I proceeded to restrict the API key by using the app signing key from the Google Console and the SHA-1 from my Android Studio for debugging purposes. Hence, the issue I was encountering did not relate to AppCheck or activating Android device verification. The key point was to ensure that the Firebase API key was restricted in a manner similar to the API key used by Google Cloud. I'm grateful for this forum, which provided me with the necessary solutions and hints. Thank you!