signInWithRedirect with FacebookAuthProvider working in iOS but not in IPadOS

[arturomf]

[REQUIRED] Describe your environment

• Operating System version: iPadOS 15.5
• Browser version: Ionic 5 + Angular App
• Firebase SDK version: 9.8.2
• Firebase Product: auth

[REQUIRED] Describe the problem

When using signInWithRedirect method with FacebookAuthProvider, in iOS (iPhone) it's working as intended, but in IPadOS (on iPad) it throws error:

Firebase: This domain is not authorized for OAuth operations for your Firebase project. Edit the list of authorized domains from the Firebase console. (auth/unauthorized-domain).

Steps to reproduce:

Simply try to use the code from https://firebase.google.com/docs/auth/web/cordova with FacebookAuthProvider in cordova App.

Relevant Code:

private async loginWithFacebookNative() {
    const auth = getAuth();
    const provider = new FacebookAuthProvider();
    return signInWithRedirect(auth, provider).then((res) => {
      return getRedirectResult(auth)
    }).then((result) => {
      const credential = FacebookAuthProvider.credentialFromResult(result);
      return result;
    }).catch((error: FirebaseError) => {
      // Handle Errors here.
      console.log('ERROR', error.code);
      console.log('ERROR', error.message);
      console.log('ERROR', error.stack);
    });
  }

[sam-gc]

Hi @arturomf, thanks for filing this. To help us debug, would you please open the Safari remote debugging tools to determine if the redirect URL is the same for both the iPad and iPhone?

[google-oss-bot]

Hey @arturomf. We need more information to resolve this issue but there hasn't been an update in 5 weekdays. I'm marking the issue as stale and if there are no new updates in the next 5 days I will close it automatically.

If you have more information that will help us get to the bottom of this, just add a comment!

[google-oss-bot]

Since there haven't been any recent updates here, I am going to close this issue.

@arturomf if you're still experiencing this problem and want to continue the discussion just leave a comment here and we are happy to re-open this.

[arturomf]

I'm sorry for the delay, I've been on holiday. I have tested both iPhones and iPad. After the signInWithRedirect call, I can see in the Safari console an HTTP request:

iPhone:
https://identitytoolkit.googleapis.com/v1/projects?key=xxxxxxxxxxxxx&iosBundleId=org.changedyslexia.newdytective

iPad
https://identitytoolkit.googleapis.com/v1/projects?key=xxxxxxxxxxxxx

The HTTP request has a different user agent (I think, the problem is here):

iPhone:
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 15_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148

iPad:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148

On iPhone, after that request, I have another HTTP Request to:
https://identitytoolkit.googleapis.com/v1/accounts:signInWithIdp?key=xxxxxxxxxxxxxxxxxx

On iPad, I get the error.

[sam-gc]

Thanks @arturomf, this was super helpful. It appears the issue is that the iPad's user agent isn't tripping this function:

firebase-js-sdk/packages/auth/src/core/util/browser.ts

Lines 125 to 127 in d87d3a8

	export function _isIOS(ua = getUA()): boolean {
	return /iphone|ipad|ipod/i.test(ua);
	}

We'll need to do some investigating to see if there's a way to determin iPad from that user agent (we don't want to introduce false-positives). It looks like the only thing to go on would be AppleWebKit + Mobile but I'm not convinced that's a safe heuristic.

As an immediate fix, I believe in Cordova you can override the user agent (how depends on platform/version). If you update the user agent on iPad to include the string "iPad" the test linked above will work