How to sign an Azure AD user into Firebase in a Flutter mobile app?

For a Flutter mobile app I am trying to use a Microsoft OAuthProvider to get a Firebase credential with which to sign the user into Firebase with their Azure AD account.

The closest I got was using a third party Active Directory auth package to log the user in and get an access token. However the sign-in to Firebase fails with an error message that suggests the idToken is invalid.

final AadOAuth oauth = new AadOAuth(config);
await oauth.login();

// accessToken looks legit
String accessToken = await oauth.getAccessToken();

String idToken = await oauth.getIdToken();

OAuthProvider provider = OAuthProvider('microsoft.com');

// Also tried the constructor without the idToken
OAuthCredential credential = provider.credential(accessToken: accessToken, idToken: idToken);

// app fails here:
await FirebaseAuth.instance.signInWithCredential(credential);

// this works fine, but only on web platform:
await FirebaseAuth.instance.signInWithPopup(provider);

Because it is a platform specific error (iOS in this case), the exception details are not surfaced. All I get is:

PlatformException(internal-error, ) nativeErrorCode: 17999

Here are my app settings in the Azure portal:

[Screenshot]

Full manifest here

Has anyone been successful in using Microsoft Auth to sign a user in to Firebase in a Flutter mobile app?

You can use the Firebase Auth OAuth package for it.

And sign in to Firebase using the Microsoft Auth provider.

User user = await FirebaseAuthOAuth().openSignInFlow(
  "microsoft.com", ["email openid"], {'tenant': 'your-tenant-id'});

This integrates nicely with Firebase, so Firebase authStateChange also works with this method.

If you are just not receiving the idToken, verify that you have added id_token to the response_type and also the openid scope, like:

provider.addScope('openid');

Also check whether you have allowed implicit flow with ID token in the Azure portal app settings (you should check ID tokens on the Authentication tab under the Implicit grant section).

OK, then have you added Microsoft as an authentication provider on the Sign-in method page of the Firebase authentication configuration? And have you also tried to authenticate with Auth after the getCredentials method, as stated in the documentation?

provider.getCredentialWith(nil) { credential, error in
  if error != nil {
    // Handle error.
  }
  if credential != nil {
    Auth().signIn(with: credential) { authResult, error in
      if error != nil {
        // Handle error.
      }
      // User is signed in.
      // IdP data available in authResult.additionalUserInfo.profile.
      // OAuth access token can also be retrieved:
      // authResult.credential.accessToken
      // OAuth ID token can also be retrieved:
      // authResult.credential.idToken
    }
  }
}

The Firebase authentication package has a method called signInWithPopup, so you don't need firebase_auth_oauth anymore. Here is my code:

Future<UserCredential?> loginWithMicrosoft() async {
  OAuthProvider provider = OAuthProvider('microsoft.com');
  provider.setCustomParameters({
    "tenant": "your-tenant-id",
  });
  provider.addScope('user.read');
  provider.addScope('profile');
  try {
    final userCredential = await FirebaseAuth.instance.signInWithPopup(provider);
    return userCredential;
  } on FirebaseAuthException catch(err) {
    debugPrint(err.message);
    // Handle FirebaseAuthExceptions
    // ex: firebase_auth/account-exists-with-different-credential
  }
}

Remember to add the redirect URI and enable the scopes in the Azure Portal.
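
A diagnostic for the "idToken is invalid" error in the question, as an added example that is not part of the original posts: it decodes the ID token's claims and compares them with the app registration. The function names, the constructed sample token and the `your-client-id` / `your-tenant-id` placeholders are assumptions.

```dart
import 'dart:convert';

// Decodes a JWT payload WITHOUT verifying the signature: a debugging aid
// only, never a basis for trusting the token.
Map<String, dynamic> decodeJwtPayload(String jwt) {
  final parts = jwt.split('.');
  if (parts.length != 3) {
    throw const FormatException('expected header.payload.signature');
  }
  final json = utf8.decode(base64Url.decode(base64Url.normalize(parts[1])));
  return jsonDecode(json) as Map<String, dynamic>;
}

// Lists mismatches between the claims and the app registration
// (hypothetical helper; clientId and tenantId come from the Azure portal).
List<String> checkIdTokenClaims(Map<String, dynamic> claims,
    {required String clientId, required String tenantId, DateTime? now}) {
  final problems = <String>[];
  final nowSec = (now ?? DateTime.now()).millisecondsSinceEpoch ~/ 1000;
  final aud = claims['aud'], tid = claims['tid'];
  final iss = claims['iss'], exp = claims['exp'];
  if (aud != clientId) problems.add('aud is $aud, expected $clientId');
  if (tid != tenantId) problems.add('tid is $tid, expected $tenantId');
  if (iss is! String || !iss.contains(tenantId)) {
    problems.add('iss $iss does not name tenant $tenantId');
  }
  if (exp is! num || exp <= nowSec) problems.add('exp missing or in the past');
  return problems;
}

void main() {
  // Constructed sample token (placeholder IDs, fake signature).
  String seg(Map<String, dynamic> m) =>
      base64Url.encode(utf8.encode(jsonEncode(m))).replaceAll('=', '');
  final token = [
    seg({'alg': 'RS256', 'typ': 'JWT'}),
    seg({
      'aud': 'some-other-client-id',
      'tid': 'your-tenant-id',
      'iss': 'https://login.microsoftonline.com/your-tenant-id/v2.0',
      'exp': 1700003600,
    }),
    'constructed-signature',
  ].join('.');
  final problems = checkIdTokenClaims(decodeJwtPayload(token),
      clientId: 'your-client-id',
      tenantId: 'your-tenant-id',
      now: DateTime.fromMillisecondsSinceEpoch(1700000000 * 1000, isUtc: true));
  problems.forEach(print);
}
```

Keep raw tokens out of logs and crash reports; print only the list of mismatches.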
