This document shows you how to use Identity Platform to sign in users with an OpenID Connect (OIDC) provider.
Before you begin
-
Sign in to your Google Account.
If you don't already have one, sign up for a new account.
-
In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.
- Enable Identity Platform, and add the Client SDK to your app. See the Quickstart to learn how.
Configuring the provider
Go to the Identity Providers page in the Cloud Console.
Go to the Identity Providers pageClick Add a Provider, and select OpenID Connect from the list.
Enter the following details:
The Name of the provider. This can be the same as the provider ID, or a custom name. If you enter a custom name, click Edit next to Provider ID to specify the ID (which must begin with
oidc.
).The provider's Client ID.
The provider's Issuer. This should look something like
https://example.com.
Identity Platform uses this URL to locate the OIDC discovery document (typically found at/.well-known/openid-configuration
), which specifies the provider's OAuth endpoints and public keys.
Add your app to the list of Authorized Domains. For example, if your app's sign-in URL is
https://example.com/login
, addexample.com
.Configure the Identity Platform callback URL as a redirect URL with your OIDC provider. The URL should look similar to
https://[PROJECT-ID]/__/auth/handler
.Click Save.
Signing in users
There are two ways to sign in users with OIDC:
Using an implicit OAuth flow. This approach completes the OAuth handshake for you.
Using the OIDC provider's ID token. This method assumes you already have an OIDC token available.
Signing in users with OAuth
To sign in using OAuth:
Create an
OAuthProvider
instance with the provider ID you configured in the previous section. The provider ID must start withoidc.
.const provider = new firebase.auth.OAuthProvider('oidc.myProvider');
Start the sign in flow. You can choose to either use a popup or a redirect.
Popup
To show a popup, call
signInWithPopup()
:firebase.auth().signInWithPopup(provider) .then((result) => { // result.credential is a firebase.auth.OAuthCredential object. // result.credential.providerId is equal to 'oidc.myProvider'. // result.credential.idToken is the OIDC provider's ID token. }) .catch((error) => { // Handle error. });
Redirect
To redirect to a sign-in page, call
signInWithRedirect()
:firebase.auth().signInWithRedirect(provider) .catch((error) => { // Handle error. });
Then, call
getRedirectResult()
to get the results when the user returns to your app:// On return. firebase.auth().getRedirectResult() .then((result) => { // result.credential is a firebase.auth.OAuthCredential object. // result.credential.providerId is equal to 'oidc.myProvider'. // result.credential.idToken is the OIDC provider's ID token. }) .catch((error) => { // Handle error. });
At the conclusion of either flow, you can get the OIDC ID token using the
result.credential.idToken
field.
Signing in users directly
To sign a user in with an OIDC ID token directly:
Initialize an
OAuthProvider
instance with the provider ID you configured in the previous section. The provider ID must start withoidc.
. Then, create anOAuthCredential
:const provider = new firebase.auth.OAuthProvider('oidc.myProvider'); const credential = provider.credential(oidcIdToken, null);
Call
signInWithCredential()
to sign the user in:firebase.auth().signInWithCredential(credential) .then((result) => { // user now has a odic.myProvider UserInfo in providerData. }) .catch((error) => { // Handle error. });
Linking user accounts
If a user has already signed in to your app using a different method (such as
email/password), you can link their existing account to the OIDC provider using
linkWithPopup()
or linkWithRedirect()
.
For example:
const provider = new firebase.auth.OAuthProvider('oidc.myProvider');
// Link with a popup.
firebase.auth().currentUser.linkWithPopup(provider)
// currentUser.providerData now has an additional entry for this provider.
}).catch((error) => {
// Handle error.
});
Re-authenticating users
Certain sensitive operations, like updating a user's email or password, require
the user to have signed in recently. To sign a user in again, call
reauthenticateWithPopup()
or reauthenticateWithRedirect()
.
For example:
const provider = new firebase.auth.OAuthProvider('oidc.myProvider');
// Reauthenticate with a popup.
firebase.auth().currentUser.reauthenticateWithPopup(provider)
.then((result) => {
// Get the updated ID token.
return result.user.getIdTokenResult();
})
.then((idTokenResult) => {
// idTokenResult.authTime should be updated to reflect recent sign-in status.
// idTokenResult.token has the latest ID token.
})
.catch((error) => {
// Handle error.
});
What's next
- Signing in users with SAML
- Showing a custom domain during sign in
- Managing OIDC and SAML providers programmatically