Description
Operating System: macOS 15.1
Environment (if applicable): Chrome 137
Firebase SDK Version: 11.9.1
Firebase SDK Product(s): Auth
Project Tooling: Angular 19 with Webpack
Detailed Problem Description
I have configured Firebase Authentication with a generic OIDC provider (Keycloak) using the Implicit flow. The authentication flow works perfectly when the application is hosted on its primary Firebase domain (firebaseapp.com). However, when the exact same application is hosted on a secondary domain (domain-b.com), the flow fails to complete. Both domains are correctly listed in the "Authorized Domains" section of the Firebase console.
The key symptom is that after a successful login at the IdP, the user is correctly redirected to the Firebase auth handler (https://[YOUR_PROJECT_ID].firebaseapp.com/__/auth/handler). However, the final redirect from the Firebase handler back to my application on the secondary domain never occurs. Consequently, the getRedirectResult() promise in the client-side code never resolves with a user credential, and the sign-in process silently fails. If I watch the browser console I can see the signInWithIdp endpoint only with the primary domain, and none with the others.
Expected behavior:
When the flow is initiated from secondary-app.com, after successful authentication at the IdP, the Firebase __/auth/handler service should correctly redirect the user back to the originating domain (secondary-app.com). The getRedirectResult() promise in the client application should then resolve with the UserCredential object and the signInWithIdp call should be executed.
Actual behavior:
The flow breaks after the redirect to the Firebase __/auth/handler. There is a redirect back to the application on the secondary domain. The getRedirectResult() promise returns a null user and credentials, and signInWithIdp is not executed. The process fails silently from the client's perspective.
This is the standard code used in the application on both domains.
```js
import { getAuth, OAuthProvider, signInWithRedirect, getRedirectResult } from "firebase/auth";

// The Firebase app is initialized elsewhere (initializeApp with the project config);
// getAuth() returns the Auth instance bound to that default app.
const auth = getAuth();

// Function to start the login
function login() {
  const provider = new OAuthProvider("oidc.my-keycloak-provider"); // Provider ID from Firebase Console
  signInWithRedirect(auth, provider);
}

// Code executed on page load to handle the redirect
getRedirectResult(auth)
  .then((result) => {
    if (result) {
      // This block is NEVER reached when the flow starts from the secondary domain
      console.log("Sign-in successful!", result.user);
      const credential = OAuthProvider.credentialFromResult(result);
      // ...
    }
  })
  .catch((error) => {
    // This block is also not reached
    console.error("Error during redirect result:", error);
  });
```
Steps and code to reproduce issue
1. Configure Firebase Auth:
   - Set up a generic OIDC provider (Keycloak).
   - In Firebase Console -> Authentication -> Settings -> Authorized Domains, add two different domains: primary-app.com and secondary-app.com.
2. Configure OIDC Provider (Keycloak):
   - Create a client with the "Implicit Flow" enabled.
   - Set the only "Valid Redirect URI" to the Firebase callback URL: https://[YOUR_PROJECT_ID].firebaseapp.com/__/auth/handler.
   - Configure the client as "public".
   - In the Firebase console, configure the OIDC provider with the correct Issuer URL, Client ID, and Client Secret.
3. Deploy Application:
   - Deploy the same Firebase web application to both https://primary-app.com and https://secondary-app.com. The application code uses signInWithRedirect to initiate the flow and getRedirectResult to handle the result, as shown below.
4. Execute and Observe:
   - On primary-app.com: Initiate the sign-in flow. The user authenticates with Keycloak and is successfully redirected back to primary-app.com, and getRedirectResult() resolves correctly. The user is logged in. I can see the "signInWithIdp" endpoint in the browser network tab.
   - On secondary-app.com: Initiate the sign-in flow. The user authenticates with Keycloak. The browser's network tab shows a 302 redirect from Keycloak to https://[YOUR_PROJECT_ID].firebaseapp.com/__/auth/handler. After this, the flow stops. The browser either stays on a blank page or is redirected to the application's root on secondary-app.com without a valid session. getRedirectResult() never resolves, and no error is caught. I can't see the "signInWithIdp" endpoint in the browser network tab.
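The report's core difficulty is that the failure is silent: `getRedirectResult()` either resolves with `null` or never settles, and nothing tells the client which of the two happened or whether the origin it runs on is even eligible for the redirect round trip. The following is an added diagnostic, not code from the issue or from the Firebase SDK. It assumes the setup described above (an `authDomain` on firebaseapp.com, two custom app domains in Authorized Domains); the project id, domain names and `uid` values are constructed placeholders. The cross-site warning encodes the caveat documented by Firebase for `signInWithRedirect`: when `authDomain` is a different site than the page, the handler's round trip depends on the browser allowing cross-site storage, and Firebase recommends serving `authDomain` from the app's own domain (proxying `/__/auth/*`). `completeRedirect` takes the `getRedirectResult` function as a parameter so it can be exercised without the SDK.

```javascript
// Added diagnostics for the signInWithRedirect / getRedirectResult flow in the
// report. Not part of the issue or of the Firebase SDK. Depends only on the URL
// API and Promises, so it runs unchanged in the browser and in Node.

// Constructed sample values mirroring the report's setup (placeholder project id).
const SAMPLE_AUTH_DOMAIN = 'my-project.firebaseapp.com';
const SAMPLE_AUTHORIZED_DOMAINS = ['primary-app.com', 'secondary-app.com', SAMPLE_AUTH_DOMAIN];

// The handler URL the IdP must be allowed to redirect to, as given in the report.
function authHandlerUrl(authDomain) {
  return `https://${authDomain}/__/auth/handler`;
}

// Pre-flight checks a client can run before calling signInWithRedirect.
// Returns an array of findings; an empty array means nothing was detected.
function diagnoseRedirectSetup({ authDomain, authorizedDomains, appOrigin }) {
  const findings = [];
  const app = new URL(appOrigin);
  const appHost = app.hostname.toLowerCase();
  const allowed = authorizedDomains.map((d) => d.toLowerCase());

  if (!allowed.includes(appHost)) {
    findings.push({
      level: 'error',
      code: 'not-authorized-domain',
      detail: `${appHost} is missing from Authentication -> Settings -> Authorized Domains`,
    });
  }
  if (app.protocol !== 'https:' && appHost !== 'localhost') {
    findings.push({
      level: 'error',
      code: 'insecure-origin',
      detail: `redirect sign-in requires https; the app is served over ${app.protocol}`,
    });
  }
  if (authDomain.toLowerCase() !== appHost) {
    // Documented Firebase caveat: with authDomain on a different site than the
    // app, the handler round trip relies on cross-site storage access, which
    // browsers increasingly restrict; the result can then be lost silently.
    findings.push({
      level: 'warn',
      code: 'cross-site-auth-domain',
      detail: `authDomain ${authDomain} differs from app host ${appHost}; ` +
        'the redirect result may be lost if third-party storage is blocked',
    });
  }
  return findings;
}

// Wraps getRedirectResult so a silent failure becomes observable. Distinguishes
// "signed-in", "no-redirect" (resolved with null), "error" and "timeout"
// (the promise never settled within timeoutMs).
function completeRedirect(getRedirectResultFn, auth, timeoutMs = 10000) {
  let timer;
  const timeout = new Promise((resolve) => {
    timer = setTimeout(() => resolve({ status: 'timeout' }), timeoutMs);
  });
  const result = Promise.resolve()
    .then(() => getRedirectResultFn(auth))
    .then(
      (r) => (r ? { status: 'signed-in', uid: r.user.uid } : { status: 'no-redirect' }),
      (e) => ({ status: 'error', code: e && e.code })
    );
  return Promise.race([result, timeout]).finally(() => clearTimeout(timer));
}

// Browser usage, with getRedirectResult and auth imported from firebase/auth:
//   console.table(diagnoseRedirectSetup({ authDomain: firebaseConfig.authDomain,
//     authorizedDomains: SAMPLE_AUTHORIZED_DOMAINS, appOrigin: location.origin }));
//   completeRedirect(getRedirectResult, auth).then((outcome) => console.log(outcome));
```

Run the pre-flight check once at startup and log the outcome of `completeRedirect` next to it: a `cross-site-auth-domain` warning together with a `no-redirect` or `timeout` outcome on the secondary domain, but `signed-in` on the primary one, is the pattern the report describes and points at the handler round trip rather than at the IdP.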