
I'm currently experimenting with Social Media Sign-in and have realised something slightly strange on how these logins are delivered which is stemming from the fact that my workplace, like most offices, blocks 3rd party cookies as a security policy.

Google Firebase Authentication uses 3rd party cookies and so if I try to use Firebase, I'm redirected to the Google page (as expected) but when I'm redirected back to the originating webpage after logging in (and Firebase tries to set cookies), I get an error saying "This browser is not supported or 3rd party cookies and data may be disabled."

However, MongoDB Stitch somehow works and I'm able to actually log in, even with 3rd party cookies disabled. I really can't seem to make sense of why that's the case but I'm hoping someone here can shed some light on it. If it helps, MongoDB Stitch asks that you set `https://stitch.mongodb.com` as Origin URI and `https://stitch.mongodb.com/api/client/v2.0/auth/callback` as Authorised Redirect URI in the Google Console - whilst you have to set up your own website URIs inside the MongoDB Console which I believe might be the difference?

In any case, MongoDB Stitch's documentation is severely deficient (thanks to it still being in Public Beta) so I would really like to go the Google Firebase way if at all possible.

  1. Does anyone know how MongoDB Stitch is able to bypass setting 3rd Party Cookies?
  2. How can I use Google Firebase Authentication whilst 3rd Party Cookies are disabled?
  • Whilst not a proper solution per se, Gigya have defined a workaround on the same topic of blocked 3rd party cookies: https://developers.gigya.com/display/GD/Blocked+Third-Party+Cookies – theRealTraveller Feb 13 '18 at 00:31

1 Answer

Have you tried using gapi.auth2, the Google sign-in library for JavaScript? Last time I checked, it worked with 3rd party cookies disabled. You can use it to obtain a Google ID token or access token and then sign in to Firebase:

```js
firebase.auth().signInWithCredential(firebase.auth.GoogleAuthProvider.credential(googleIdToken, googleAccessToken))...
```
bojeil
  • Thanks @bojeil - I did indeed successfully use `gapi.auth2` with 3rd party cookies disabled but do you know why that works but not the usual Firebase? It might sound like I'm obsessed with Firebase but only because if I'm using Google+Facebook+Twitter+Email, I really would like to avoid using four different libraries from four different providers: Use of something like FirebaseUI, AWS Cognito, or MongoDB Stitch means that I only have one library to worry about. Do you think using `gapi.auth2` and its equivalents is a necessary evil? – theRealTraveller Feb 14 '18 at 11:09
  • It is an implementation detail. Google sign in library uses other means to pass back the result to the original page. The majority of users do not disable 3rd party cookies as it breaks a lot of applications. This is an edge case. If you have an app that is catered to the type of users that disable 3rd party cookies, you'll have to rely on using the OAuth provider libraries. – bojeil Feb 14 '18 at 17:21
  • Ah, yeah - this makes sense: just for the sake of others who might be reading this answer, email/password registration works with Firebase Authentication even when 3rd party cookies are disabled so one way to implement this would be to let people use sign-in with Google if the 3rd party cookies are enabled or tell them to register through email/password if their 3rd party cookies are disabled: all achieved through FirebaseUI. – theRealTraveller Feb 15 '18 at 09:04
  • I tried the gapi.auth2 method but I got an error saying it won't init with 3rd party cookies disabled. It seems this too requires third party cookies to be enabled. Is it possible to use social signups on firebase with third party cookies disabled? – Norbert Mar 14 '19 at 16:00
  • It is not possible to use Firebase Auth popup/redirect flow with 3rd party cookies disabled. – bojeil Mar 21 '19 at 00:26
  • Is there another Firebase Auth way of signing in with Google, or is Firebase Auth fully incompatible with Google signing with 3rd party cookies disabled? I'm using Firebase for most auth. Is there a way to have a "Sign in with Google" button that works with Firebase and third party cookies disabled at all? What are the alternatives? – Norbert May 08 '19 at 19:34
  • @Norbert have you ever figured this out? – Ricky Levi Aug 31 '19 at 08:35
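
The flow from the answer (gapi.auth2 ID token handed to `signInWithCredential`), combined with the email/password fallback suggested in the comments for when the Google library cannot initialise, as an added example that is not part of the original posts. The function names and the returned object shape are assumptions; `gapi` and `firebase` are passed in as parameters so the logic can be exercised with stubs.

```javascript
// Added example, not code from the thread. In a page, `gapi` is the global
// from Google's platform library and `firebase` is the namespaced Firebase
// JS SDK; both are injected here so the flow can run against stubs.

// gapi.auth2.init() returns a thenable GoogleAuth object. Wrap it in a real
// Promise that resolves to nothing, so awaiting it never re-resolves the
// thenable itself.
function initGoogleAuth(gapi, clientId) {
  return new Promise((resolve, reject) => {
    gapi.load('auth2', () => {
      gapi.auth2.init({ client_id: clientId }).then(() => resolve(), reject);
    });
  });
}

// Resolves to { method: 'google', user } on success, or to
// { method: 'email-password', reason } when auth2 fails to initialise
// (the situation reported in the comments with 3rd party cookies disabled),
// so the caller can show the email/password form instead.
async function signInWithGoogleOrFallback(gapi, firebase, clientId) {
  try {
    await initGoogleAuth(gapi, clientId);
  } catch (err) {
    return { method: 'email-password', reason: (err && err.error) || String(err) };
  }
  const googleUser = await gapi.auth2.getAuthInstance().signIn();
  // `true` asks for the access token as well as the ID token.
  const { id_token: idToken, access_token: accessToken } =
    googleUser.getAuthResponse(true);
  if (!idToken) throw new Error('Google sign-in returned no ID token');
  const credential =
    firebase.auth.GoogleAuthProvider.credential(idToken, accessToken);
  const result = await firebase.auth().signInWithCredential(credential);
  // Newer SDKs resolve to a UserCredential, older ones to the user directly.
  return { method: 'google', user: result.user || result };
}
```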