1

I'm trying to enable multifactor auth in my Flutter project, which is only targeting the web platform. As I understand, the latest version of the FlutterFire SDK does not support MFA. This is why I'm trying to use the Google Identity Platform APIs to add the feature to my app.

I can already acquire a token from the REST API, but when passing it to the signInWithCustomToken() method, I always get this error: 'The custom token format is incorrect...'

Here is how I'm trying to sign a user in:

  1. Use http package to post to https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword
  2. Start MFA by posting to https://identitytoolkit.googleapis.com/v2/accounts/mfaSignIn:start
  3. Get the SMS verification code from the message sent to the user's phone number.
  4. Post to https://cloud.google.com/identity-platform/docs/reference/rest/v2/accounts.mfaSignIn/finalize with the SMS verification code.
  5. Get the idToken from the response body.
  6. Pass the acquired idToken to the FirebaseAuth.signInWithCustomToken() method.

Looking at this Firebase doc, it appears that the token I get from GIP REST API is formatted differently.

Is there anything I can do so that the Firebase SDK accepts the tokens I get from the Google Identity Platform REST API?

1 Answer

3

The Firebase signInWithCustomToken() method takes a token generated by the Admin SDK, not a Google Identity token.

Tokens returned by GCIP (Google Cloud Identity Platform) are the same Auth ID tokens used by Firebase. After calling finalizeMfa you have essentially signed into Firebase, and if you begin to use the SDK, you'll see that it works at this point without any conversion.

3
  • Does this mean that the FlutterFire SDK will automatically recognize that there is a signed in user, even if the sign in process took place using the REST APIs?
    – zepolyerf
    Commented Mar 22, 2021 at 17:56
  • If not, how can I let FlutterFire know that I have made the user sign in using the GCIP REST APIs? Is it even possible?
    – zepolyerf
    Commented Mar 22, 2021 at 18:15
  • Why would you do this instead of just using the SDK? Start with the use case you want to solve so we don't have to play merry-go-round :D See XY problem
    – Kato
    Commented Mar 23, 2021 at 17:02
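
The difference the answer describes shows up in the JWT claims. The following is an added example, not code from the question or the answer: it decodes a token's payload without verifying it and reports whether it has the claim layout of an Admin SDK custom token or of an Auth ID token. The claim layouts follow the Firebase token documentation; the function names, the project ID `demo-project`, the service account address and both sample tokens are constructed for illustration.

```dart
import 'dart:convert';

// Claim values documented for Firebase custom tokens and ID tokens.
const customTokenAudience = 'https://identitytoolkit.googleapis.com/'
    'google.identity.identitytoolkit.v1.IdentityToolkit';
const idTokenIssuerPrefix = 'https://securetoken.google.com/';

/// Decodes the payload segment of a JWT WITHOUT verifying the signature.
/// Diagnostic use only: unverified claims must never drive authorization.
Map<String, dynamic> decodeJwtPayload(String jwt) {
  final parts = jwt.split('.');
  if (parts.length != 3) {
    throw FormatException('expected 3 JWT segments, got ${parts.length}');
  }
  // JWT segments are unpadded base64url; normalize() restores the padding.
  final bytes = base64Url.decode(base64Url.normalize(parts[1]));
  final claims = json.decode(utf8.decode(bytes));
  if (claims is! Map<String, dynamic>) {
    throw const FormatException('JWT payload is not a JSON object');
  }
  return claims;
}

/// Returns 'custom', 'id' or 'unknown' from the iss/aud/uid claims.
String classifyFirebaseToken(String jwt) {
  final c = decodeJwtPayload(jwt);
  final iss = c['iss'], aud = c['aud'];
  // Custom token: fixed Identity Toolkit audience plus a top-level uid claim.
  if (aud == customTokenAudience && c['uid'] is String) return 'custom';
  // ID token: issuer is securetoken.google.com/<project>, audience is <project>.
  if (iss is String && iss.startsWith(idTokenIssuerPrefix) &&
      aud == iss.substring(idTokenIssuerPrefix.length)) return 'id';
  return 'unknown';
}

// Builds an unsigned sample token (constructed data, placeholder signature).
String sampleJwt(Map<String, dynamic> claims) {
  String seg(Object o) =>
      base64Url.encode(utf8.encode(json.encode(o))).replaceAll('=', '');
  final header = seg({'alg': 'RS256', 'typ': 'JWT'});
  return '$header.${seg(claims)}.c2ln';
}

void main() {
  const sa = 'svc@demo-project.iam.gserviceaccount.com'; // placeholder
  final idToken = sampleJwt({'iss': '${idTokenIssuerPrefix}demo-project',
      'aud': 'demo-project', 'sub': 'user-123'});
  final customToken = sampleJwt({'iss': sa, 'sub': sa,
      'aud': customTokenAudience, 'uid': 'user-123'});
  print('REST idToken    -> ${classifyFirebaseToken(idToken)}');
  print('Admin SDK token -> ${classifyFirebaseToken(customToken)}');
}
```

A token classified as `id` here is the kind `signInWithCustomToken()` rejects with the format error quoted in the question.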
