cookies, oauth-2.0, firebase-authentication, google-authentication, mongodb-stitch

Use Google Firebase Authentication without 3rd Party Cookies


I'm currently experimenting with Social Media Sign-in and have realised something slightly strange on how these logins are delivered which is stemming from the fact that my workplace, like most offices, blocks 3rd party cookies as a security policy.

Google Firebase Authentication uses 3rd party cookies and so if I try to use Firebase, I'm redirected to the Google page (as expected) but when I'm redirected back to the originating webpage after logging in (and Firebase tries to set cookies), I get an error saying "This browser is not supported or 3rd party cookies and data may be disabled."

However, MongoDB Stitch somehow works and I'm able to actually log in, even with 3rd party cookies disabled. I really can't seem to make sense of why that's the case but I'm hoping someone here can shed some light on it. If it helps, MongoDB Stitch asks that you set https://stitch.mongodb.com as Origin URI and https://stitch.mongodb.com/api/client/v2.0/auth/callback as Authorised Redirect URI in the Google Console, whilst you have to set up your own website URIs inside the MongoDB Console, which I believe might be the difference?

In any case, MongoDB Stitch's documentation is severely deficient (thanks to it still being in Public Beta) so I would really like to go the Google Firebase way if at all possible.

  1. Does anyone know how MongoDB Stitch is able to bypass setting 3rd Party Cookies?
  2. How can I use Google Firebase Authentication whilst 3rd Party Cookies are disabled?

Solution

  • Have you tried using gapi.auth2, the Google sign-in library for JavaScript? Last time I checked, it worked with 3rd party cookies disabled. You can use it to obtain a Google ID token or access token and then sign in to Firebase:

    firebase.auth().signInWithCredential(firebase.auth.GoogleAuthProvider.credential(googleIdToken, googleAccessToken))...
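The flow suggested in the answer above, written out end to end as an added example (not code from the original answer or from the Firebase or Google projects). `CLIENT_ID` is a placeholder, the function names are hypothetical, and `gapi` and `firebase` are passed in as parameters (an assumption made so the flow can be run against stubs); in a page they are the globals provided by the two SDK scripts.

```javascript
// Placeholder (assumption): the OAuth 2.0 web client ID from the Google Console.
const CLIENT_ID = 'YOUR_OAUTH_CLIENT_ID.apps.googleusercontent.com';

// Load and initialise gapi.auth2 once.
function initGoogleAuth(gapi, clientId) {
  return new Promise((resolve, reject) => {
    gapi.load('auth2', () => {
      // init() returns a thenable GoogleAuth object. Resolve with no value:
      // handing a thenable to resolve() would make the promise re-enter
      // its then() instead of settling.
      gapi.auth2.init({ client_id: clientId }).then(() => resolve(), reject);
    });
  });
}

// Sign in with Google in a popup, then hand the tokens to Firebase.
// Call this from a click handler so the popup is not blocked.
async function signInToFirebaseWithGoogle(gapi, firebase, clientId) {
  await initGoogleAuth(gapi, clientId);
  const googleUser = await gapi.auth2.getAuthInstance().signIn();

  // Passing true asks for the access token as well as the ID token.
  const { id_token: googleIdToken, access_token: googleAccessToken } =
    googleUser.getAuthResponse(true);
  if (!googleIdToken) {
    throw new Error('Google sign-in returned no ID token');
  }

  // Same call as in the answer: Firebase receives the tokens directly,
  // so no redirect back through the Firebase auth domain is involved.
  const credential = firebase.auth.GoogleAuthProvider.credential(
    googleIdToken, googleAccessToken);
  return firebase.auth().signInWithCredential(credential);
}

// Browser wiring (assumes a button with id "google-sign-in" exists):
// document.getElementById('google-sign-in').addEventListener('click', () =>
//   signInToFirebaseWithGoogle(gapi, firebase, CLIENT_ID)
//     .catch((err) => console.error('Sign-in failed:', err)));
```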