[Auth-UI] [10.0.0-beta01] Hardcoded 'filterByAuthorizedAccounts=true' blocks new user Sign-Up flows

[JBokMan]

In the current beta implementation (10.0.0-beta01) of firebase-auth-ui, the signInWithGoogle function in FirebaseAuthUI hardcodes filterByAuthorizedAccounts = true when initializing the CredentialManager request.

While this setting is correct for minimizing friction for returning users, it causes a critical failure for new users (Sign Up) or developers testing with new build signatures. Because the library does not attempt a fallback or allow configuration, new users are met with a NoCredentialException (or a UI hang) and cannot access the account selection screen to create an account.

Environment:

• Library Version: com.firebaseui:firebase-ui-auth:10.0.0-beta01
• Android Version: Android 14+ (UpsideDownCake)
• Device: [Samsung S25 Ultra/ Emulator]

Steps to Reproduce:

1. Clean install the app on a device (ensure no Google account has previously authorized this specific app package/SHA-1).

2. Launch the AuthUI sign-in flow with Google provider enabled.

3. Click the "Sign in with Google" button.

4. Observed Behavior: The operation fails immediately with NoCredentialException

I get this error

CredManProvService GetCredentialResponse error returned from framework

If I isolate the code from the library and run it by itself I can observe this error:

androidx.credentials.exceptions.NoCredentialException: No credentials available
                                                                                                    	at androidx.credentials.internal.ConversionUtilsKt.toJetpackGetException(ConversionUtils.kt:82)
                                                                                                    	at androidx.credentials.CredentialProviderFrameworkImpl.convertToJetpackGetException$credentials_release(CredentialProviderFrameworkImpl.kt:295)
                                                                                                    	at androidx.credentials.CredentialProviderFrameworkImpl$onGetCredential$outcome$2.onError(CredentialProviderFrameworkImpl.kt:162)
                                                                                                    	at androidx.credentials.CredentialProviderFrameworkImpl$onGetCredential$outcome$2.onError(CredentialProviderFrameworkImpl.kt:150)
                                                                                                    	at android.credentials.CredentialManager$GetCredentialTransport.lambda$onError$2(CredentialManager.java:828)
                                                                                                    	at android.credentials.CredentialManager$GetCredentialTransport.$r8$lambda$_rg2Q59c21DJrPoh5aAnwNR78wQ(Unknown Source:0)
                                                                                                    	at android.credentials.CredentialManager$GetCredentialTransport$$ExternalSyntheticLambda0.run(D8$$SyntheticClass:0)
                                                                                                    	at androidx.credentials.CredentialManager$$ExternalSyntheticLambda0.execute(D8$$SyntheticClass:0)
                                                                                                    	at android.credentials.CredentialManager$GetCredentialTransport.onError(CredentialManager.java:827)
                                                                                                    	at android.credentials.IGetCredentialCallback$Stub.onTransact(IGetCredentialCallback.java:125)
                                                                                                    	at android.os.Binder.execTransactInternal(Binder.java:1462)
                                                                                                    	at android.os.Binder.execTransact(Binder.java:1401)

Expected Behavior: If no authorized account is found, the library should fallback to filterByAuthorizedAccounts = false (or allow the developer to configure this) to show the user's Google accounts for sign-up.

Code Analysis: The issue is located in GoogleAuthProvider+FirebaseAuthUI.kt (approx. line 140). The GetGoogleIdOption is built with a hardcoded filter:

// Current Implementation
val result = (testCredentialManagerProvider ?: credentialManagerProvider).getGoogleCredential(
    context = context,
    credentialManager = CredentialManager.create(context),
    serverClientId = provider.serverClientId!!,
    filterByAuthorizedAccounts = true, // <--- BLOCKER: Prevents new users from seeing accounts
    autoSelectEnabled = false
)

Documentation Reference: According to the Android Credential Manager documentation, the recommended pattern is to first try with true, and if it fails, try again with false:

If no authorized Google Accounts are available, the user should be prompted to sign up with any of their available accounts. To do this, prompt the user by calling the API again and setting setFilterByAuthorizedAccounts to false.

Currently, FirebaseUI does not support this fallback or configuration.

Another small issue is that the AuthProvider.Google allows serverClientId to be null but in the code above it requires the serverClientId to be non null serverClientId = provider.serverClientId!! this leads to a crash.

[demolaf]

Hi @JBokMan , thanks for the detailed issue report. To help me reproduce this issue better, can I know if there's a google account signed in on the device or no accounts?

Also, for the serverClientId being null there are preconditions in AuthUIConfiguration and validate functions in each of the providers so this shouldn't happen but I do see that we are not using default_web_client_id that'll be fixed in the next beta release.

[JBokMan]

There was a google account signed in on the device.

But I was not able to reproduce it with the emulator where the google account was signed in once using filterByAuthorizedAccounts = false. But I could reproduce it:

1. using a new emulator
2. where I first logged into a google account via the play store app
3. Then ran this code

    val androidContext = LocalContext.current

    val provider =
        AuthProvider.Google(
            scopes = listOf("email"),
            serverClientId = stringResource(R.string.default_web_client_id),
        )

    val authConfiguration = authUIConfiguration {
        context = androidContext
        providers { provider(provider) }
        tosUrl = TERMS_OF_SERVICE_URL
        privacyPolicyUrl = PRIVACY_POLICY_URL
        logo = AuthUIAsset.Resource(R.drawable.ic_launcher)
    }

    FirebaseAuthScreen(
        configuration = authConfiguration,
        // The success callback is triggered when the user signs in
        onSignInSuccess = { result ->
            Log.e("FirebaseAuthScreen", "User signed in ${result.user}")
            // Handle the result
        },
        onSignInFailure = { exception ->
            Log.e(
                "FirebaseAuthScreen",
                "Failed to sign in ${exception.message}, ${exception.cause}",
            )
            // Handle the error
        },
        onSignInCancelled = {
            // Handle the cancellation
            Log.e("FirebaseAuthScreen", "User cancelled sign in")
        },
    )

4. to fix the issue it I threw together this code:

     val scope = rememberCoroutineScope()

    Box(modifier = Modifier.fillMaxSize()) {
        Button(
            modifier = Modifier.align(Alignment.Center),
            onClick = {
                scope.launch {
                    signInWithGoogle(
                        context = androidContext,
                        provider = provider,
                    )
                }
            },
        ) {
            Text("Sign in")
        }
    }

...

suspend fun signInWithGoogle(
    context: Context,
    provider: AuthProvider.Google,
    authorizationProvider: AuthorizationProvider = DefaultAuthorizationProvider(),
    credentialManagerProvider: AuthProvider.Google.CredentialManagerProvider = AuthProvider.Google.DefaultCredentialManagerProvider(),
) {
    if (provider.scopes.isNotEmpty()) {
        val requestedScopes = provider.scopes.map { Scope(it) }
        authorizationProvider.authorize(context, requestedScopes)
    }

    val result =
        (credentialManagerProvider).getGoogleCredential(
            context = context,
            credentialManager = CredentialManager.create(context),
            serverClientId = provider.serverClientId!!,
            filterByAuthorizedAccounts = false, //<--- statically set to false because true results in the issue
            autoSelectEnabled = false,
        )

    val auth = FirebaseAuth.getInstance()

    auth.signInWithCredential(result.credential).await()
}

interface AuthorizationProvider {
    suspend fun authorize(context: Context, scopes: List<Scope>)
}

class DefaultAuthorizationProvider : AuthorizationProvider {
    override suspend fun authorize(context: Context, scopes: List<Scope>) {
        val authorizationRequest = AuthorizationRequest.builder()
            .setRequestedScopes(scopes)
            .build()

        Identity.getAuthorizationClient(context)
            .authorize(authorizationRequest)
            .await()
    }
}