Skip to content

Implement R-GCIP Token-Only Session via ExchangeToken #15041

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Parent: Adding Sample App Changes
merged 3 commits into from
Jun 26, 2025
Merged

Implement R-GCIP Token-Only Session via ExchangeToken #15041

merged 3 commits into from
Jun 26, 2025

Conversation

@srushtisv
Copy link
Contributor

Description

This PR introduces support for a "token-only" session mode, primarily for Bring Your Own CIAM (BYO-CIAM) use cases with Regionalized GCIP (R-GCIP). This allows developers to use Firebase services with a Firebase token obtained from a third-party OIDC provider, without creating a User entity or a standard Firebase Auth session.

Key Changes

  • New Public API (Auth.exchangeToken): Adds exchangeToken(idToken:idpConfigId:completion:) and its async counterpart. This method exchanges a third-party OIDC ID token for a Firebase ID token.
  • Token-Only Session State: A new private property, _rGCIPFirebaseToken, has been added to the Auth class to store the token returned from exchangeToken. This state is mutually exclusive with currentUser.
  • AuthInterop Modification: The getToken(forcingRefresh:completion:) method in the AuthInterop extension has been updated. It now first checks for an active R-GCIP token session.
    • If an active, non-expired token exists, it is returned.
    • If the token is expired or forceRefresh is true, an AuthErrorCode.userTokenExpired error is returned, signaling that the developer must call exchangeToken again.
    • If no R-GCIP token exists, the logic falls back to the original implementation using currentUser.
  • State Invalidation: Standard sign-in flows (e.g., signInWithEmail:password:) now clear the R-GCIP token session to prevent conflicting states.
  • Unit Tests: Added a new test suite, ExchangeTokenRequestTests.swift, to validate the URL construction and body of the new API request. Updated AuthTests.swift to cover the new AuthInterop logic paths.

Changelog

  • Added support to Auth.exchangeToken(idToken:idpConfigId:completion:) R-GCIP sessions by exchanging a third-party OIDC token for a Firebase token.
  • The AuthInterop protocol now supports a token-only authentication state, which is activated by a successful exchangeToken call.

@gemini-code-assist
Copy link
Contributor

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in issue comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.

@srushtisv srushtisv mentioned this pull request Jun 24, 2025
Closed
@google-oss-bot
Copy link

1 Warning
⚠️ Did you forget to add a changelog entry? (Add #no-changelog to the PR description to silence this warning.)

Generated by 🚫 Danger

@srushtisv srushtisv marked this pull request as ready for review June 24, 2025 23:10
@srushtisv srushtisv requested review from ncooke3 and pashanka and removed request for ncooke3 June 24, 2025 23:21
ncooke3
ncooke3 reviewed Jun 25, 2025
View reviewed changes
@srushtisv srushtisv requested a review from ncooke3 June 26, 2025 07:58
@srushtisv srushtisv merged commit a9f9b4c into sample-app-byociam Jun 26, 2025
53 checks passed
@srushtisv srushtisv deleted the interop-byociam branch June 26, 2025 09:41
@firebase firebase locked and limited conversation to collaborators Jul 26, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@pashanka pashanka pashanka approved these changes

@ncooke3 ncooke3 Awaiting requested review from ncooke3

Assignees

No one assigned

Labels

api: auth

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@srushtisv @google-oss-bot @ncooke3 @pashanka