4

I have configured an OIDC provider (linked to a Keycloak OIDC provider) in Google Identity Platform console. This is the code in my single page app:

provider = new firebase.auth.OAuthProvider('oidc.keycloak');
firebaseAuth.auth.signInWithPopup(provider)
      .then(value => {
        log.info(`It worked!`, value);
      })
      .catch(err => {
        log.info('Something went wrong:', err);
      });

The popup window appears and I can login to Keycloak, but after the popup disappears the following error is thrown in the browser:

{code: "auth/admin-restricted-operation", message: "This operation is restricted to administrators only."}

I am using the latest versions of Firebase Client SDK and AngularFire2 and I have successfully configured Email/Password authentication. In Google Identity Platform I have:

Issuer (URL):

https://auth.example.com/auth/realms/myrealm

and Callback URL:

https://myapp-12345.firebaseapp.com/__/auth/handler

Is there an additional configuration in the client side that I need to do? Could the issue be with the OIDC provider (Keycloak) and its configuration?

Frank van Puffelen
Thomas

1 Answer

4

It seems that you disabled user signup from the client SDK in your Google Cloud Identity Platform settings (in the Google Cloud Console). This is in the Settings section under User actions. The checkbox Enable create (sign-up) should be checked.

bojeil
  • Thanks for your help. Am I right in thinking this enables the public to sign up to my application and there is no way of limiting sign-up only to users of a specific provider? – Thomas Sep 05 '19 at 13:50
  • This setting is useful in case you do not want users to create their own account but only want a user to be created by an admin (via cloud console or admin sdk). This is typical for enterprise. You don't want employees to create their own account. – bojeil Sep 06 '19 at 07:53
  • Understood. I have two kinds of users: those who sign up via their organisation (OIDC and SAML) and those who log in with their email/password. I don't want to allow sign-up for the latter, but sign-up has to be enabled for all, otherwise the first group can't sign in. – Thomas Sep 06 '19 at 09:12
  • I see. That makes sense. Currently I think you cannot do a combination of both. Try to file a feature request for this: https://cloud.google.com/support-hub/ or via [firebase support](https://firebase.google.com/support/). – bojeil Sep 06 '19 at 18:31
  • Another option is to upload your SAML and OIDC users to your Auth project ahead of time. Is this a feasible option? – bojeil Sep 06 '19 at 18:44
  • Unfortunately not. I was thinking maybe I could ask the SAML users to sign up via another link that is backed by the Admin SDK for the first time, and then sign-up for the Client SDK can be disabled, but it is too much work for something that is supposed to be out-sourced. – Thomas Sep 06 '19 at 19:09
  • I did file a feature request via Firebase support by the way. – Thomas Sep 06 '19 at 19:10
  • I just enabled login for **anonymous users**. It worked for me. – shammi Dec 31 '19 at 10:21
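The pre-provisioning route bojeil suggests in the comments (uploading the OIDC users to the Auth project ahead of time) is what makes it possible to keep "Enable create (sign-up)" unchecked and still let Keycloak users sign in: the first signInWithPopup then resolves to an existing account linked to oidc.keycloak instead of attempting a blocked sign-up. The script below is an added example, not code from the question, the answer or Google's documentation. It assumes the Keycloak realm's `sub` claim is the provider-side user id, that the realm export has the shape of the constructed KEYCLOAK_EXPORT sample, and that the firebase-admin package is installed with a service account reachable through GOOGLE_APPLICATION_CREDENTIALS when a real import is wanted; the names KEYCLOAK_EXPORT, toImportRecord, toBatches and provision are invented for the example. Without credentials it only performs a dry run.

```javascript
// Added example (not from the original thread): pre-provision Keycloak OIDC users with
// the Firebase Admin SDK so client-side sign-up can stay disabled in Identity Platform.
// Each record carries a providerData entry for 'oidc.keycloak', which is what lets a
// later federated sign-in match this account rather than try to create a new one.
//
// Assumptions not present in the original thread: the realm's `sub` claim is the
// provider-side user id, and GOOGLE_APPLICATION_CREDENTIALS points at a service
// account when the script is run for real.

const PROVIDER_ID = 'oidc.keycloak'; // must match the provider id configured in Identity Platform
const MAX_BATCH = 1000;              // importUsers accepts at most 1000 records per call

// Constructed sample input standing in for an export of the Keycloak realm.
const KEYCLOAK_EXPORT = [
  { sub: '0b6d7a3e-1111-4c2b-9a1f-aaaaaaaaaaaa', email: 'Alice@Example.com', name: 'Alice' },
  { sub: '0b6d7a3e-2222-4c2b-9a1f-bbbbbbbbbbbb', email: 'bob@example.com', name: 'Bob' },
];

// Map one exported Keycloak user onto a UserImportRecord. Throws on missing fields so a
// broken export aborts before anything is written to the project.
function toImportRecord(kcUser) {
  if (!kcUser || typeof kcUser.sub !== 'string' || kcUser.sub.trim() === '') {
    throw new Error('Keycloak user is missing a sub claim');
  }
  if (typeof kcUser.email !== 'string' || !kcUser.email.includes('@')) {
    throw new Error(`user ${kcUser.sub} has no usable email`);
  }
  const email = kcUser.email.trim().toLowerCase();
  const federated = { providerId: PROVIDER_ID, uid: kcUser.sub, email };
  const record = {
    uid: `kc_${kcUser.sub}`, // local uid: any unique string of 1-128 characters
    email,
    emailVerified: true,     // the IdP, not the end user, asserted this address
    providerData: [federated],
  };
  if (typeof kcUser.name === 'string' && kcUser.name !== '') {
    record.displayName = kcUser.name;
    federated.displayName = kcUser.name;
  }
  return record;
}

// Split the records into batches that respect the per-call limit of importUsers.
function toBatches(records, size = MAX_BATCH) {
  const batches = [];
  for (let i = 0; i < records.length; i += size) {
    batches.push(records.slice(i, i + size));
  }
  return batches;
}

// Validate and import every batch. Without credentials this is a dry run that only
// reports what would be sent, so the script is safe to execute on a workstation.
async function provision(exportedUsers) {
  const batches = toBatches(exportedUsers.map(toImportRecord));
  if (!process.env.GOOGLE_APPLICATION_CREDENTIALS) {
    return { dryRun: true, batches: batches.length, records: exportedUsers.length };
  }
  const admin = require('firebase-admin');
  admin.initializeApp();
  const summary = { dryRun: false, imported: 0, failed: 0, errors: [] };
  for (const batch of batches) {
    // importUsers is best-effort: failures are reported per record index, not thrown.
    const result = await admin.auth().importUsers(batch);
    summary.imported += result.successCount;
    summary.failed += result.failureCount;
    for (const e of result.errors) {
      summary.errors.push({ uid: batch[e.index].uid, message: e.error.message });
    }
  }
  return summary;
}

provision(KEYCLOAK_EXPORT)
  .then((summary) => console.log(JSON.stringify(summary, null, 2)))
  .catch((err) => { console.error(err.message); process.exitCode = 1; });
```

Run it once per realm export before switching "Enable create (sign-up)" off. Failed records (for example an address that already belongs to an email/password account) are listed in the summary per uid instead of aborting the whole batch, so check that list rather than assuming a clean run; the email/password accounts themselves are unaffected, which is what keeps self-service sign-up closed for that group.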