2

Background

I work on 2 different apps with common shared code, both used on the same project (using productFlavors in gradle file), but with different package names.

The problem

The apps are supposed to be able to login to Google account and fetch some information from it.

The first one works fine, but the second has issues logging-in, especially on release-variant.

Both are already published on the Play Store and have Firebase being used, so I can't perform operations that might damage how the apps work.

What I've found

I made the app write to logs to show the issue:

    override fun onActivityResult(requestCode: Int, resultCode: Int, data: Intent?) {
        val result = Auth.GoogleSignInApi.getSignInResultFromIntent(data)
        if (result?.isSuccess == true) {
          ...
        }
        else {
          Log.e("AppLog", "onActivityResult failure:${result?.status}")
        }

And indeed this is what I got:

onActivityResult failure:Status{statusCode=DEVELOPER_ERROR, resolution=null}

Searching the Internet and here on StackOverflow, it showed that I need to add the SHA-1 to the project, of both release and debug:

https://console.firebase.google.com/u/0/project/.../settings/general/...

Adding the SHA-1 of debug-variant works fine (though for some reason during login it had multiple steps instead of just one or two), but when I try to add the SHA-1 of release-variant, it seems identical to the SHA-1 of the other app (which has a different package). It shows me this message (via "project settings"->"general"):

An OAuth2 client already exists for this package name and SHA-1 in another project. You can omit the SHA-1 for now and read more about this situation and how to resolve it.

enter image description here

So I followed the link, and I tried to do as was written there:

First, find your existing project's OAuth 2.0 client ID. To do this:

  1. Go to the Credentials page of the Google Cloud console. If the project containing the OAuth 2.0 client ID doesn't open automatically, select it from the drop down menu in the upper right corner of the page.
  2. Under the OAuth 2.0 client IDs section, locate the client name containing the SHA-1 and package name you used for your Firebase project. If you're unsure which one is correct, click the name of the client to see the details.
  3. When you have located the correct client name, copy the full value in the Client ID column.

Next, whitelist this client ID for Google as a sign in provider. To do this:

  1. Go to the Firebase console and select your project.
  2. Select Auth from the menu on the left.
  3. Select the Sign in method tab.
  4. On the Sign in method page, click on Google in the Sign in providers card.
  5. Expand the Whitelist client IDs from external projects option.
  6. Paste your client ID from the Cloud console into the text field and click Add.

So I pasted each of them (from "https://console.developers.google.com/apis/credentials?project=..." into "https://console.firebase.google.com/u/0/project/.../authentication/providers" ) that I thought that should be there, and as it didn't work, I pasted even more, including of both apps.

enter image description here

Still didn't work.

I also tried to add SHA-256 instead, and even though it allowed me to do it, it didn't help either.

I tried to search for solutions on StackOverflow and on other places, but the questions don't seem to be related to the exact scenario I have, as here it's 2 different package names already (so there shouldn't be a problem), and the apps are already published (so I can't remove stuff from the websites).

The questions

The most important question is the first one. The rest are optional and only so that I could learn what's wrong and what's going on. I would really appreciate it to understand for next time how to handle it properly:

  1. How can I solve it for the second app, without causing any issue to either apps? I don't want to remove the account/project on the website of any of those apps.

  2. How come I can't add SHA-1 of an app of a different package name?

  3. It said to copy the "client ID" on the instructions, but it didn't say of which app. I guess it means of the app that works fine, right?

  4. Some solutions said that I could re-create the SHA-1 to have a new key, but I couldn't find how. How do I do this? Would it help? Wouldn't it affect the app that works fine, and I will have the same issue of same SHA-1 being used for both, again?

android developer
  • 114,585
  • 152
  • 739
  • 1,270
  • did u use the release SHA1 key? – Mahmoud Omara Dec 21 '20 at 09:09
  • @MahmoudOmara Not sure what is your question. The SHA-1 can't be added to the problematic app, if that's what you are asking. The website doesn't let me. It shows the error. – android developer Dec 21 '20 at 09:23
  • when you open the firebase settings for the app, you will see at the bottom of the screen "Add fingerprint", you need to add both debug and release SHA1 keys there for each app, and since you have 2 different package names, you should have 2 apps on that firebase project – Mahmoud Omara Dec 21 '20 at 09:30
  • the release sha1 must be acquired from the release keystore for each app, some people use the same key for all flavors in the project which i think is ur own case – Mahmoud Omara Dec 21 '20 at 09:31
  • @MahmoudOmara That's the issue. I can't add the SHA1 of release. Only of debug. The SHA1 that is generated by the IDE shows the same one of release for both apps for some reason, and different one for debug. As I wrote the apps have different package names. – android developer Dec 21 '20 at 09:42
  • could u show me the terminal command used to get that release sha1? – Mahmoud Omara Dec 21 '20 at 09:56
  • @MahmoudOmara I used the one of the IDE, meaning "signing report". It generates SHA1 for all components, including both apps and both debug&release. Also tried now the command `./keytool -list -v -keystore PATH_TO_KEYSTORE_FILE -alias ALIAS -storepass STORE_PASS -keypass KEY_PASS` , where the uppercase words are replaced. Both methods produced the same SHA-1 for release, to be used by both apps. – android developer Dec 21 '20 at 10:06
  • 1
    exactly my point, both apps have different package names that is true, but u are using 1 keystore for both of them, and the SHA1 is related to the keystore and not the bundle name, meaning this 1 SHA1 will work for both apps – Mahmoud Omara Dec 21 '20 at 10:31
  • @MahmoudOmara But it's not working for both. Only to one of them. And indeed when I run the second app on release, it fails to login. That's the issue. I can't add the SHA1 to the website either. Do you know of a solution for this? – android developer Dec 21 '20 at 10:34
  • sadly i don't, this shouldn't be an issue, i actually just did something like this a couple of months ago, never had this issue – Mahmoud Omara Dec 21 '20 at 10:59
  • So are both SHA-1 of the release-variant identical for both projects? When you generate the SHA-1, you should use different keystore.jks files for each project, and not the same as also @MahmoudOmara mentioned in his comment. – Alex Mamo Dec 21 '20 at 11:01
  • i'm guessing he has a single project with different flavors, you don't need multiple keystores for that – Mahmoud Omara Dec 21 '20 at 11:04
  • @AlexMamo It's a single Android Studio project, and there are 2 productFlavors for it. Each is a different app, different package name, similar code, and use the same keystore file. – android developer Dec 21 '20 at 11:05
  • @MahmoudOmara You are saying you have a similar scenario, and you didn't have this issue? But do you have the SHA1 written on both apps (on the website) ? – android developer Dec 21 '20 at 12:05
  • i did develop an app with multiple flavors and all flavors used he same SHA1 keys on debug and the other on release, the issue you are seeing right now has never occured to me sadly – Mahmoud Omara Dec 21 '20 at 12:34
  • @MahmoudOmara Same SHA1 for debug, but not for release? Are you sure? For me it's the opposite: I get same SHA1 for release, but not for debug. – android developer Dec 21 '20 at 12:36
  • no i mean same sha1 for debug on both bundle names, and then same release for both bundle names as well, in total 2x SHA1 1x for debug and 1x for release, doesnt matter u have 1 flavor or 100million – Mahmoud Omara Dec 21 '20 at 12:45
  • @MahmoudOmara So you succeeded using the same SHA1 values of debug&release for both of them. Even weirder, then, that I see this issue. – android developer Dec 21 '20 at 15:17
  • i had a different problem with my back-end checking the users on both apps against 1 firebase project, but that was about it, never got this issue that u have now, the other we had to make sure that the back-end can differentiate users from different projects/environments and not mix it all up – Mahmoud Omara Dec 21 '20 at 16:08

4 Answers4

1

This is a little late...I guess this has been solved for you but for others who might need a solution...

All your steps described above are correct. You missed one last step. Take the Oauth Client id that you copied from the google console (and whitelisted in Firebase Sign In) and add it to the google-services.json file you downloaded from Firebase. This last step is very important!! In the json file, find the oauth section...

"oauth_client": [ { "client_id": "PASTE Oauth client ID here", "client_type": 3 } ],

Rebuild app.

Dharman
  • 30,962
  • 25
  • 85
  • 135
Nikhil Sohoni
  • 145
  • 4
0

Try adding the SHA-1 key to Firebase which you get while uploading the app to Google Play Console. You can get this key while navigating to App signing info at Play Console.

Dheeraj Kotwani
  • 91
  • 1
  • 3
0

These days it's probably preferred to add SHA-256 instead of SHA-1 key fingerprints.

Play App Signing "might" solve the issue in terms of not adding duplicate release keys, no matter the upload keys. Closely check the documentation, if not the enrollment would mess up the release by changing keys; so far I have not attempted to migrate an already published app to Play App Signing, but if this would not break anything, this might be a suitable way out of the situation.

Another option would be to click "Add App" and then add the other one package-name (in case both flavors would use the same one Firebase project). I have configured this for debug/release builds, which also have different package names (it doesn't really matter how they were build).

In case you have to mess around, publish one more release, which features kind of "maintenance mode", to be switched on/off with Firebase Remote Config, in order to prevent data-changes.

Martin Zeitler
  • 1
  • 19
  • 155
  • 216
  • Sadly I already tried SHA-256 (as I wrote). I tried again now. Still didn't help. Did you have such an issue? – android developer Dec 30 '20 at 11:23
  • I think the issue you're facing only arises, when trying to add identical key to different Firebase projects, but not when adding identical keys to different apps within the same Firebase project. Even if not wanting to, you'f probably have to restructure and then make a new release with a slightly different package name, for one of them... in terms of merging them into a single project. Enrolling for Play App Signing might be the only option available to change the release keys, but I'm not certain about that. Generally speaking, the Firebase console and Play console need to be in-sync. – Martin Zeitler Dec 30 '20 at 18:23
  • Filing a ticket with Firebase support might be an option to get a certain answer. This might be a whole lot better than experimenting around and possibly messing up one of the apps. You could eventually also move from flavors to DFM, so that a single app could provide that. – Martin Zeitler Dec 30 '20 at 18:37
  • "How come I can't add SHA-1 of an app of a different package name" is still possible with "Add App" ...but only while it's not yet been added to a different Firebase project. If you want to restructure, you have to restructure - and sometimes one has to submit to the system, like it whether or not. – Martin Zeitler Dec 30 '20 at 18:51
  • The 2 apps are inside the same project, as some of the code is very similar between them. How can I contact Firebase/Google about this issue? – android developer Dec 31 '20 at 14:07
  • @androiddeveloper One can also request key upgrades: https://support.google.com/googleplay/android-developer/answer/9842756#upgrade – Martin Zeitler Jan 31 '21 at 12:29
  • Not sure if this can be a good solution. Isn't it dangerous? Won't it cause issues for existing users? – android developer Jan 31 '21 at 12:38
  • @androiddeveloper It probably depends what the actual reason to do so is... since one can set up multiple package names in Firebase and they can use the same debug, upload and app-signing keys. The problem likely arises when trying to add the same key to another project. Therefore consolidation might the only way, I mean migrating one of them over. – Martin Zeitler Jan 31 '21 at 13:13
  • I don't think it's worth the risk of causing issues on the good app. – android developer Feb 02 '21 at 00:10
  • Nope. SHA1 is used by Firebase Auth. SHA256 is used by Firebase Dynamic Links. – tudorprodan Jul 13 '22 at 07:04
0

The SHA-1 belongs to the certificate you're using to sign the APK, doesn't belong to any individual app.

The problem seems to be that you have have multiple projects with the same Package+SHA added. Check https://console.firebase.google.com/ here you'll be able to see all the projects under your account.

jasxir
  • 808
  • 9
  • 18