sign_in_failed even though SHA1/package name is unique in Firebase console

476 views
Skip to first unread message

Andy Newman

unread,
Nov 28, 2023, 5:20:28 PM11/28/23
to Firebase Google Group
Greetings Firebase Community,

I have a Flutter application using Firebase Cloud Messaging. The application and cloud messaging works fine.

Recently, I have been trying to use the google_sign_in package for Flutter. Unfortunately, I keep getting 'sign_in_failed errors, ApiException: 10' when calling GoogleSignIn.signIn(GoogleSign.games()). Note that I do want to perform a Play Games sign-in, that's why I am using GoogleSign.games().

In the Firebase Console, I have one project for production and one project for debugging purposes only. Right now I'm using the latter. No SHA1 key is shared between the projects, I double checked (my production SHA1 is registered for the Production Firebase project, and the debug SHA1 is registered for the Development Firebase Project).

Nevertheless, in the Development project parameters, I keep having a warning sign next to my SHA-1 fingerprint, saying it is duplicated with another project. But it isn't.

Now, this SHA-1 fingerprint is also registered as an Identifier in the Google Cloud Console because I am considering using the Play Games SDK instead of the Google Sign-In SDK.

Is Firebase unhappy because it finds the SHA-1 fingerprint there (Play Games project)? I'm so confused.

Thanks for your help.

Jen Harvey Hugg

unread,
Nov 28, 2023, 5:57:47 PM11/28/23
to fireba...@googlegroups.com
Hi, Andy!

Yep, that's probably the case: Firebase projects are Google Cloud projects with a little extra "Firebasey" configuration, so if you have an OAuth2 client with the same package name and SHA1 in a Google project, that would cause the error. I.e., the OAuth2 client currently exists in two Google Cloud projects, the one you use for Firebase and the one you use for Play Games. So, in this case, you'd need to remove it from one of the projects (assuming this would be from your Play Games project if you're not using it yet).

Check out An OAuth2 client... for a full discussion of the duplicate OAuth2 issue and Understand Firebase projects for a deep dive into the relationship between Firebase projects and Google cloud.

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/4d409b70-4e42-423d-8347-d0a40c5eeb77n%40googlegroups.com.

Andy Newman

unread,
Nov 29, 2023, 7:45:21 PM11/29/23
to Firebase Google Group
Hi Jen,

- the Firebase project has an Android application that has a given package name and SHA1 certificate
- the Google Cloud project has an OAuth identifier with the same package name and SHA1 certificate
- the Google Cloud project also has an OAuth Consent Screen (not sure if this is used?)

So I do need to have the SHA1 certificate registered in two places, don't I?

I use the debug certificate in both cases for now (successfully retrieved using 'gradlew signingReport').

Jen Harvey Hugg

unread,
Nov 29, 2023, 8:57:18 PM11/29/23
to fireba...@googlegroups.com
Hi, Andy:

So the Firebase project is a Google project, if you have the same app name and SHA-1 in the Firebase (i.e., Google Cloud) project and your GCP project, it's technically in two Google Cloud projects and the app bundle name + SHA-1 must be unique across all Cloud projects. Now, you can have the same app bundle name in two different projects, but you can't use the same SHA-1 in combination with that app bundle name in both projects.

However, if you're just using this for Google Sign-in, you could retain the OAuth2 client in your Play-specific project, remove the SHA-1 fingerprint from the app in the Firebase project, and then safelist the Play project's OAuth2 client ID in your dev Firebase project (note that you wouldn't want to remove the fingerprint from an app in production). This blog post is from a while back, but the steps are still pretty much the same: https://firebase.blog/posts/2016/12/working-with-multiple-firebase-projects-in-an-android-app.

You can find the OAuth2 client ID on the Google Cloud console API Credentials page for your Play project under OAuth2 Client IDs. Locate the client name--it'll be named something like "Android client for your.bundle.name (auto created by Google Service." Click the Download icon on the far right and it'll pop up the client ID (it'll end in `apps.googleusercontent.com`). Copy that ID and paste it into the Firebase console via Authentication > Sign-in Providers > Google > Edit > Safelist Client IDs from External Clients and click Save. You'll also want to re-download your google-services.json file and add it to your app and hopefully that will do the trick!

You can find the full instructions for this @ I need to retain the OAuth client in a different project but want to share Google Sign-in (or the blog post--the UI has changed a bit, but the steps are the same!).

Reply all
Reply to author
Forward
0 new messages