Auth uses soon to be deprecated apis.google.com/js/api.js

[nahuelmap]

• Operating System version: PopOS 22.04
• Browser version: Chrome 109.0.5414.74
• Firebase SDK version: 9.17.1
• Firebase Product: Auth

Google will be deprecating his "Google Sign-In Javascript Platform library" to his new "Identity Services for the Web" on March 31, 2023, as stated in:

https://developers.google.com/identity/gsi/web/guides/migration
https://developers.google.com/identity/oauth2/web/guides/migration-to-gis

The first link says apis.google.com/js/api.js is going to be deprecated. This library seems to be used by firebase-sdk-js, see:

firebase-js-sdk/packages/auth/src/platform_browser/iframe/gapi.ts

Line 107 in b6c231a

._loadJS(`https://apis.google.com/js/api.js?onload=${cbName}`)

So it seems firebase-sdk-js uses the old version and is not ready for the incoming deprecation (correct me if I'm wrong) . There are upgrade plans / an schedule for them in the horizon?

[prameshj]

Thanks for raising this! We use apis.google.com/js/api.js to load the iframe, but not for Google Sign In.

Only the Google Sign In functionality is deprecated. The full list of deprecated methods are here: https://developers.google.com/identity/oauth2/web/guides/migration-to-gis#library_quick_reference

[nahuelmap]

@prameshj Thanks for your reply. Notice that gapi.auth is also used, not only gapi.iframes as you stated:

firebase-js-sdk/packages/firestore/src/api/credentials.ts

Line 425 in 79df09b

return this.gapi!['auth']['getAuthHeaderValueForFirstParty']([]);

but it seems is a fallback option. Is gapi.auth really used or is a legacy code path never executed because an authTokenFactory is always present? If used, it will be upgraded? Note this is not gapi.auth2 but an even older gapi.auth api also implemented in api.js

[prameshj]

Thanks for pointing it out! cc @maneesht since this is on Firestore. I think since it is not mentioned in https://developers.google.com/identity/oauth2/web/guides/migration-to-gis#library_quick_reference, this will continue to work.

[nahuelmap]

The google migration documentation only mentions gapi.auth2 as a deprecated module, but I think is not safe to assume gapi.auth will not be also deprecated although it is not mentioned, because gapi.auth is a very old module already deprecated (but still present in api.js) by gapi.auth2.

[nahuelmap]

Hi @milaGGL any thoughts / news on this? You need help?

[keeth]

I got a notice emailed to me the other day:

One or more of your web applications uses the legacy Google Sign-In JavaScript library. Please migrate your project(s) to the new Google Identity Services SDK before March 31, 2023.

Does anyone know if this refers to the Firebase JS SDK? I don't think we use Google Sign-in directly anywhere, we only use it via Firebase Auth.

Is there a minimum version of the Firebase SDK that we need to upgrade to?

[milaGGL]

Hi @milaGGL any thoughts / news on this? You need help?

Hi @nahuelmap, thank you so much for offering help. It turns out one of our other firebase product will be effected by this deprecation, and we have alerted them on time, thanks to your ticket.

As for our JS SDK, we are working on the safe removal of the gapi.auth. I will keep the thread updated.

[milaGGL]

Hi @keeth, gapi auth in JS SDK is only used as a fallback option for first party authentication, and it should only effect our internal usage. Based on the Firebase JavaScript SDK Release Notes, there is no Firebase JS SDK upgrading required regarding this matter.

[keeth]

@milaGGL I don't see a reference to gapi in the release notes you mentioned, but I'll take your word for it!

[milaGGL]

@keeth, sorry for the confusion. I meant since there are no firebase release note on any products, stating that changes are made due to the gapi.auth deprecation, there is no upgrading required regarding this matter.

[nahuelmap]

Thanks for your work @milaGGL ! When we will get a release with this fix applied?

[milaGGL]

@nahuelmap, with pleasure. 😊
The PR is newly merged in and there is no exact date scheduled yet. I will update the thread once the release date is confirmed.
However, since the FirstPartyAuthCredentialsProvider is meant to be used for Google's internal authentication, this fix should not affect your app, unless you have intentionally used the first party credentials in your code with modifications.

[milaGGL]

The removal of FirstPartyAuthCredentialsProvider is released #7166. Please feel free to reopen this ticket if there is any issue related to this matter.

@nahuelmap, once again, thank you for bringing this to our attention.