Get Started with Firebase Authentication on Android
Connect your app to Firebase
Add Firebase Authentication to your app
Using the Firebase Android BoM, declare the dependency for the Firebase Authentication Android library in your module (app-level) Gradle file (usually app/build.gradle). By using the Firebase Android BoM, your app will always use compatible versions of the Firebase Android libraries.
(Alternative) Declare Firebase library dependencies without using the BoM
If you choose not to use the Firebase BoM, you must specify each Firebase library version in its dependency line.
Note that if you use multiple Firebase libraries in your app, we highly recommend using the BoM to manage library versions, which ensures that all versions are compatible.
To use an authentication provider, you need to enable it in the Firebase console. Go to the Sign-in Method page in the Firebase Authentication section to enable Email/Password sign-in and any other identity providers you want for your app.
(Optional) Prototype and test with Firebase Local Emulator Suite
Before talking about how your app authenticates users, let’s introduce a set of tools you can use to prototype and test Authentication functionality: Firebase Local Emulator Suite. If you’re deciding among authentication techniques and providers, trying out different data models with public and private data using Authentication and Firebase Security Rules, or prototyping sign-in UI designs, being able to work locally without deploying live services can be a great idea.
An Authentication emulator is part of the Local Emulator Suite, which enables your app to interact with emulated database content and config, as well as optionally your emulated project resources (functions, other databases, and security rules).
Using the Authentication emulator involves just a few steps:
- Adding a line of code to your app’s test config to connect to the emulator.
- From the root of your local project directory, running firebase emulators:start.
- Using the Local Emulator Suite UI for interactive prototyping, or the Authentication emulator REST API for non-interactive testing.
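The "line of code in your test config" from the first step, as an added example that is not part of the original page: it points the Auth SDK at the local emulator only in debug builds, so a store build can never talk to an emulator whose tokens are not production-signed. The Application class name AuthDemoApplication and the generated BuildConfig.DEBUG flag are assumptions; 9099 is the Authentication emulator's default port.

```kotlin
import android.app.Application
import com.google.firebase.auth.ktx.auth
import com.google.firebase.ktx.Firebase

// Added example (not the Firebase docs' own snippet). Assumes an Application subclass
// named AuthDemoApplication registered in the manifest and the app's generated
// BuildConfig.DEBUG flag; 9099 is the Authentication emulator's default port.
class AuthDemoApplication : Application() {
    override fun onCreate() {
        super.onCreate()
        if (BuildConfig.DEBUG) {
            // 10.0.2.2 is the Android emulator's alias for the host machine's loopback
            // address; a physical device needs the host's LAN address instead.
            // useEmulator must run before any other FirebaseAuth call in the process,
            // otherwise the SDK has already bound itself to the production backend.
            Firebase.auth.useEmulator("10.0.2.2", 9099)
        }
    }
}
```

Because the call is guarded by BuildConfig.DEBUG rather than a runtime setting, there is no flag an attacker could flip on a release build to redirect sign-in to a host they control.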
Now let’s continue with how to authenticate users.
Authenticate with Firebase on Android using a Phone Number
You can use Firebase Authentication to sign in a user by sending an SMS message to the user’s phone. The user signs in using a one-time code contained in the SMS message.
The easiest way to add phone number sign-in to your app is to use FirebaseUI, which includes a drop-in sign-in widget that implements sign-in flows for phone number sign-in, as well as password-based and federated sign-in. This document describes how to implement a phone number sign-in flow using the Firebase SDK.
Before you begin
- If you haven’t already, add Firebase to your Android project.
- Using the Firebase Android BoM, declare the dependency for the Firebase Authentication Android library in your module (app-level) Gradle file (usually app/build.gradle ).
By using the Firebase Android BoM, your app will always use compatible versions of the Firebase Android libraries.
(Alternative) Declare Firebase library dependencies without using the BoM
If you choose not to use the Firebase BoM, you must specify each Firebase library version in its dependency line.
Note that if you use multiple Firebase libraries in your app, we highly recommend using the BoM to manage library versions, which ensures that all versions are compatible.
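The dependency declaration described in this step and in the "Add Firebase Authentication to your app" step above, as an added example (Kotlin DSL, build.gradle.kts) that is not the page's own snippet. The BoM version number is an assumption; use the current one from the Firebase release notes.

```kotlin
// Added example of the module-level build.gradle.kts dependency block; not the
// Firebase docs' own snippet. The BoM version 32.7.0 is an assumption: pin whatever
// the current release is, and bump only the BoM line when upgrading.
dependencies {
    // The BoM pins every Firebase artifact to a mutually compatible version.
    implementation(platform("com.google.firebase:firebase-bom:32.7.0"))

    // No version on the library line: the BoM supplies it. Adding one here would
    // override the BoM and is the mismatch the docs warn about.
    implementation("com.google.firebase:firebase-auth-ktx")
}
```

If you do not use the BoM, every Firebase line needs its own explicit version, and those versions must be ones that were released together.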
Security concerns
Authentication using only a phone number, while convenient, is less secure than the other available methods, because possession of a phone number can easily be transferred between users (numbers are recycled and ported, and SIM cards change hands). Also, on devices with multiple user profiles, any user profile that can receive SMS messages can sign in to an account using the device's phone number.
If you use phone number based sign-in in your app, you should offer it alongside more secure sign-in methods, and inform users of the security tradeoffs of using phone number sign-in.
Enable Phone Number sign-in for your Firebase project
To sign in users by SMS, you must first enable the Phone Number sign-in method for your Firebase project:
- In the Firebase console, open the Authentication section.
- On the Sign-in Method page, enable the Phone Number sign-in method.
Firebase’s phone number sign-in request quota is high enough that most apps won’t be affected. However, if you need to sign in a very high volume of users with phone authentication, you might need to upgrade your pricing plan. See the pricing page.
Enable app verification
To use phone number authentication, Firebase must be able to verify that phone number sign-in requests are coming from your app. There are two ways Firebase Authentication accomplishes this:
- SafetyNet: If a user has a device with Google Play Services installed, and Firebase Authentication can verify the device as legitimate with Android SafetyNet, phone number sign-in can proceed.
- reCAPTCHA verification: If SafetyNet cannot be used, for example because the device has no Google Play Services or the app is running on an emulator, Firebase Authentication falls back to a reCAPTCHA verification to complete the phone sign-in flow.
To enable SafetyNet for use with Firebase Authentication:
- In the Google Cloud Console, enable the Android DeviceCheck API for your project. The default Firebase API Key will be used, and needs to be allowed to access the DeviceCheck API.
- If you haven't yet specified your app's SHA-256 fingerprint, do so from the Settings Page of the Firebase console. Refer to Authenticating Your Client for details on how to get your app's SHA-256 fingerprint.
SafetyNet has a default quota that is sufficient for most apps. See SafetyNet Quota Monitoring for more information.
Send a verification code to the user’s phone
To initiate phone number sign-in, present the user an interface that prompts them to type their phone number. Legal requirements vary, but as a best practice and to set expectations for your users, you should inform them that if they use phone sign-in, they might receive an SMS message for verification and standard rates apply.
Then, pass their phone number to the PhoneAuthProvider.verifyPhoneNumber method to request that Firebase verify the user's phone number.
The verifyPhoneNumber method is reentrant: if you call it multiple times, such as in an activity’s onStart method, the verifyPhoneNumber method will not send a second SMS unless the original request has timed out.
You can use this behavior to resume the phone number sign in process if your app closes before the user can sign in (for example, while the user is using their SMS app). After you call verifyPhoneNumber , set a flag that indicates verification is in progress. Then, save the flag in your Activity’s onSaveInstanceState method and restore the flag in onRestoreInstanceState . Finally, in your Activity’s onStart method, check if verification is already in progress, and if so, call verifyPhoneNumber again. Be sure to clear the flag when verification completes or fails (see Verification callbacks).
To easily handle screen rotation and other instances of Activity restarts, pass your Activity to the verifyPhoneNumber method. The callbacks will be auto-detached when the Activity stops, so you can freely write UI transition code in the callback methods.
The SMS message sent by Firebase can also be localized by specifying the auth language via the setLanguageCode method on your Auth instance.
When you call PhoneAuthProvider.verifyPhoneNumber, you must also provide an instance of OnVerificationStateChangedCallbacks, which contains implementations of the callback functions that handle the results of the request.
Verification callbacks
In most apps, you implement the onVerificationCompleted , onVerificationFailed , and onCodeSent callbacks. You might also implement onCodeAutoRetrievalTimeOut , depending on your app’s requirements.
onVerificationCompleted(PhoneAuthCredential)
This method is called in two situations:
- Instant verification: in some cases the phone number can be instantly verified without needing to send or enter a verification code.
- Auto-retrieval: on some devices, Google Play services can automatically detect the incoming verification SMS and perform verification without user action. (This capability might be unavailable with some carriers.) This uses the SMS Retriever API, which includes an 11 character hash at the end of the SMS message.
In either case, the user’s phone number has been verified successfully, and you can use the PhoneAuthCredential object that’s passed to the callback to sign in the user.
onVerificationFailed(FirebaseException)
This method is called when the verification request itself fails: for example, the phone number is malformed (FirebaseAuthInvalidCredentialsException), or the project's SMS quota has been exceeded (FirebaseTooManyRequestsException).
onCodeSent(String verificationId, PhoneAuthProvider.ForceResendingToken)
Optional. This method is called after the verification code has been sent by SMS to the provided phone number.
When this method is called, most apps display a UI that prompts the user to type the verification code from the SMS message. (At the same time, auto-verification might be proceeding in the background.) Then, after the user types the verification code, you can use the verification code and the verification ID that was passed to the method to create a PhoneAuthCredential object, which you can in turn use to sign in the user. However, some apps might wait until onCodeAutoRetrievalTimeOut is called before displaying the verification code UI (not recommended).
onCodeAutoRetrievalTimeOut(String verificationId)
Optional. This method is called after the timeout duration specified to verifyPhoneNumber has passed without onVerificationCompleted triggering first. On devices without SIM cards, this method is called immediately because SMS auto-retrieval isn’t possible.
Some apps block user input until the auto-verification period has timed out, and only then display a UI that prompts the user to type the verification code from the SMS message (not recommended).
Create a PhoneAuthCredential object
After the user enters the verification code that Firebase sent to the user’s phone, create a PhoneAuthCredential object, using the verification code and the verification ID that was passed to the onCodeSent or onCodeAutoRetrievalTimeOut callback. (When onVerificationCompleted is called, you get a PhoneAuthCredential object directly, so you can skip this step.)
To create the PhoneAuthCredential object, call PhoneAuthProvider.getCredential with the verification ID and the code the user entered.
Sign in the user
After you get a PhoneAuthCredential object, whether in the onVerificationCompleted callback or by calling PhoneAuthProvider.getCredential, complete the sign-in flow by passing the PhoneAuthCredential object to FirebaseAuth.signInWithCredential.
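The whole flow from "Send a verification code" through "Sign in the user" in one Activity, as an added example that is not the Firebase docs' own sample: building the verifyPhoneNumber request with a timeout and the calling Activity, the three callbacks that most apps implement, the in-progress flag saved across Activity restarts so a reentrant verifyPhoneNumber call resumes verification in onStart, resending with the ForceResendingToken, and building the credential from the typed code before signInWithCredential. The class name PhoneSignInActivity, the UI entry points onPhoneNumberSubmitted/onCodeSubmitted/onResendRequested, the showCodeEntry/showError/onSignedIn hooks and the "fr" language code are assumptions.

```kotlin
import android.os.Bundle
import androidx.appcompat.app.AppCompatActivity
import com.google.firebase.FirebaseException
import com.google.firebase.FirebaseTooManyRequestsException
import com.google.firebase.auth.FirebaseAuth
import com.google.firebase.auth.FirebaseAuthInvalidCredentialsException
import com.google.firebase.auth.PhoneAuthCredential
import com.google.firebase.auth.PhoneAuthOptions
import com.google.firebase.auth.PhoneAuthProvider
import java.util.concurrent.TimeUnit

// Added example, not the Firebase docs' own sample. Assumes an Activity named
// PhoneSignInActivity whose layout calls onPhoneNumberSubmitted(), onCodeSubmitted() and
// onResendRequested(); showCodeEntry(), showError() and onSignedIn() are the app's UI hooks.
class PhoneSignInActivity : AppCompatActivity() {
    private val auth: FirebaseAuth = FirebaseAuth.getInstance()
    private var verificationInProgress = false
    private var phoneNumber: String? = null
    private var storedVerificationId: String? = null
    private var resendToken: PhoneAuthProvider.ForceResendingToken? = null

    private val callbacks = object : PhoneAuthProvider.OnVerificationStateChangedCallbacks() {
        override fun onVerificationCompleted(credential: PhoneAuthCredential) {
            // Instant verification or SMS auto-retrieval: no code entry needed, sign in directly.
            verificationInProgress = false
            signInWithPhoneAuthCredential(credential)
        }
        override fun onVerificationFailed(e: FirebaseException) {
            verificationInProgress = false
            when (e) {
                is FirebaseAuthInvalidCredentialsException -> showError("Invalid phone number")
                is FirebaseTooManyRequestsException -> showError("SMS quota exceeded, try again later")
                else -> showError("Verification failed: ${e.message}")
            }
        }
        override fun onCodeSent(verificationId: String, token: PhoneAuthProvider.ForceResendingToken) {
            // Keep the id and the resend token; the user now types the code from the SMS.
            storedVerificationId = verificationId
            resendToken = token
            showCodeEntry()
        }
    }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        auth.setLanguageCode("fr") // localizes the SMS text (assumption: French-speaking users)
        phoneNumber = savedInstanceState?.getString("phone_number")
        verificationInProgress = savedInstanceState?.getBoolean("verification_in_progress") ?: false
    }
    override fun onSaveInstanceState(outState: Bundle) {
        super.onSaveInstanceState(outState)
        outState.putBoolean("verification_in_progress", verificationInProgress)
        outState.putString("phone_number", phoneNumber)
    }
    override fun onStart() {
        super.onStart()
        // verifyPhoneNumber is reentrant: calling it again resumes an in-flight verification
        // (e.g. after the user switched to the SMS app) without sending a second SMS.
        phoneNumber?.let { if (verificationInProgress) startVerification(it) }
    }

    fun onPhoneNumberSubmitted(input: String) {
        // Require E.164 so a malformed number fails locally instead of consuming SMS quota.
        if (!input.matches(Regex("\\+[1-9]\\d{6,14}"))) { showError("Use E.164, e.g. +16505553434"); return }
        phoneNumber = input
        startVerification(input)
    }
    fun onResendRequested() { phoneNumber?.let { startVerification(it, resend = true) } }

    private fun startVerification(number: String, resend: Boolean = false) {
        val builder = PhoneAuthOptions.newBuilder(auth)
            .setPhoneNumber(number)
            .setTimeout(60L, TimeUnit.SECONDS) // auto-retrieval window before onCodeAutoRetrievalTimeOut
            .setActivity(this)                 // callbacks are detached automatically when the Activity stops
            .setCallbacks(callbacks)
        if (resend) resendToken?.let { builder.setForceResendingToken(it) }
        verificationInProgress = true
        PhoneAuthProvider.verifyPhoneNumber(builder.build())
    }

    fun onCodeSubmitted(code: String) {
        val id = storedVerificationId
        if (id == null || !code.matches(Regex("\\d{6}"))) { showError("Enter the 6-digit code"); return }
        signInWithPhoneAuthCredential(PhoneAuthProvider.getCredential(id, code))
    }

    private fun signInWithPhoneAuthCredential(credential: PhoneAuthCredential) {
        auth.signInWithCredential(credential).addOnCompleteListener(this) { task ->
            when {
                task.isSuccessful -> onSignedIn(task.result?.user?.uid)
                // Wrong code: keep storedVerificationId so the user can retry without a new SMS.
                task.exception is FirebaseAuthInvalidCredentialsException -> showError("Wrong verification code")
                else -> showError("Sign-in failed: ${task.exception?.message}")
            }
        }
    }

    private fun showCodeEntry() { /* swap the phone-number view for the code-entry view */ }
    private fun showError(message: String) { /* surface the message in the UI */ }
    private fun onSignedIn(uid: String?) { /* navigate to the signed-in screen */ }
}
```

Two points worth noting: the code-entry UI is shown from onCodeSent rather than after onCodeAutoRetrievalTimeOut, as the callbacks section recommends, and a wrong code is handled at signInWithCredential (where FirebaseAuthInvalidCredentialsException surfaces) without discarding the verification ID, so the user gets another attempt without triggering a new SMS.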
Test with fictional phone numbers
You can set up fictional phone numbers for development via the Firebase console. Testing with fictional phone numbers provides these benefits:
- Test phone number authentication without consuming your usage quota.
- Test phone number authentication without sending an actual SMS message.
- Run consecutive tests with the same phone number without getting throttled. This minimizes the risk of rejection during the app store review process if the reviewer happens to use the same phone number for testing.
- Test readily in development environments without any additional effort, such as the ability to develop in an iOS simulator or an Android emulator without Google Play Services.
- Write integration tests without being blocked by security checks normally applied on real phone numbers in a production environment.
Fictional phone numbers must meet these requirements:
- Make sure you use phone numbers that are indeed fictional, and do not already exist. Firebase Authentication does not allow you to set existing phone numbers used by real users as test numbers. One option is to use 555 prefixed numbers as US test phone numbers, for example: +1 650-555-3434
- Phone numbers have to be correctly formatted for length and other constraints. They will still go through the same validation as a real user’s phone number.
- You can add up to 10 phone numbers for development.
- Use test phone numbers/codes that are hard to guess and change those frequently.
Create fictional phone numbers and verification codes
- In the Firebase console, open the Authentication section.
- In the Sign in method tab, enable the Phone provider if you haven’t already.
- Open the Phone numbers for testing accordion menu.
- Provide the phone number you want to test, for example: +1 650-555-3434.
- Provide the 6-digit verification code for that specific number, for example: 654321.
- Add the number. If there’s a need, you can delete the phone number and its code by hovering over the corresponding row and clicking the trash icon.
Manual testing
You can directly start using a fictional phone number in your application. This allows you to perform manual testing during development stages without running into quota issues or throttling. You can also test directly from an iOS simulator or Android emulator without Google Play Services installed.
When you provide the fictional phone number and send the verification code, no actual SMS is sent. Instead, you need to provide the previously configured verification code to complete the sign in.
On sign-in completion, a Firebase user is created with that phone number. The user has the same behavior and properties as a real phone number user, and can access Realtime Database/Cloud Firestore and other services the same way. The ID token minted during this process is signed exactly like one for a real phone number user, so your backend and Security Rules cannot tell the two apart by the token alone.
If you want to restrict what these accounts can reach, set a test role via custom claims on them so that Security Rules and your backend can identify them as fake users.
To manually trigger the reCAPTCHA flow for testing, use the forceRecaptchaFlowForTesting() method.
Integration testing
In addition to manual testing, Firebase Authentication provides APIs to help write integration tests for phone auth testing. These APIs disable app verification by disabling the reCAPTCHA requirement in web and silent push notifications in iOS. This makes automation testing possible in these flows and easier to implement. In addition, they help provide the ability to test instant verification flows on Android.
On Android, call setAppVerificationDisabledForTesting() before calling verifyPhoneNumber. This disables app verification automatically, so the phone number is accepted without the user solving a reCAPTCHA. Note that even though reCAPTCHA and/or SafetyNet are disabled, using a real phone number will still fail to complete sign in. Only fictional phone numbers can be used with this API.
Calling verifyPhoneNumber with a fictional number triggers the onCodeSent callback, in which you'll need to provide the corresponding verification code. This allows testing in Android Emulators.
Additionally, you can test auto-retrieval flows in Android by setting the fictional number and its corresponding verification code for auto-retrieval by calling setAutoRetrievedSmsCodeForPhoneNumber .
When verifyPhoneNumber is called, it triggers onVerificationCompleted with the PhoneAuthCredential directly. This works only with fictional phone numbers.
Make sure this is disabled and no fictional phone numbers are hardcoded in your app when publishing your application to the Google Play store.
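The two test hooks above (setAppVerificationDisabledForTesting and setAutoRetrievedSmsCodeForPhoneNumber) together with forceRecaptchaFlowForTesting from the manual testing section, as an added example that is not the Firebase docs' own code. It wires all three behind the generated BuildConfig.DEBUG flag so the bypass cannot reach a store build. The object name, the fixtures TEST_PHONE and TEST_CODE (constructed values that must match an entry under "Phone numbers for testing" in the console) and BuildConfig being in the same package are assumptions.

```kotlin
import com.google.firebase.auth.FirebaseAuth
import com.google.firebase.auth.ktx.auth
import com.google.firebase.ktx.Firebase

// Added example, not the Firebase docs' own code. Assumes a fictional number and code
// registered in the console under "Phone numbers for testing" (constructed fixtures
// below) and that BuildConfig.DEBUG is the app's generated build flag.
object PhoneAuthTestConfig {
    const val TEST_PHONE = "+16505553434" // fictional by construction; never a real subscriber's number
    const val TEST_CODE = "654321"        // the code entered for TEST_PHONE in the console

    /**
     * Prepares [auth] for integration tests. Returns false and changes nothing in a
     * release build, so the app-verification bypass cannot ship in a store build.
     */
    fun enableForTests(auth: FirebaseAuth = Firebase.auth, autoRetrieve: Boolean = true): Boolean {
        if (!BuildConfig.DEBUG) return false
        val settings = auth.firebaseAuthSettings
        // Skip SafetyNet / reCAPTCHA app verification. Only fictional numbers still
        // complete sign-in afterwards; a real number fails even with this set.
        settings.setAppVerificationDisabledForTesting(true)
        if (autoRetrieve) {
            // Make verifyPhoneNumber fire onVerificationCompleted at once with a ready
            // credential, exercising the auto-retrieval path without any SMS.
            settings.setAutoRetrievedSmsCodeForPhoneNumber(TEST_PHONE, TEST_CODE)
        }
        return true
    }

    /** Forces the reCAPTCHA fallback so that flow can be exercised by hand in a debug build. */
    fun forceRecaptcha(auth: FirebaseAuth = Firebase.auth) {
        if (BuildConfig.DEBUG) auth.firebaseAuthSettings.forceRecaptchaFlowForTesting(true)
    }
}
```

Call PhoneAuthTestConfig.enableForTests() in the test's setup before verifyPhoneNumber. With autoRetrieve = true the callbacks receive onVerificationCompleted and a PhoneAuthCredential directly; with autoRetrieve = false they receive onCodeSent, and the test passes TEST_CODE to PhoneAuthProvider.getCredential. Keeping the fixtures in this object rather than scattered through the app makes the "no fictional numbers hardcoded in the release" check a single grep.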
Next steps
After a user signs in for the first time, a new user account is created and linked to the credentials—that is, the user name and password, phone number, or auth provider information—the user signed in with. This new account is stored as part of your Firebase project, and can be used to identify a user across every app in your project, regardless of how the user signs in.
In your apps, you can get the user’s basic profile information from the FirebaseUser object. See Manage Users.
In your Firebase Realtime Database and Cloud Storage Security Rules, you can get the signed-in user’s unique user ID from the auth variable, and use it to control what data a user can access.
You can allow users to sign in to your app using multiple authentication providers by linking auth provider credentials to an existing user account.
To sign out a user, call signOut on your FirebaseAuth instance.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.