You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Our application is built with email/password (+ optional MFA) auth. Our customers have long requested SSO login with Microsoft.
In the process of building out the UI and flows, the process will fail when MFA was enabled on the base (email auth) account.
Digging into the error, it fails because Firebase is requesting MFA re-authentication for a second time afterlinkWithPopup has completed.
To be clear I've already successfully re-authenticated with password/MFA before calling linkWithPopup.
In the Firebase auth UI I can see the account is already linked
If refresh the tab, the account will then be linked without needing to go through the second MFA flow.
Workaround
When the second MFA error is thrown, the page is hard refreshed so the user doesn't need to go through the MFA flow a second time.
Given that you can refresh to avoid the second MFA flow, this does not add any extra security
This works with no issue when using single factor authentication on the email auth account.
Steps and code to reproduce issue
Error
ConnectedAccounts.tsx:35 FirebaseError: Firebase: Error (auth/multi-factor-auth-required).
at createErrorInternal (assert.ts:146:1)
at _fail (assert.ts:65:1)
at _performSignInRequest (index.ts:252:1)
at async _logoutIfInvalidated (invalidation.ts:32:1)
at async _link$1 (link_unlink.ts:66:1)
at async PopupOperation.onAuthEvent (abstract_popup_redirect_operation.ts:103:1)
Code
import{EmailAuthProvider,getAuth,linkWithPopup,OAuthProvider,reauthenticateWithCredential,}from"firebase/auth";constmicrosoftProvider=newOAuthProvider("microsoft.com").setCustomParameters({prompt: "consent",// Force re-consent.});functionConnectedAccounts(){asyncfunctionreauthenticate(password: string){constcredential=EmailAuthProvider.credential(getAuth().currentUser!.email!,password);awaitreauthenticateWithCredential(getAuth().currentUser!,credential);}asyncfunctionlinkWithMicrosoft(){try{awaitlinkWithPopup(getAuth().currentUser!,microsoftProvider);}catch(error: any){if(error?.code==="auth/multi-factor-auth-required"){// Fore refresh page when this error gets hit by link being called// window.location.reload(); // WORKAROUND}else{throwerror;}}}constmyPassword="somePassword";asyncfunctionhandleLink(){try{awaitreauthenticate(myPassword);awaitlinkWithMicrosoft();}catch(error: any){if(error?.code==="auth/multi-factor-auth-required"){// trigger and complete MFA flow}else{throwerror;}}}return<buttononClick={handleLink}>Link to Microsoft</button>;}
Login by email
Call reauthenticate(password)
Complete Password and SMS MFA flow successfully
Popup tab appears
Consent to linking in Microsoft UI
Popup tab auto closes
Second "auth/multi-factor-auth-required" error is thrown in the link functions
At this point the account will show as linked in the Firebase auth UI
Refresh the page and the account will be linked correctly
The text was updated successfully, but these errors were encountered:
Operating System
Sonoma 14.5
Environment (if applicable)
Chrome Version 131
Firebase SDK Version
[email protected]
Firebase SDK Product(s)
Auth
Project Tooling
React App (18.2.0)
Webpack
Detailed Problem Description
Our application is built with email/password (+ optional MFA) auth. Our customers have long requested SSO login with Microsoft.
In the process of building out the UI and flows, the process will fail when MFA was enabled on the base (email auth) account.
Digging into the error, it fails because Firebase is requesting MFA re-authentication for a second time after
linkWithPopup
has completed.To be clear I've already successfully re-authenticated with password/MFA before calling
linkWithPopup
.Workaround
When the second MFA error is thrown, the page is hard refreshed so the user doesn't need to go through the MFA flow a second time.
Given that you can refresh to avoid the second MFA flow, this does not add any extra security
This works with no issue when using single factor authentication on the email auth account.
Steps and code to reproduce issue
Error
Code
reauthenticate(password)
"auth/multi-factor-auth-required"
error is thrown in thelink
functionsThe text was updated successfully, but these errors were encountered: