This error occurs when configuring an OIDC or OAuth provider in Firebase Authentication with invalid responseType settings. Either multiple response types are set to true, or none are enabled when exactly one must be.
This error appears when programmatically creating or updating an OAuth or OpenID Connect (OIDC) identity provider configuration using the Firebase Admin SDK or Identity Platform REST API. Firebase requires the `responseType` configuration object to have exactly one of its boolean properties (`code` or `idToken`) set to true. The `responseType` determines which OAuth 2.0 authorization flow Firebase will use with your identity provider. The `code` option enables the authorization code flow (recommended), while `idToken` enables the implicit grant flow. Firebase enforces that you must choose exactly one flow—you cannot enable both simultaneously, nor can you leave both disabled. This validation error typically occurs when using methods like `createProviderConfig()` or `updateProviderConfig()` in the Firebase Admin SDK, or when making direct REST API calls to configure SAML/OIDC providers.
Locate where you're creating or updating the OAuth/OIDC provider. Look for calls to createProviderConfig(), updateProviderConfig(), or REST API requests.
Check the responseType object structure:
// Incorrect - both are true
const config = {
responseType: {
code: true,
idToken: true // ❌ Only one can be true
}
};
// Incorrect - both are false
const config = {
responseType: {
code: false,
idToken: false // ❌ At least one must be true
}
};Choose the appropriate OAuth flow for your provider. Firebase recommends using the authorization code flow (code: true) when your provider supports it, as it's more secure.
For authorization code flow (recommended):
const config = {
displayName: 'My OIDC Provider',
enabled: true,
clientId: 'your-client-id',
issuer: 'https://your-provider.com',
responseType: {
code: true,
idToken: false
}
};
await admin.auth().createProviderConfig(config);For implicit flow (if provider doesn't support code flow):
const config = {
displayName: 'My OIDC Provider',
enabled: true,
clientId: 'your-client-id',
issuer: 'https://your-provider.com',
responseType: {
code: false,
idToken: true
}
};
await admin.auth().createProviderConfig(config);Ensure the responseType object is properly formatted with correct casing and boolean values:
// ✅ Correct
responseType: {
code: true,
idToken: false
}
// ❌ Wrong - incorrect casing
responseType: {
Code: true, // Should be lowercase 'code'
IdToken: false
}
// ❌ Wrong - string instead of boolean
responseType: {
code: "true", // Should be boolean true, not string
idToken: false
}After correcting the responseType configuration, test your provider setup:
const admin = require('firebase-admin');
async function createOIDCProvider() {
try {
const config = {
displayName: 'Corporate SSO',
enabled: true,
clientId: process.env.OIDC_CLIENT_ID,
issuer: 'https://auth.example.com',
responseType: {
code: true,
idToken: false
}
};
const provider = await admin.auth().createProviderConfig(config);
console.log('Provider created successfully:', provider.providerId);
} catch (error) {
console.error('Configuration error:', error.message);
}
}
createOIDCProvider();Verify the provider appears correctly in the Firebase Console under Authentication > Sign-in method.
Choosing the Right Response Type:
The authorization code flow (code: true) is more secure because it exchanges an authorization code for tokens on the server side, keeping sensitive credentials away from the browser. Use this when your identity provider supports it.
The implicit flow (idToken: true) returns tokens directly to the browser and is less secure. Only use this if your provider doesn't support the authorization code flow or for specific legacy integrations.
REST API Configuration:
If you're using the Identity Platform REST API directly, the responseType is configured in the request body:
{
"displayName": "My Provider",
"enabled": true,
"clientId": "client-id",
"issuer": "https://provider.com",
"responseType": {
"code": true,
"idToken": false
}
}Provider Type Differences:
This error applies to OIDC providers and some OAuth providers, but not to SAML providers which use a different configuration structure. SAML providers don't use the responseType configuration.
messaging/UNSPECIFIED_ERROR: No additional information available
How to fix "messaging/UNSPECIFIED_ERROR: No additional information available" in Firebase Cloud Messaging
App Check: reCAPTCHA Score Too Low
App Check reCAPTCHA Score Too Low
storage/invalid-url: Invalid URL format for Cloud Storage reference
How to fix invalid URL format in Firebase Cloud Storage
auth/missing-uid: User ID identifier required
How to fix "auth/missing-uid: User ID identifier required" in Firebase
auth/invalid-argument: Invalid parameter passed to method
How to fix "auth/invalid-argument: Invalid parameter passed to method" in Firebase