This error occurs when configuring an OpenID Connect (OIDC) provider in Firebase Authentication without providing the required OAuth client secret.
This error indicates that your Firebase Authentication configuration for an OIDC provider is missing the OAuth client secret. Firebase requires this secret when you're using the authorization code flow for OIDC authentication, which is the recommended and more secure approach. When setting up OIDC providers in Firebase, you must provide three critical values: your client ID, client secret, and the provider's issuer URL.

The client secret is a confidential string that your OIDC identity provider uses to verify ownership of the client ID. Without this secret, Firebase cannot complete the secure authentication flow with your OIDC provider. This error typically appears when adding a new OIDC provider in the Firebase Console or when calling `signInWithPopup()` or `signInWithRedirect()` with an OIDC provider that hasn't been properly configured.
Before configuring Firebase, you need to get the client secret from your OIDC identity provider (like Okta, Auth0, Azure AD, etc.).
1. Log into your OIDC provider's admin console
2. Navigate to your application or client registration
3. Locate the "Client Secret" or "Client Credentials" section
4. Copy the client secret value (you may need to generate a new one if it's not visible)
Keep this secret secure - treat it like a password.
Navigate to the Firebase Console and add or update your OIDC provider configuration:
1. Go to Firebase Console → Authentication → Sign-in method
2. Click Add new provider → OpenID Connect
3. Select Code flow (not implicit flow)
4. Fill in the required fields:
- Name: A descriptive name for this provider
- Client ID: From your OIDC provider
- Client Secret: Paste the secret you obtained in step 1
- Issuer URL: Your provider's issuer endpoint (e.g., https://accounts.google.com)
Click Save to apply the configuration.
Ensure your client code references the correct provider ID that Firebase generated:
```javascript
import { getAuth, signInWithPopup, OAuthProvider } from 'firebase/auth';

const auth = getAuth();

// Use the provider ID from Firebase Console (e.g., "oidc.example-provider")
const provider = new OAuthProvider('oidc.example-provider');

signInWithPopup(auth, provider)
  .then((result) => {
    // The provider's OAuth credential (ID/access token), if you need it server-side
    const credential = OAuthProvider.credentialFromResult(result);
    const user = result.user;
    console.log('Signed in:', user);
  })
  .catch((error) => {
    console.error('Auth error:', error.code, error.message);
  });
```

The provider ID follows the pattern oidc.<your-provider-name> and is shown in the Firebase Console.
Verify that the OIDC authentication now works correctly:
```javascript
import { getAuth, signInWithPopup, OAuthProvider } from 'firebase/auth';

// Wrapped in an async function so that `await` works outside an ES module
async function signInWithOidc() {
  const auth = getAuth();
  const provider = new OAuthProvider('oidc.example-provider');

  // Optional: request additional scopes
  provider.addScope('email');
  provider.addScope('profile');

  // Optional: pass custom parameters to the provider's authorization endpoint
  provider.setCustomParameters({
    prompt: 'consent'
  });

  try {
    const result = await signInWithPopup(auth, provider);
    console.log('Authentication successful!');
    console.log('User:', result.user);
    console.log('Provider ID:', result.providerId);
  } catch (error) {
    console.error('Auth failed:', error.code, error.message);
  }
}
```

If you still see errors, check the browser console for additional details.
Authorization Code Flow vs Implicit Flow
Firebase strongly recommends using the authorization code flow for OIDC authentication because it's more secure. The implicit flow doesn't require a client secret, but it's less secure and should be avoided when possible. If your application is registered at the OIDC provider as a public client (as some mobile SDKs are) and cannot be issued a client secret, you may need to use the implicit flow, but this is generally discouraged.
Public vs Confidential Clients
Some OIDC providers distinguish between public clients (like mobile apps or SPAs) and confidential clients (like server-side applications). Public clients typically don't use client secrets. If you're integrating with such a provider and they don't issue client secrets, you may need to check if Firebase supports your specific use case or consider using a different authentication method.
Rotating Client Secrets
For security best practices, periodically rotate your OAuth client secrets. When you do this, update the secret in both your OIDC provider's configuration and in Firebase Console to prevent authentication disruptions.
Environment-Specific Configuration
If you use multiple Firebase projects (development, staging, production), ensure each has its own OIDC provider configuration with the appropriate client secrets. Don't share secrets across environments.
Debugging Provider Configuration
If authentication still fails after configuring the client secret, verify:
- The issuer URL exactly matches your provider's OpenID configuration endpoint
- Your redirect URIs in the provider's configuration include Firebase's auth domain (https://<project-id>.firebaseapp.com/__/auth/handler)
- The client secret hasn't expired (some providers set expiration dates)
- Network requests to the issuer URL aren't blocked by CORS or firewalls
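The following is an added example, not code from the original page or from the Firebase SDK: it runs the configuration checks above offline against a constructed discovery document of the kind a provider serves at <issuer>/.well-known/openid-configuration. `checkProviderConfig` and `firebaseRedirectUri` are hypothetical helper names, and the config object shape is assumed.

```javascript
// Added example: offline consistency checks for a Firebase OIDC provider setup.
// Constructed sample of a provider's OpenID discovery document.
const SAMPLE_DISCOVERY = {
  issuer: 'https://id.example.com',
  authorization_endpoint: 'https://id.example.com/oauth2/v1/authorize',
  token_endpoint: 'https://id.example.com/oauth2/v1/token',
  jwks_uri: 'https://id.example.com/oauth2/v1/keys',
  response_types_supported: ['code', 'id_token', 'code id_token'],
};

// Redirect URI that must be registered at the provider for a Firebase project.
function firebaseRedirectUri(projectId) {
  return `https://${projectId}.firebaseapp.com/__/auth/handler`;
}

// Returns a list of configuration problems; an empty list means the settings
// are consistent with the provider's discovery document. `config` is assumed
// to carry projectId, clientId, clientSecret and issuerUrl (hypothetical shape).
function checkProviderConfig(config, discovery, registeredRedirectUris) {
  const problems = [];
  if (!config.clientSecret) {
    problems.push('client secret is empty (required for the code flow)');
  }
  if (!config.issuerUrl.startsWith('https://')) {
    problems.push('issuer URL must use https');
  }
  // OIDC Discovery requires the configured issuer to match the `issuer` claim
  // exactly; a stray trailing slash is enough to break ID token validation.
  if (config.issuerUrl !== discovery.issuer) {
    problems.push(`issuer mismatch: configured "${config.issuerUrl}", provider reports "${discovery.issuer}"`);
  }
  for (const key of ['authorization_endpoint', 'token_endpoint', 'jwks_uri']) {
    if (!discovery[key]) problems.push(`discovery document lacks ${key}`);
  }
  if (!(discovery.response_types_supported || []).includes('code')) {
    problems.push('provider does not advertise response_type=code');
  }
  const expected = firebaseRedirectUri(config.projectId);
  if (!registeredRedirectUris.includes(expected)) {
    problems.push(`redirect URI ${expected} is not registered at the provider`);
  }
  return problems;
}
```

Run it with the issuer URL and redirect URI list copied from your provider's console; any non-empty result points at one of the checklist items above.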