bug: iOS Google Sign-In fails with Google Identity for iOS App Check enforcement (Error 400: invalid_request) #943

@suresh-kumar-18

Plugin(s)

  • Analytics
  • App
  • App Check
  • Authentication
  • Crashlytics
  • Cloud Firestore
  • Cloud Functions
  • Cloud Messaging
  • Cloud Storage
  • Performance
  • Remote Config

Version

  • @capacitor-firebase/app-check: 7.5.0
  • @capacitor-firebase/authentication: 7.5.0
  • @capacitor/ios: 8.0.0
  • firebase: 11.10.0

Platform(s)

  • Android
  • iOS
  • Web

Current behavior

On iOS, Google Sign-In fails when Firebase App Check Google Identity for iOS enforcement is enabled.

During FirebaseAuthentication.signInWithGoogle(), the OAuth flow returns:
Error 400: invalid_request
"We cannot verify the authenticity of this app. Token failed."

The request appears to be blocked due to App Check validation failure.
Disabling App Check enforcement allows Google Sign-In to work as expected.

Expected behavior

Google Sign-In should succeed on iOS when App Check is enabled and properly configured,
or the plugin should provide a clear way to attach / forward a valid App Check token
during Google authentication.

At minimum, documentation or guidance on the required configuration
for Google Identity + App Check on iOS is expected.

Reproduction

Not able to share a public minimal reproduction repository due to project constraints. However, the issue is consistently reproducible with App Check enforcement enabled on iOS using @capacitor-firebase/authentication.

Steps to reproduce

  1. Create an Ionic + Angular app using Capacitor.
  2. Install:
    • @capacitor-firebase/app-check
    • @capacitor-firebase/authentication
  3. Enable Firebase App Check in the Firebase Console (enforcement ON).
  4. Configure Google Sign-In for iOS.
  5. Call FirebaseAuthentication.signInWithGoogle() on iOS.
  6. Observe authentication failure with Error 400: invalid_request.
  7. Disable App Check enforcement → Google Sign-In works.

Other information

  • Issue occurs only on iOS
  • Android works as expected
  • Error happens before backend token exchange
  • Requests appear to come from unverified / outdated clients without a valid App Check token
  • Using native FirebaseAuthentication.signInWithGoogle()

Capacitor doctor

const result = await FirebaseAuthentication.signInWithGoogle();
Error 400: invalid_request
We cannot verify the authenticity of this app.

  • Is App Check token automatically attached during Google Sign-In on iOS?
  • Is additional configuration required for Google Identity + App Check?
  • Is this a known limitation or missing integration?
    npx cap doctor

Before submitting

  • I have read and followed the bug report guidelines.
  • I have attached links to possibly related issues and discussions.
  • I understand that incomplete issues (e.g. without reproduction) are closed.
