
Error 17094: Nonce mismatch despite nonces matching perfectly in Apple Sign-In

Open niyazovdaulet opened this issue 2 weeks ago • 2 comments

Description

Expected Behavior: When a user signs in with Apple, Firebase should successfully authenticate the user after verifying that the nonce in the Apple ID token matches the SHA256 hash of the raw nonce passed to Firebase.

Actual Behavior: Firebase rejects the authentication with error 17094 (ERROR_MISSING_OR_INVALID_NONCE), claiming that "The nonce in ID Token does not match the SHA256 hash of the raw nonce in the request."

However, our detailed logging shows that:

  • The nonce hash we compute matches the nonce in Apple's ID token perfectly
  • The raw nonce is correctly passed to Firebase (not the hashed version)
  • All hash computations are correct and verified multiple times

Evidence: Our logs clearly demonstrate that the nonces match:

🍎 [AppleSignInResult] 🔍 NONCE IN TOKEN (from Apple): Hho+9ABBJ8flkVUQIGEuCrKwLZqVT75ipZMK/9ReN3o=
🍎 [AppleSignInResult] 🔍 NONCE WE SENT (to Apple): Hho+9ABBJ8flkVUQIGEuCrKwLZqVT75ipZMK/9ReN3o=
🍎 [AppleSignInResult] 🔍 Do they match? true
🍎 [AppleSignInResult] Hashes match: true

Yet Firebase still rejects with:

Error Domain=FIRAuthErrorDomain Code=17094 "The nonce in ID Token "Hho+9ABBJ8flkVUQIGEuCrKwLZqVT75ipZMK/9ReN3o=" does not match the SHA256 hash of the raw nonce "6G_0cA0JElSPGVT1.vZJr9dSfenY1AZB" in the request."

This appears to be a bug in the Firebase SDK where it's incorrectly computing or comparing the nonce hash, or there's an issue with how the nonce string is being processed internally.


Reproducing the issue

Steps to Reproduce

  1. Configure Apple Sign-In in Firebase Console with:
    • Services ID: com.daukas.anotherlife.signin
    • Team ID: UN7Z6PG82D
    • Key ID: 4AVW7W7MJ6 (or any valid Key ID)
    • Private Key: Valid .p8 file contents
  2. Run the app on a real iOS device
  3. Tap "Sign in with Apple"
  4. Complete Apple authentication
  5. Observe error 17094 despite nonces matching

Minimal Reproducible Example

See code implementation below. The issue occurs consistently on every sign-in attempt.

Firebase SDK Version

12.6.0

Xcode Version

15.3

Installation Method

Swift Package Manager

Firebase Product(s)

All

Targeted Platforms

iOS

Relevant Log Output

[Firebase/Crashlytics] Version 12.6.0

🍎 [SignInWithApple] Starting Apple Sign-In flow...
🍎 [SignInWithApple] Cleared previous nonce and hash
🍎 [SignInWithApple] Generated raw nonce: 6G_0cA0JElSPGVT1.vZJr9dSfenY1AZB
🍎 [SignInWithApple] Raw nonce length: 32 characters
🍎 [SignInWithApple] Raw nonce bytes (UTF-8): 32 bytes
🍎 [SignInWithApple] Computed nonce hash (base64): Hho+9ABBJ8flkVUQIGEuCrKwLZqVT75ipZMK/9ReN3o=
🍎 [SignInWithApple] Nonce hash length: 44 characters
🍎 [SignInWithApple] Computed nonce hash (hex): 1e1a3ef4004127c7e591551020612e0ab2b02d9a954fbe62a5930affd45e377a
🍎 [SignInWithApple] Hex hash length: 64 characters
🍎 [SignInWithApple] Nonce hash is valid base64, decoded to 32 bytes
🍎 [SignInWithApple] Set request.nonce to: Hho+9ABBJ8flkVUQIGEuCrKwLZqVT75ipZMK/9ReN3o=
🍎 [SignInWithApple] Request scopes: ["full_name", "email"]
🍎 [SignInWithApple] Presenting authorization controller...

🍎 [ASAuthorizationDelegate] ✅ Authorization completed successfully
🍎 [AppleSignInResult] Received authorization result
🍎 [AppleSignInResult] ✅ Successfully got Apple ID credential
🍎 [AppleSignInResult] User ID: 000982.83267ae015454897b6ce6aa0a169e017.1340
🍎 [AppleSignInResult] Email: not provided
🍎 [AppleSignInResult] Full name: 

🍎 [AppleSignInResult] Retrieved stored nonce: 6G_0cA0JElSPGVT1.vZJr9dSfenY1AZB
🍎 [AppleSignInResult] Stored nonce length: 32 characters
🍎 [AppleSignInResult] Stored nonce bytes (UTF-8): 32 bytes
🍎 [AppleSignInResult] Re-computed hash from stored nonce: Hho+9ABBJ8flkVUQIGEuCrKwLZqVT75ipZMK/9ReN3o=

🍎 [AppleSignInResult] ✅ Successfully decoded ID token
🍎 [AppleSignInResult] ID token string length: 904 characters
🍎 [AppleSignInResult] ID token preview: eyJraWQiOiJZUXJxZE1ENGJxIiwiYWxnIjoiUlMyNTYifQ.eyJ...

🍎 [AppleSignInResult] ID Token Key ID (kid): YQrqdMD4bq
🍎 [AppleSignInResult] Note: This is Apple's public key ID, not your private key ID
🍎 [AppleSignInResult] Firebase should automatically fetch Apple's public keys to verify the signature

🍎 [AppleSignInResult] ID Token payload decoded successfully
🍎 [AppleSignInResult] 🔍 NONCE IN TOKEN (from Apple): Hho+9ABBJ8flkVUQIGEuCrKwLZqVT75ipZMK/9ReN3o=
🍎 [AppleSignInResult] 🔍 NONCE WE SENT (to Apple): Hho+9ABBJ8flkVUQIGEuCrKwLZqVT75ipZMK/9ReN3o=
🍎 [AppleSignInResult] 🔍 Do they match? true

🍎 [AppleSignInResult] Using raw nonce for Firebase: 6G_0cA0JElSPGVT1.vZJr9dSfenY1AZB
🍎 [AppleSignInResult] Raw nonce for Firebase length: 32 characters
🍎 [AppleSignInResult] Creating credential with OAuthProvider.appleCredential...

🍎 [AppleSignInResult] Raw nonce for credential: '6G_0cA0JElSPGVT1.vZJr9dSfenY1AZB'
🍎 [AppleSignInResult] Raw nonce hex representation: 36475f306341304a456c5350475654312e765a4a7239645366656e5931415a42
🍎 [AppleSignInResult] Raw nonce UTF-8 byte count: 32

🍎 [AppleSignInResult] Verification hash: Hho+9ABBJ8flkVUQIGEuCrKwLZqVT75ipZMK/9ReN3o=
🍎 [AppleSignInResult] Expected hash (from token): Hho+9ABBJ8flkVUQIGEuCrKwLZqVT75ipZMK/9ReN3o=
🍎 [AppleSignInResult] Hashes match: true

🍎 [AppleSignInResult] Clean nonce hash: Hho+9ABBJ8flkVUQIGEuCrKwLZqVT75ipZMK/9ReN3o=
🍎 [AppleSignInResult] Original hash: Hho+9ABBJ8flkVUQIGEuCrKwLZqVT75ipZMK/9ReN3o=
🍎 [AppleSignInResult] Clean hash matches: true

🍎 [AppleSignInResult] ✅ Firebase credential created
🍎 [AppleSignInResult] Nonce passed to Firebase: '6G_0cA0JElSPGVT1.vZJr9dSfenY1AZB'
🍎 [AppleSignInResult] Nonce length: 32

🍎 [AppleSignInResult] Attempting to sign in with Firebase...

🍎 [AppleSignInResult] ❌ ERROR: Firebase sign-in failed
🍎 [AppleSignInResult] Error domain: FIRAuthErrorDomain
🍎 [AppleSignInResult] Error code: 17094
🍎 [AppleSignInResult] Error description: The nonce in ID Token "Hho+9ABBJ8flkVUQIGEuCrKwLZqVT75ipZMK/9ReN3o=" does not match the SHA256 hash of the raw nonce "6G_0cA0JElSPGVT1.vZJr9dSfenY1AZB" in the request.
🍎 [AppleSignInResult] Full error: Error Domain=FIRAuthErrorDomain Code=17094 "The nonce in ID Token "Hho+9ABBJ8flkVUQIGEuCrKwLZqVT75ipZMK/9ReN3o=" does not match the SHA256 hash of the raw nonce "6G_0cA0JElSPGVT1.vZJr9dSfenY1AZB" in the request." UserInfo={FIRAuthErrorUserInfoNameKey=ERROR_MISSING_OR_INVALID_NONCE, NSLocalizedDescription=The nonce in ID Token "Hho+9ABBJ8flkVUQIGEuCrKwLZqVT75ipZMK/9ReN3o=" does not match the SHA256 hash of the raw nonce "6G_0cA0JElSPGVT1.vZJr9dSfenY1AZB" in the request.}
🍎 [AppleSignInResult] Error userInfo: ["FIRAuthErrorUserInfoNameKey": "ERROR_MISSING_OR_INVALID_NONCE", "NSLocalizedDescription": "The nonce in ID Token \"Hho+9ABBJ8flkVUQIGEuCrKwLZqVT75ipZMK/9ReN3o=\" does not match the SHA256 hash of the raw nonce \"6G_0cA0JElSPGVT1.vZJr9dSfenY1AZB\" in the request."]

🍎 [AppleSignInResult] Sign-in process completed, isLoading set to false

If using Swift Package Manager, the project's Package.resolved

{
  "originHash" : "a1569f9895aa2be8e24832f98525d5da4eb90b5d158a82691c15b47eb72a13d7",
  "pins" : [
    {
      "identity" : "firebase-ios-sdk",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/firebase/firebase-ios-sdk.git",
      "state" : {
        "revision" : "087bb95235f676c1a37e928769a5b6645dcbd325",
        "version" : "12.6.0"
      }
    }
  ],
  "version" : 3
}


niyazovdaulet avatar Dec 02 '25 20:12 niyazovdaulet
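
Added example, not part of the issue or the Firebase SDK: a check of which text encoding of SHA-256(raw nonce) an ID token's nonce claim carries, run on the raw nonce and token nonce from the logs above. The sample in Firebase's Sign in with Apple documentation sets `request.nonce` to the lowercase hex digest, while these logs set it to the base64 form; that the Firebase check compares against the hex string is an assumption here, and `classify`, `nonceClaim` and the unsigned stand-in token are hypothetical names and values constructed for illustration.

```swift
import CryptoKit
import Foundation

enum DigestEncoding: String { case hex, base64, base64url, noMatch }

/// Reports which text encoding of SHA-256(rawNonce), if any, equals the claim.
func classify(claim: String, rawNonce: String) -> DigestEncoding {
    let digest = Data(SHA256.hash(data: Data(rawNonce.utf8)))
    let hex = digest.map { String(format: "%02x", $0) }.joined()
    let b64 = digest.base64EncodedString()
    let b64url = b64.replacingOccurrences(of: "+", with: "-")
        .replacingOccurrences(of: "/", with: "_")
        .replacingOccurrences(of: "=", with: "")
    switch claim {
    case hex: return .hex
    case b64: return .base64
    case b64url: return .base64url
    default: return .noMatch
    }
}

/// Reads the `nonce` claim from a JWT payload. The signature is NOT verified,
/// so this is for local diagnostics only.
func nonceClaim(inIDToken jwt: String) -> String? {
    let parts = jwt.split(separator: ".")
    guard parts.count == 3 else { return nil }
    var b64 = parts[1].replacingOccurrences(of: "-", with: "+")
        .replacingOccurrences(of: "_", with: "/")
    b64 += String(repeating: "=", count: (4 - b64.count % 4) % 4)
    guard let data = Data(base64Encoded: b64),
          let object = try? JSONSerialization.jsonObject(with: data),
          let claims = object as? [String: Any] else { return nil }
    return claims["nonce"] as? String
}

// Values copied from the log output above.
let rawNonce = "6G_0cA0JElSPGVT1.vZJr9dSfenY1AZB"
let loggedTokenNonce = "Hho+9ABBJ8flkVUQIGEuCrKwLZqVT75ipZMK/9ReN3o="

// Constructed, unsigned stand-in for the ID token (the page shows only a preview).
let payload = try! JSONSerialization.data(withJSONObject: ["nonce": loggedTokenNonce])
let token = "e30." + payload.base64EncodedString() + ".sig"

if let claim = nonceClaim(inIDToken: token) {
    let encoding = classify(claim: claim, rawNonce: rawNonce)
    print("nonce claim encoding: \(encoding.rawValue)")
    if encoding != .hex {
        print("request.nonce was not the lowercase hex digest")
    }
}
```

A string comparison between a base64 digest and a hex digest fails even when both encode the same 32 bytes, which is why a byte-level "hashes match" log line does not rule out an encoding mismatch.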

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

google-oss-bot avatar Dec 02 '25 20:12 google-oss-bot

Hi @niyazovdaulet, apologies for the trouble. I wasn't able to reproduce this in our auth sample app using my IDs/certs/keys.

Are you able to break this down into a minimal, reproducible example?

ncooke3 avatar Dec 03 '25 20:12 ncooke3

Hey @niyazovdaulet. We need more information to resolve this issue but there hasn't been an update in 5 weekdays. I'm marking the issue as stale and if there are no new updates in the next 5 days I will close it automatically.

If you have more information that will help us get to the bottom of this, just add a comment!

google-oss-bot avatar Dec 10 '25 18:12 google-oss-bot

Since there haven't been any recent updates here, I am going to close this issue.

@niyazovdaulet if you're still experiencing this problem and want to continue the discussion just leave a comment here and we are happy to re-open this.

google-oss-bot avatar Dec 16 '25 18:12 google-oss-bot