Is there a way to not create a new user and only allow existing users to login with firebase_auth, google sign in?

Question

I would like my app to only authenticate previously logged in users and not create new users. I'm using flutter and Firebase Authentication. I'm using google as a sign in method.

Ive searched the internet for a solution with no such luck. All of the examples i see create new users in the process

void _signInWithGoogle() async {
  final GoogleSignInAccount googleUser = await _googleSignIn.signIn();
  final GoogleSignInAuthentication googleAuth =
      await googleUser.authentication;
  final AuthCredential credential = GoogleAuthProvider.getCredential(
    accessToken: googleAuth.accessToken,
    idToken: googleAuth.idToken,
  );
  final FirebaseUser user = await _auth.signInWithCredential(credential);

  assert(user.email != null);
  assert(user.displayName != null);
  assert(!user.isAnonymous);
  assert(await user.getIdToken() != null);

  final FirebaseUser currentUser = await _auth.currentUser();
  assert(user.uid == currentUser.uid);
  setState(() {
    if (user != null) {
      _success = true;
      _userID = user.uid;
      print(user.displayName);
      print(user.phoneNumber);
      print(user.email);
    } else {
      _success = false;
    }
  });
}

I expected this to fail when there was a new user trying to login. but this seems to create a user and then log him in.

Answer 1

Update (2023): nowadays it is actually possible to control who can sing-up or sign-in to your Firebase project through blocking Cloud Functions. So you could allow sign-in from the client-side SDK, but reject any user creation by throwing an error.

---

There is no way to prevent a user from signing in with Firebase Authentication. If the provider is enabled, users can sign in with that provider.

But them signing in does nothing more than prove their credentials. If I sign in to your app with a Google account, all it does is proving that I know the credentials of that Google account.

Whether you grant a user access to certain resources (known as authorization) is a completely separate process, and is up to your application. For example, if you're using the Firebase Realtime Database, or Cloud Firestore to store data, then you can control who can access this data with their server-side security rules. And in those security rules, you can ensure that only users you know have access to the data.

For example, see my answer here for how to limit access to the realtime database to users signing in with a verified email address from a specific domain: How do I lock down Firebase Database to any user from a specific (email) domain?

This question might also be handy, as it shows how to maintain a list of allowed email addresses that can access data in Cloud Firestore: Prevent user account creation with sign in by email in firestore.