docs: create migration guide for version 9.0.0 (#2185)

thatfiredev · thatfiredev · commit 8e513ca4bdcb · 2025-03-17T18:33:21.000Z
* bump version in Config.kt (9.0.0)

* docs: update README.md with version 9.0.0

* remove `-SNAPSHOT`

* docs: create migration guide for v9.0

* Revert -SNAPSHOT change

This should be done during release

* docs: replace Smart Lock with Credential Manager

Also removes silentSignIn
diff --git a/README.md b/README.md
@@ -48,16 +48,16 @@ libraries.
 ```groovy
 dependencies {
     // FirebaseUI for Firebase Realtime Database
-    implementation 'com.firebaseui:firebase-ui-database:8.0.2'
+    implementation 'com.firebaseui:firebase-ui-database:9.0.0'
 
     // FirebaseUI for Cloud Firestore
-    implementation 'com.firebaseui:firebase-ui-firestore:8.0.2'
+    implementation 'com.firebaseui:firebase-ui-firestore:9.0.0'
 
     // FirebaseUI for Firebase Auth
-    implementation 'com.firebaseui:firebase-ui-auth:8.0.2'
+    implementation 'com.firebaseui:firebase-ui-auth:9.0.0'
 
     // FirebaseUI for Cloud Storage
-    implementation 'com.firebaseui:firebase-ui-storage:8.0.2'
+    implementation 'com.firebaseui:firebase-ui-storage:9.0.0'
 }
 ```
 
@@ -71,6 +71,7 @@ After the project is synchronized, we're ready to start using Firebase functiona
 If you are using an old version of FirebaseUI and upgrading, please see the appropriate
 migration guide:
 
+* [Upgrade from 8.0.2 to 9.x.x](./docs/upgrade-to-9.0.md)
 * [Upgrade from 7.2.0 to 8.x.x](./docs/upgrade-to-8.0.md)
 * [Upgrade from 6.4.0 to 7.x.x](./docs/upgrade-to-7.0.md)
 * [Upgrade from 5.1.0 to 6.x.x](./docs/upgrade-to-6.0.md)
diff --git a/auth/README.md b/auth/README.md
@@ -13,7 +13,7 @@ providers such as Google Sign-In, and Facebook Login. It is built on top of
 
 The best practices embodied in FirebaseUI aim to maximize sign-in
 and sign-up conversion for your app. It integrates with
-[Smart Lock for Passwords](https://developers.google.com/identity/smartlock-passwords/android/)
+[Credential Manager](https://developer.android.com/identity/sign-in/credential-manager)
 to store and retrieve credentials, enabling automatic and single-tap sign-in to
 your app for returning users. It also handles tricky use cases like
 account recovery and account linking that are security sensitive and
@@ -38,7 +38,6 @@ and [Web](https://github.com/firebase/firebaseui-web/).
 1. [Usage instructions](#using-firebaseui-for-authentication)
    1. [AuthUI sign-in](#authui-sign-in)
    1. [Handling responses](#handling-the-sign-in-response)
-   1. [Silent sign-in](#silent-sign-in)
    1. [Sign out](#sign-out)
    1. [Account deletion](#deleting-accounts)
    1. [Upgrading Anonymous Users](#upgrading-anonymous-users)
@@ -65,7 +64,7 @@ Gradle, add the dependency:
 ```groovy
 dependencies {
     // ...
-    implementation 'com.firebaseui:firebase-ui-auth:8.0.2'
+    implementation 'com.firebaseui:firebase-ui-auth:9.0.0'
 
     // Required only if Facebook login support is required
     // Find the latest Facebook SDK releases here: https://github.com/facebook/facebook-android-sdk/blob/master/CHANGELOG.md
@@ -406,45 +405,19 @@ Intent signInIntent =
         .build();
 ```
 
-##### Smart Lock
+##### Credential Manager
 
-By default, FirebaseUI uses [Smart Lock for Passwords](https://developers.google.com/identity/smartlock-passwords/android/)
+By default, FirebaseUI uses [Credential Manager](https://developer.android.com/identity/sign-in/credential-manager)
 to store the user's credentials and automatically sign users into your app on subsequent attempts.
-Using Smart Lock is recommended to provide the best user experience, but in some cases you may want
-to disable Smart Lock for testing or development. To disable Smart Lock, you can use the
-`setIsSmartLockEnabled` method when building your sign-in Intent:
+Using Credential Manager is recommended to provide the best user experience, but in some cases you may want
+to disable Credential Manager for testing or development. To disable Credential Manager, you can use the
+`setCredentialManagerEnabled` method when building your sign-in Intent:
 
 ```java
 Intent signInIntent =
     AuthUI.getInstance()
         .createSignInIntentBuilder()
-        .setIsSmartLockEnabled(false)
-        .build();
-```
-
-###### Smart Lock hints
-
-If you'd like to keep Smart Lock's "hints" but disable the saving/retrieving of credentials, then
-you can use the two-argument version of `setIsSmartLockEnabled`:
-
-```java
-Intent signInIntent =
-    AuthUI.getInstance()
-        .createSignInIntentBuilder()
-        .setIsSmartLockEnabled(false, true)
-        .build();
-```
-
-###### Smart Lock in dev builds
-
-It is often desirable to disable Smart Lock in development but enable it in production. To achieve
-this, you can use the `BuildConfig.DEBUG` flag to control Smart Lock:
-
-```java
-Intent signInIntent =
-    AuthUI.getInstance()
-        .createSignInIntentBuilder()
-        .setIsSmartLockEnabled(!BuildConfig.DEBUG /* credentials */, true /* hints */)
+        .setCredentialManagerEnabled(false)
         .build();
 ```
 
@@ -603,48 +576,13 @@ if (metadata.getCreationTimestamp() == metadata.getLastSignInTimestamp()) {
 }
 ```
 
-### Silent sign-in
-
-If a user is not currently signed in, then a silent sign-in process can be started first before
-displaying any UI to provide a seamless experience. Silent sign-in uses saved Smart Lock credentials
-and returns a successful `Task` only if the user has been fully signed in with Firebase.
-
-Here's an example of how you could use silent sign-in paired with Firebase anonymous sign-in to get
-your users up and running as fast as possible:
-
-```java
-List<IdpConfig> providers = getSelectedProviders();
-AuthUI.getInstance().silentSignIn(this, providers)
-        .continueWithTask(this, new Continuation<AuthResult, Task<AuthResult>>() {
-    @Override
-    public Task<AuthResult> then(@NonNull Task<AuthResult> task) {
-        if (task.isSuccessful()) {
-            return task;
-        } else {
-            // Ignore any exceptions since we don't care about credential fetch errors.
-            return FirebaseAuth.getInstance().signInAnonymously();
-        }
-    }
-}).addOnCompleteListener(this, new OnCompleteListener<AuthResult>() {
-    @Override
-    public void onComplete(@NonNull Task<AuthResult> task) {
-        if (task.isSuccessful()) {
-            // Signed in! Start loading data
-        } else {
-            // Uh oh, show error message
-        }
-    }
-});
-```
-
 ### Sign out
 
 With the integrations provided by AuthUI, signing out a user is a multi-stage process:
 
 1. The user must be signed out of the FirebaseAuth instance.
-1. Smart Lock for Passwords must be instructed to disable automatic sign-in, in
-   order to prevent an automatic sign-in loop that prevents the user from
-   switching accounts.
+1. Credential Manager must be instructed to clear the current user credential state from
+   all credential providers.
 1. If the current user signed in using either Google or Facebook, the user must
    also be signed out using the associated API for that authentication method.
    This typically ensures that the user will not be automatically signed-in
@@ -677,7 +615,7 @@ if (v.getId() == R.id.sign_out) {
 With the integrations provided by FirebaseUI Auth, deleting a user is a multi-stage process:
 
 1. The user must be deleted from Firebase Auth.
-1. Smart Lock for Passwords must be told to delete any existing Credentials for the user, so
+1. Credential Manager must be told to delete any existing Credentials for the user, so
    that they are not automatically prompted to sign in with a saved credential in the future.
 
 This process is encapsulated by the `AuthUI.delete()` method, which returns a `Task` representing
diff --git a/buildSrc/src/main/kotlin/Config.kt b/buildSrc/src/main/kotlin/Config.kt
@@ -1,5 +1,5 @@
 object Config {
-    const val version = "8.0.2"
+    const val version = "9.0.0-SNAPSHOT"
     val submodules = listOf("auth", "common", "firestore", "database", "storage")
 
     private const val kotlinVersion = "2.1.0"
diff --git a/docs/upgrade-to-9.0.md b/docs/upgrade-to-9.0.md
@@ -0,0 +1,47 @@
+# Upgrading to FirebaseUI 9.0
+
+FirebaseUI version `9.0.0` has significant breaking API changes and also adopts new major versions
+of many critical dependencies. Below is a description of each breaking change.
+
+## All - Update to Firebase BoM 33
+
+FirebaseUI now depends on the Firebase SDK at BoM major version `33.9.0`. You should update your
+app to use the same major version to avoid possible compilation errors or crashes.
+
+For more information on this SDK release see the
+[Firebase Android SDK release notes](https://firebase.google.com/support/release-notes/android#bom_v33-9-0).
+
+Release Notes for other BoM versions with breaking changes:
+- [Firebase Android SDK BoM 32.0.0](https://firebase.google.com/support/release-notes/android#bom_v32-0-0)
+- [Firebase Android SDK BoM 31.0.0](https://firebase.google.com/support/release-notes/android#bom_v31-0-0)
+- [Firebase Android SDK BoM 30.0.0](https://firebase.google.com/support/release-notes/android#bom_v30-0-0)
+- [Firebase Android SDK BoM 29.0.0](https://firebase.google.com/support/release-notes/android#bom_v29-0-0)
+
+## Auth - Remove Smart Lock
+
+[Smart Lock for Passwords](https://developers.google.com/identity/smartlock-passwords/android/overview)
+, which was deprecated in 2022, is now removed from the Google Play Services Auth SDK
+(`com.google.android.gms:play-services-auth`).
+FirebaseUI Android has been updated to use [Credential Manager](https://developer.android.com/training/sign-in/passkeys)
+instead.
+
+Due to this change, some APIs have changed:
+
+- The `AuthUI#setIsSmartLockEnabled(boolean enableCredentials)` method has been replaced with the new
+ `setCredentialManagerEnabled(Boolean)` method.
+- The `AuthUI#setIsSmartLockEnabled(boolean enableCredentials, boolean enableHints)` method has been
+ removed with no replacement (for now).
+- The `AuthUI#silentSignIn()` method has been removed with no replacement.
+
+## Auth - (behavior change) new Email authentication flow
+
+Versions 8.x and older of FirebaseUI relied on methods like `fetchSignInForEmail`, which
+now fail with the introduction of
+[Email Enumeration Protection](https://cloud.google.com/identity-platform/docs/admin/email-enumeration-protection).
+
+Version 9.0 removed those methods and now shows a different flow for email sign in and sign up.
+
+## Auth - Removed SafetyNet
+
+[Firebase Auth v22.0.0](https://firebase.google.com/support/release-notes/android#auth_v22-0-0)
+removed SafetyNet support for app verification during phone number authentication.
