From ecf0637f2245c98769cf6c7f64e6aec427238fff Mon Sep 17 00:00:00 2001
From: mansisampat <sammansi@google.com>
Date: Wed, 18 Jun 2025 14:21:13 +0530
Subject: [PATCH 1/9] Pass API Key as request param for Regional Auth requests

---
 .../auth/src/api/authentication/exchange_token.test.ts   | 8 ++++++--
 packages/auth/src/api/authentication/exchange_token.ts   | 2 +-
 packages/auth/src/api/index.test.ts                      | 2 ++
 packages/auth/src/api/index.ts                           | 9 +--------
 packages/auth/src/core/strategies/exchange_token.test.ts | 8 ++++++--
 packages/auth/src/core/strategies/exhange_token.ts       | 3 ++-
 packages/auth/test/helpers/api/helper.ts                 | 6 ++++--
 7 files changed, 22 insertions(+), 16 deletions(-)

diff --git a/packages/auth/src/api/authentication/exchange_token.test.ts b/packages/auth/src/api/authentication/exchange_token.test.ts
index 6a3b1b366e8..f89e60f2b67 100644
--- a/packages/auth/src/api/authentication/exchange_token.test.ts
+++ b/packages/auth/src/api/authentication/exchange_token.test.ts
@@ -37,7 +37,8 @@ describe('api/authentication/exchange_token', () => {
   let regionalAuth: TestAuth;
   const request = {
     parent: 'test-parent',
-    token: 'custom-token'
+    // eslint-disable-next-line camelcase
+    id_token: 'custom-token'
   };
 
   beforeEach(async () => {
@@ -52,6 +53,7 @@ describe('api/authentication/exchange_token', () => {
     const mock = mockRegionalEndpointWithParent(
       RegionalEndpoint.EXCHANGE_TOKEN,
       'test-parent',
+      'test-api-key',
       { accessToken: 'outbound-token', expiresIn: '1000' }
     );
 
@@ -60,7 +62,8 @@ describe('api/authentication/exchange_token', () => {
     expect(response.expiresIn).equal('1000');
     expect(mock.calls[0].request).to.eql({
       parent: 'test-parent',
-      token: 'custom-token'
+      // eslint-disable-next-line camelcase
+      id_token: 'custom-token'
     });
     expect(mock.calls[0].method).to.eq('POST');
     expect(mock.calls[0].headers!.get(HttpHeader.CONTENT_TYPE)).to.eq(
@@ -79,6 +82,7 @@ describe('api/authentication/exchange_token', () => {
     const mock = mockRegionalEndpointWithParent(
       RegionalEndpoint.EXCHANGE_TOKEN,
       'test-parent',
+      'test-api-key',
       {
         error: {
           code: 400,
diff --git a/packages/auth/src/api/authentication/exchange_token.ts b/packages/auth/src/api/authentication/exchange_token.ts
index 9a073c8f61d..a385fc1699d 100644
--- a/packages/auth/src/api/authentication/exchange_token.ts
+++ b/packages/auth/src/api/authentication/exchange_token.ts
@@ -23,7 +23,7 @@ import { Auth } from '../../model/public_types';
 
 export interface ExchangeTokenRequest {
   parent: string;
-  token: string;
+  id_token: string;
 }
 
 export interface ExchangeTokenResponse {
diff --git a/packages/auth/src/api/index.test.ts b/packages/auth/src/api/index.test.ts
index 614956abb4e..f6726625e53 100644
--- a/packages/auth/src/api/index.test.ts
+++ b/packages/auth/src/api/index.test.ts
@@ -652,6 +652,7 @@ describe('api/_performRegionalApiRequest', () => {
       const mock = mockRegionalEndpointWithParent(
         RegionalEndpoint.EXCHANGE_TOKEN,
         'test-parent',
+        'test-api-key',
         serverResponse
       );
       const response = await _performRegionalApiRequest<
@@ -689,6 +690,7 @@ describe('api/_performRegionalApiRequest', () => {
       const mock = mockRegionalEndpointWithParent(
         RegionalEndpoint.EXCHANGE_TOKEN,
         'test-parent',
+        'test-api-key',
         serverResponse
       );
       await _performRegionalApiRequest<typeof request, typeof serverResponse>(
diff --git a/packages/auth/src/api/index.ts b/packages/auth/src/api/index.ts
index ec3c7662194..e89e278ad13 100644
--- a/packages/auth/src/api/index.ts
+++ b/packages/auth/src/api/index.ts
@@ -168,17 +168,10 @@ async function performApiRequest<T, V>(
       }
     }
 
-    let queryParamString: string;
-    if (isRegionalAuthInitialized(auth)) {
-      queryParamString = querystring({
-        ...params
-      }).slice(1);
-    } else {
-      queryParamString = querystring({
+    const queryParamString = querystring({
         key: auth.config.apiKey,
         ...params
       }).slice(1);
-    }
 
     const headers = await (auth as AuthInternal)._getAdditionalHeaders();
     headers[HttpHeader.CONTENT_TYPE] = 'application/json';
diff --git a/packages/auth/src/core/strategies/exchange_token.test.ts b/packages/auth/src/core/strategies/exchange_token.test.ts
index 25c13572e39..ab05e0985b1 100644
--- a/packages/auth/src/core/strategies/exchange_token.test.ts
+++ b/packages/auth/src/core/strategies/exchange_token.test.ts
@@ -52,6 +52,7 @@ describe('core/strategies/exchangeToken', () => {
     const mock = mockRegionalEndpointWithParent(
       RegionalEndpoint.EXCHANGE_TOKEN,
       'projects/test-project-id/locations/us/tenants/tenant-1/idpConfigs/idp-config',
+      'test-api-key',
       { accessToken: 'outbound-token', expiresIn: 10 }
     );
 
@@ -64,7 +65,8 @@ describe('core/strategies/exchangeToken', () => {
     expect(mock.calls[0].request).to.eql({
       parent:
         'projects/test-project-id/locations/us/tenants/tenant-1/idpConfigs/idp-config',
-      token: 'custom-token'
+      // eslint-disable-next-line camelcase
+      id_token: 'custom-token'
     });
     expect(mock.calls[0].method).to.eq('POST');
     expect(mock.calls[0].headers!.get(HttpHeader.CONTENT_TYPE)).to.eq(
@@ -87,6 +89,7 @@ describe('core/strategies/exchangeToken', () => {
     const mock = mockRegionalEndpointWithParent(
       RegionalEndpoint.EXCHANGE_TOKEN,
       'projects/test-project-id/locations/us/tenants/tenant-1/idpConfigs/idp-config',
+      'test-api-key',
       {
         error: {
           code: 400,
@@ -107,7 +110,8 @@ describe('core/strategies/exchangeToken', () => {
     expect(mock.calls[0].request).to.eql({
       parent:
         'projects/test-project-id/locations/us/tenants/tenant-1/idpConfigs/idp-config',
-      token: 'custom-token'
+      // eslint-disable-next-line camelcase
+      id_token: 'custom-token'
     });
     expect(mock.calls[0].method).to.eq('POST');
     expect(mock.calls[0].headers!.get(HttpHeader.CONTENT_TYPE)).to.eq(
diff --git a/packages/auth/src/core/strategies/exhange_token.ts b/packages/auth/src/core/strategies/exhange_token.ts
index 8787c3e96d9..afbdcd81bff 100644
--- a/packages/auth/src/core/strategies/exhange_token.ts
+++ b/packages/auth/src/core/strategies/exhange_token.ts
@@ -52,7 +52,8 @@ export async function exchangeToken(
   const authInternal = _castAuth(auth);
   const token = await getToken(authInternal, {
     parent: buildParent(auth, idpConfigId),
-    token: customToken
+    // eslint-disable-next-line camelcase
+    id_token: customToken
   });
   if (token) {
     await authInternal._updateFirebaseToken({
diff --git a/packages/auth/test/helpers/api/helper.ts b/packages/auth/test/helpers/api/helper.ts
index 1877371bf2e..1b072234765 100644
--- a/packages/auth/test/helpers/api/helper.ts
+++ b/packages/auth/test/helpers/api/helper.ts
@@ -59,10 +59,12 @@ export function mockEndpointWithParams(
 export function mockRegionalEndpointWithParent(
   endpoint: RegionalEndpoint,
   parent: string,
+  key: string,
   response: object,
   status = 200
 ): Route {
-  const url = `${TEST_SCHEME}://${TEST_HOST}${parent}${endpoint}`;
-  console.log('here ', url);
+  let url = `${TEST_SCHEME}://${TEST_HOST}${parent}${endpoint}`;
+  url += "?key=";
+  url += key; 
   return mock(url, response, status);
 }

From ae53b77557722a214ee0b790b3faf33eebca9f64 Mon Sep 17 00:00:00 2001
From: mansisampat <sammansi@google.com>
Date: Wed, 18 Jun 2025 14:31:49 +0530
Subject: [PATCH 2/9] Format

---
 packages/auth/src/api/index.ts           | 6 +++---
 packages/auth/test/helpers/api/helper.ts | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/packages/auth/src/api/index.ts b/packages/auth/src/api/index.ts
index e89e278ad13..fcf7bb13486 100644
--- a/packages/auth/src/api/index.ts
+++ b/packages/auth/src/api/index.ts
@@ -169,9 +169,9 @@ async function performApiRequest<T, V>(
     }
 
     const queryParamString = querystring({
-        key: auth.config.apiKey,
-        ...params
-      }).slice(1);
+      key: auth.config.apiKey,
+      ...params
+    }).slice(1);
 
     const headers = await (auth as AuthInternal)._getAdditionalHeaders();
     headers[HttpHeader.CONTENT_TYPE] = 'application/json';
diff --git a/packages/auth/test/helpers/api/helper.ts b/packages/auth/test/helpers/api/helper.ts
index 1b072234765..c1034d682d5 100644
--- a/packages/auth/test/helpers/api/helper.ts
+++ b/packages/auth/test/helpers/api/helper.ts
@@ -64,7 +64,7 @@ export function mockRegionalEndpointWithParent(
   status = 200
 ): Route {
   let url = `${TEST_SCHEME}://${TEST_HOST}${parent}${endpoint}`;
-  url += "?key=";
-  url += key; 
+  url += '?key=';
+  url += key;
   return mock(url, response, status);
 }

From bee6c1fcc7aab65f6a553eb65d76b8b811401791 Mon Sep 17 00:00:00 2001
From: mansisampat <sammansi@google.com>
Date: Wed, 18 Jun 2025 15:27:07 +0530
Subject: [PATCH 3/9] Update chrome version

---
 .github/workflows/test-changed-auth.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/test-changed-auth.yml b/.github/workflows/test-changed-auth.yml
index b72c7cd9e2d..af0f71e00ff 100644
--- a/.github/workflows/test-changed-auth.yml
+++ b/.github/workflows/test-changed-auth.yml
@@ -23,7 +23,7 @@ env:
   # the behavior to use the new URLs.
   CHROMEDRIVER_CDNURL: https://googlechromelabs.github.io/
   CHROMEDRIVER_CDNBINARIESURL: https://storage.googleapis.com/chrome-for-testing-public
-  CHROME_VALIDATED_VERSION: linux-120.0.6099.71
+  CHROME_VALIDATED_VERSION: linux-132.0.6834.110
   # Bump Node memory limit
   NODE_OPTIONS: "--max_old_space_size=4096"
 
@@ -119,4 +119,4 @@ jobs:
       - name: Run tests on changed packages
         run: yarn test:changed auth
         env:
-          BROWSERS: 'WebkitHeadless'
\ No newline at end of file
+          BROWSERS: 'WebkitHeadless'

From f46a70e0203dd5c1f55cd16ca9a4c57c8c9ef124 Mon Sep 17 00:00:00 2001
From: mansisampat <sammansi@google.com>
Date: Thu, 19 Jun 2025 10:21:53 +0530
Subject: [PATCH 4/9] Update chrome version

---
 .github/workflows/test-changed-auth.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/test-changed-auth.yml b/.github/workflows/test-changed-auth.yml
index af0f71e00ff..da615bf4e98 100644
--- a/.github/workflows/test-changed-auth.yml
+++ b/.github/workflows/test-changed-auth.yml
@@ -23,7 +23,7 @@ env:
   # the behavior to use the new URLs.
   CHROMEDRIVER_CDNURL: https://googlechromelabs.github.io/
   CHROMEDRIVER_CDNBINARIESURL: https://storage.googleapis.com/chrome-for-testing-public
-  CHROME_VALIDATED_VERSION: linux-132.0.6834.110
+  CHROME_VALIDATED_VERSION: linux-linux-137.0.7151.70
   # Bump Node memory limit
   NODE_OPTIONS: "--max_old_space_size=4096"
 

From 7a0c1d01f09553ea69a156a675dc72753dddda3c Mon Sep 17 00:00:00 2001
From: mansisampat <sammansi@google.com>
Date: Thu, 19 Jun 2025 10:32:36 +0530
Subject: [PATCH 5/9] Update chrome version

---
 .github/workflows/test-changed-auth.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/test-changed-auth.yml b/.github/workflows/test-changed-auth.yml
index da615bf4e98..2da69e1ee15 100644
--- a/.github/workflows/test-changed-auth.yml
+++ b/.github/workflows/test-changed-auth.yml
@@ -23,7 +23,7 @@ env:
   # the behavior to use the new URLs.
   CHROMEDRIVER_CDNURL: https://googlechromelabs.github.io/
   CHROMEDRIVER_CDNBINARIESURL: https://storage.googleapis.com/chrome-for-testing-public
-  CHROME_VALIDATED_VERSION: linux-linux-137.0.7151.70
+  CHROME_VALIDATED_VERSION: linux-linux-137.0.0.0
   # Bump Node memory limit
   NODE_OPTIONS: "--max_old_space_size=4096"
 

From aa9837728bf542938e24c73cce5317e498f22439 Mon Sep 17 00:00:00 2001
From: mansisampat <sammansi@google.com>
Date: Thu, 19 Jun 2025 10:39:11 +0530
Subject: [PATCH 6/9] Update chrome version

---
 .github/workflows/test-changed-auth.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/test-changed-auth.yml b/.github/workflows/test-changed-auth.yml
index 2da69e1ee15..e9775c705a1 100644
--- a/.github/workflows/test-changed-auth.yml
+++ b/.github/workflows/test-changed-auth.yml
@@ -23,7 +23,7 @@ env:
   # the behavior to use the new URLs.
   CHROMEDRIVER_CDNURL: https://googlechromelabs.github.io/
   CHROMEDRIVER_CDNBINARIESURL: https://storage.googleapis.com/chrome-for-testing-public
-  CHROME_VALIDATED_VERSION: linux-linux-137.0.0.0
+  CHROME_VALIDATED_VERSION: linux-137.0.0.0
   # Bump Node memory limit
   NODE_OPTIONS: "--max_old_space_size=4096"
 

From 242d35db5f0c3f804e3a64b0bacdd265a3049217 Mon Sep 17 00:00:00 2001
From: mansisampat <sammansi@google.com>
Date: Thu, 19 Jun 2025 10:47:30 +0530
Subject: [PATCH 7/9] Update chrome version

---
 .github/workflows/test-all.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/test-all.yml b/.github/workflows/test-all.yml
index dd74d2437e4..4857c666a04 100644
--- a/.github/workflows/test-all.yml
+++ b/.github/workflows/test-all.yml
@@ -23,7 +23,7 @@ env:
   # the behavior to use the new URLs.
   CHROMEDRIVER_CDNURL: https://googlechromelabs.github.io/
   CHROMEDRIVER_CDNBINARIESURL: https://storage.googleapis.com/chrome-for-testing-public
-  CHROME_VALIDATED_VERSION: linux-132.0.6834.110
+  CHROME_VALIDATED_VERSION: linux-137.0.0.0
   CHROME_VERSION_MISMATCH_MESSAGE: "The Chrome version doesn't match the previously validated version. Consider updating CHROME_VALIDATED_VERSION in the GitHub workflow if tests pass, or rollback the installed Chrome version if tests fail."
   artifactRetentionDays: 14
   # Bump Node memory limit

From 16653def801a851bd5383821a53cbe3ef45a65c8 Mon Sep 17 00:00:00 2001
From: mansisampat <sammansi@google.com>
Date: Thu, 19 Jun 2025 11:00:55 +0530
Subject: [PATCH 8/9] Update chrome version

---
 .github/workflows/test-changed-auth.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/test-changed-auth.yml b/.github/workflows/test-changed-auth.yml
index e9775c705a1..84b0ef4adda 100644
--- a/.github/workflows/test-changed-auth.yml
+++ b/.github/workflows/test-changed-auth.yml
@@ -23,7 +23,7 @@ env:
   # the behavior to use the new URLs.
   CHROMEDRIVER_CDNURL: https://googlechromelabs.github.io/
   CHROMEDRIVER_CDNBINARIESURL: https://storage.googleapis.com/chrome-for-testing-public
-  CHROME_VALIDATED_VERSION: linux-137.0.0.0
+  CHROME_VALIDATED_VERSION: linux-137.0.7151.119
   # Bump Node memory limit
   NODE_OPTIONS: "--max_old_space_size=4096"
 

From f678526c52dd51eb0dbeee5004c34d85fbe3ab65 Mon Sep 17 00:00:00 2001
From: mansisampat <sammansi@google.com>
Date: Thu, 19 Jun 2025 16:55:39 +0530
Subject: [PATCH 9/9] BYO-CIAM Demo App Changes (#9106)

* BYO-CIAM Demo App Changes
---
 packages/auth/demo/public/index.html     | 17 +++++++++
 packages/auth/demo/src/index.js          | 45 +++++++++++++++++++++++-
 packages/auth/src/core/auth/auth_impl.ts |  2 +-
 3 files changed, 62 insertions(+), 2 deletions(-)

diff --git a/packages/auth/demo/public/index.html b/packages/auth/demo/public/index.html
index 78b14b8dd92..5201871271d 100644
--- a/packages/auth/demo/public/index.html
+++ b/packages/auth/demo/public/index.html
@@ -170,6 +170,13 @@
                 Action Code Settings
               </a>
             </li>
+            <li role="presentation">
+              <a href="#tab-byo-ciam-content"
+                 aria-controls="tab-byo-ciam-content"
+                 data-toggle="tab" role="tab">
+                BYO-CIAM methods
+              </a>
+            </li>
             <li role="presentation" class="visible-xs">
               <a href="#logs-section"
                  aria-controls="logs-section"
@@ -844,6 +851,16 @@
                         id="action-code-settings-reset">Reset</button>
               </form>
             </div>
+            <div class="tab-pane" id="tab-byo-ciam-content">
+              <h2>Sign in with your CIAM token</h2>
+              <input type="text" id="byo-ciam-token"
+                     class="form-control" placeholder="Enter CIAM token" />
+              <button class="btn btn-block btn-primary"
+                  id="exchange-token">
+                Exchange Token
+              </button>
+              <pre id="byo-ciam-result"></pre>
+            </div>
             <div class="tab-pane" id="logs-section">
               <pre class="well logs"></pre>
               <button class="btn btn-xs btn-default pull-right clear-logs">
diff --git a/packages/auth/demo/src/index.js b/packages/auth/demo/src/index.js
index 876a345671a..52b79662fd7 100644
--- a/packages/auth/demo/src/index.js
+++ b/packages/auth/demo/src/index.js
@@ -74,7 +74,8 @@ import {
   connectAuthEmulator,
   initializeRecaptchaConfig,
   validatePassword,
-  revokeAccessToken
+  revokeAccessToken,
+  exchangeToken
 } from '@firebase/auth';
 
 import { config } from './config';
@@ -95,6 +96,7 @@ const AUTH_EMULATOR_URL = 'http://localhost:9099';
 
 let app = null;
 let auth = null;
+let regionalAuth = null;
 let currentTab = null;
 let lastUser = null;
 let applicationVerifier = null;
@@ -1506,6 +1508,32 @@ function onFinalizeSignInWithTotpMultiFactor(event) {
   }, onAuthError);
 }
 
+async function exchangeCIAMToken(token) {
+  const firebaseToken = await exchangeToken(
+    regaionalAuth,
+    (idpConfigId = 'Bar-e2e-idpconfig-002'),
+    token
+  );
+  return firebaseToken;
+}
+
+function onExchangeToken(event) {
+  event.preventDefault();
+  const byoCiamInput = document.getElementById('byo-ciam-token');
+  const byoCiamResult = document.getElementById('byo-ciam-result');
+
+  byoCiamResult.textContent = 'Exchanging token...';
+
+  exchangeCIAMToken(byoCiamInput.value)
+    .then(response => {
+      byoCiamResult.textContent = response.accessToken;
+      console.log('Token:', response);
+    })
+    .catch(error => {
+      console.error('Error exchanging token:', error);
+    });
+}
+
 /**
  * Adds a new row to insert an OAuth custom parameter key/value pair.
  * @param {!jQuery.Event} _event The jQuery event object.
@@ -2051,6 +2079,18 @@ function initApp() {
     connectAuthEmulator(auth, AUTH_EMULATOR_URL);
   }
 
+  let tenantConfig = {
+    'location': 'global',
+    'tenantId': 'Foo-e2e-tenant-001'
+  };
+  const regionalApp = initializeApp(config, `${auth.name}-rgcip`);
+
+  regionalAuth = initializeAuth(regionalApp, {
+    persistence: inMemoryPersistence,
+    popupRedirectResolver: browserPopupRedirectResolver,
+    tenantConfig: tenantConfig
+  });
+
   tempApp = initializeApp(
     {
       apiKey: config.apiKey,
@@ -2391,6 +2431,9 @@ function initApp() {
   $('#enroll-mfa-totp-finalize').click(onFinalizeEnrollWithTotpMultiFactor);
   // Sets tenant for the current auth instance
   $('#set-tenant-btn').click(onSetTenantIdClick);
+
+  // Performs Exchange Token
+  $('#exchange-token').click(onExchangeToken);
 }
 
 $(initApp);
diff --git a/packages/auth/src/core/auth/auth_impl.ts b/packages/auth/src/core/auth/auth_impl.ts
index 2651fe43af9..20df2390774 100644
--- a/packages/auth/src/core/auth/auth_impl.ts
+++ b/packages/auth/src/core/auth/auth_impl.ts
@@ -95,7 +95,7 @@ export const enum DefaultConfig {
   API_HOST = 'identitytoolkit.googleapis.com',
   API_SCHEME = 'https',
   // TODO(sammansi): Update the endpoint before BYO-CIAM Private Preview Release.
-  REGIONAL_API_HOST = 'identityplatform.googleapis.com/v2alpha/'
+  REGIONAL_API_HOST = 'autopush-identityplatform.sandbox.googleapis.com/v2alpha/'
 }
 
 export class AuthImpl implements AuthInternal, _FirebaseService {