The OAuth 2.0 RFC describes the authorization code grant flow as follows:
As can be seen, the authorization server assumes the responsibility of authenticating the user. What I'm planning is to get the Google Firebase service to authenticate the user as described in the following hybrid flow that I found:
The letters on the arrows correspond to the arrows in the original RFC.
There is a technical problem that I have yet to solve with regard to this hybrid flow at this time:
- When Firebase has finished authenticating a user, you must redirect to the URI that was provided when Firebase was configured. There is currently no way to build this redirect URI dynamically so that you know which client initiated the authorization request (i.e., arrow A).
What this means is that the authorization server cannot perform the step indicated by arrow C at this time.
To solve this, I would like to change the flow even further, but I am not sure whether this would present any security problem, and it is almost certain that the OAuth 2 framework would no longer be followed.
Can anyone propose a way to integrate Firebase authentication more clearly into the standard OAuth 2 authorization code grant flow so that all client authorization requests are validated?
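As an added illustration (not part of the question and not Firebase's or any project's code), the following minimal authorization server in Python shows how the RFC 6749 authorization code grant keeps track of which client started a request (arrow A) even when the external authenticator can only return the browser to one fixed callback URI: the authorization server stores the pending request under an opaque `request_id` of its own (in a real deployment this would travel in the authorization server's own session cookie) and, when the fixed callback fires, looks the request up by that key rather than trying to encode the client into the callback URI. It then issues the code to the redirect URI it stored at arrow A (arrow C). The client IDs, redirect URIs, the in-memory stores and the `run_demo` scenario are all assumptions of this example.

```python
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse


@dataclass
class PendingRequest:
    """Authorization request remembered between arrow A and arrow C."""
    client_id: str
    redirect_uri: str
    state: str


@dataclass
class IssuedCode:
    """Authorization code bound to the client and redirect_uri that started the flow."""
    client_id: str
    redirect_uri: str
    subject: str
    issued_at: float
    used: bool = False


class AuthorizationServer:
    """Toy authorization server (example code, not a real implementation).

    The external authenticator (a stand-in for Firebase) redirects to ONE fixed
    callback; the server tells concurrent requests apart by request_id, which it
    controls, never by the callback URI."""

    CODE_TTL = 60.0  # seconds; codes are meant to be short-lived

    def __init__(self, clients):
        self.clients = clients   # assumed registry: client_id -> list of exact redirect URIs
        self.pending = {}        # request_id -> PendingRequest
        self.codes = {}          # code -> IssuedCode

    def begin_authorization(self, client_id, redirect_uri, state):
        """Arrow A: validate the request and store it before delegating the login."""
        if redirect_uri not in self.clients.get(client_id, ()):
            raise ValueError("invalid_request: unknown client or unregistered redirect_uri")
        request_id = secrets.token_urlsafe(32)  # opaque; would be set as the AS session cookie
        self.pending[request_id] = PendingRequest(client_id, redirect_uri, state)
        return request_id

    def complete_authorization(self, request_id, subject):
        """Fixed callback from the authenticator: recover the pending request by
        request_id, then perform arrow C towards the redirect_uri stored at arrow A."""
        pending = self.pending.pop(request_id, None)  # single use: a stale callback is rejected
        if pending is None:
            raise ValueError("access_denied: no pending authorization request for this session")
        code = secrets.token_urlsafe(32)
        self.codes[code] = IssuedCode(pending.client_id, pending.redirect_uri, subject, time.time())
        sep = "&" if urlparse(pending.redirect_uri).query else "?"
        return pending.redirect_uri + sep + urlencode({"code": code, "state": pending.state})

    def exchange_code(self, client_id, code, redirect_uri):
        """Token endpoint: the code must match the client and redirect_uri it was
        issued for, be unexpired, and be redeemed at most once."""
        issued = self.codes.get(code)
        if issued is None or issued.used:
            raise ValueError("invalid_grant: unknown or already redeemed code")
        if issued.client_id != client_id or issued.redirect_uri != redirect_uri:
            raise ValueError("invalid_grant: code was not issued to this client and redirect_uri")
        if time.time() - issued.issued_at > self.CODE_TTL:
            raise ValueError("invalid_grant: code expired")
        issued.used = True
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "sub": issued.subject}


def _rejected(fn, *args):
    """True if the call is refused with an OAuth-style error."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


def run_demo():
    """Two clients start flows concurrently; the fixed callback still maps each
    login back to the right client. Constructed scenario for the example."""
    server = AuthorizationServer({
        "app1": ["https://app1.example/cb"],
        "app2": ["https://app2.example/cb"],
    })
    r1 = server.begin_authorization("app1", "https://app1.example/cb", "state-1")
    r2 = server.begin_authorization("app2", "https://app2.example/cb", "state-2")
    redirect1 = server.complete_authorization(r1, "alice")  # arrow C for app1
    redirect2 = server.complete_authorization(r2, "bob")    # arrow C for app2
    q1 = parse_qs(urlparse(redirect1).query)
    q2 = parse_qs(urlparse(redirect2).query)
    code1, code2 = q1["code"][0], q2["code"][0]
    cross_client = _rejected(server.exchange_code, "app2", code1, "https://app2.example/cb")
    token1 = server.exchange_code("app1", code1, "https://app1.example/cb")
    token2 = server.exchange_code("app2", code2, "https://app2.example/cb")
    return {
        "redirect1": redirect1,
        "state1": q1["state"][0],
        "state2": q2["state"][0],
        "token1": token1,
        "token2": token2,
        "unregistered_redirect_rejected": _rejected(
            server.begin_authorization, "app1", "https://evil.example/cb", "x"),
        "stale_callback_rejected": _rejected(server.complete_authorization, r1, "alice"),
        "cross_client_rejected": cross_client,
        "replay_rejected": _rejected(server.exchange_code, "app1", code1, "https://app1.example/cb"),
    }


if __name__ == "__main__":
    print(run_demo())
```

The checks worth keeping whatever authenticator sits behind the server are the ones shown: exact match of `redirect_uri` against the client's registration before the login is delegated, `state` echoed back unchanged, and an authorization code that is bound to the originating client and redirect URI, expires quickly and is accepted only once.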