I found a few problems with this issue:

• I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
• This issue does not seem to follow the issue template. Make sure you provide all the required information.

Just to make my initial comment a bit clearer:

Currently, the supportedAuthDomains order does not matter (as opposed to what's stated in the comment) - the returned domain will be determined by the order of response.authorizedDomains.

If response.authorizedDomains contains ["my.web.app", "my.firebaseapp.com"], then we would first look to see if my.web.app matched any of ["firebaseapp.com", "web.app"], which it does and then "my.web.app" will be used.

If the response order was different: ["my.firebaseapp.com", "my.web.app"], then the first match would be for my.firebaseapp.com.

And thus, contrary to the comment, it's not the order of supportedAuthDomains that matters, but the order of response.authorizedDomains that matters. And the latter is not controlled by the library, so that seems like an error - if indeed the order of supportedAuthDomains matters.

@rosalyntan Should the comment be fixed or the code updated to match the comment?

cc: @renkelvin

I think we should update the code to match the comment.

The code is updated in the release-11.0 branch: https://github.com/firebase/firebase-ios-sdk/blob/release-11.0/FirebaseAuth/Sources/Swift/Utilities/AuthWebUtils.swift#L117

Well, on line 130 and 131 the iteration of supportedAuthDomains is still nested in the iteration of the response domains, so the order or supportedAuthDomains still doesn't matter, does it?

Oops. Good catch, Morten! I'll reopen the issue and send a PR.