
firebase auth:emulators have different json data additionalUserInfo profile at production

Open rymesaint opened this issue 3 years ago • 2 comments

[REQUIRED] Environment info

firebase-tools: 11.3.0

Platform: macOS

[REQUIRED] Test case

Login using emulator

Login using firebase auth production

[REQUIRED] Steps to reproduce

  • Login via Google Account

  • Get Return AdditionalUserInfo > Profile (JSON)

[REQUIRED] Expected behavior

{at_hash: g-F0nYiggy_hbu8HhTKlPw, exp: 1658240233, azp: 143834371075-h8jqsht30aa13mtdct3tv0q5pp9tf4tn.apps.googleusercontent.com, nonce: GskHkFD0RDzqRhqreHGwocGdppgJP0tszXM34KFpQ44, picture: https://lh3.googleusercontent.com/a-/AFdZucqc4iha2GZgr-FD3Oy0MwZGwLwQGCAqbXW5BuASUw=s96-c, locale: en, iss: https://accounts.google.com, email_verified: true, sub: 104779650814885939520, aud: 143834371075-h8jqsht30aa13mtdct3tv0q5pp9tf4tn.apps.googleusercontent.com, family_name: Fauzan, iat: 1658236633, email: [email protected], name: Ridwan Fauzan, given_name: Ridwan}

[REQUIRED] Actual behavior

{family_name: Fauzan, locale: en, id: 104779650814885939520, granted_scopes: openid https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email, verified_email: true, email: [email protected], picture: https://lh3.googleusercontent.com/a-/AFdZucqc4iha2GZgr-FD3Oy0MwZGwLwQGCAqbXW5BuASUw=s96-c, given_name: Ridwan, name: Ridwan Fauzan}

rymesaint, Jul 19 '22 13:07

Hey there @rymesaint! Wanted to clarify that some of the claims that are missing are intentionally ignored by the Auth Emulator, e.g. exp, iat, at_hash - for more information about ignored fields, check out the inline documentation of this interface: https://github.com/firebase/firebase-tools/blob/ae788e76a8ea45e1c967bd6e37078a991c89dc6b/src/emulator/auth/operations.ts#L3308

Your issue does point out some unintentional behavior though, i.e. id claim should be the sub claim and verified_email should be email_verified. I'll open a PR that addresses those issues. Thanks for pointing this out!

lisajian, Jul 26 '22 01:07

Just a quick update: Seems like the fields returned depend on what is used to sign in when signInWithIdp is invoked. The existing returned claims (aside from the ones that are intentionally ignored) are correct in certain cases and should be closer to what you're experiencing in other cases.

Since the scope of this is quite a bit larger than expected, I'm going to leave this issue open. I'll go ahead and file an internal bug for this in the meantime (Googler-only internal tracking bug: b/240451476). Let me know if/how this is negatively impacting you, and for other folks reading this, please thumbs up this comment so we know how to prioritize this bug. Thanks for your patience.

lisajian, Jul 27 '22 18:07
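An added example, not part of the thread and not firebase-tools code: application code that reads `additionalUserInfo.profile` can normalise the two shapes reported above (`sub`/`email_verified` versus `id`/`verified_email`) so that an email-verification check fails closed when the expected key is absent. The function name, the returned field names and the sample objects are assumptions constructed for illustration.

```javascript
// Constructed sample profiles mirroring the two key layouts in this issue.
const PRODUCTION_SHAPE = {
  iss: "https://accounts.google.com",
  sub: "100000000000000000001",
  email: "user@example.com",
  email_verified: true,
  exp: 1658240233,
  iat: 1658236633,
};
const EMULATOR_SHAPE = {
  id: "100000000000000000001",
  email: "user@example.com",
  verified_email: true,
  granted_scopes: "openid",
};

// Hypothetical helper: map either layout onto one internal structure.
function normalizeGoogleProfile(profile) {
  if (profile === null || typeof profile !== "object") {
    throw new TypeError("profile must be an object");
  }
  const { sub, id } = profile;
  // If both subject keys are present they must agree; otherwise reject.
  if (sub !== undefined && id !== undefined && String(sub) !== String(id)) {
    throw new Error("profile carries conflicting sub and id values");
  }
  const subject = sub ?? id;
  if (typeof subject !== "string" || subject.length === 0) {
    throw new Error("profile has neither sub nor id");
  }
  // ID-token layout uses email_verified; the other layout uses verified_email.
  const flag = profile.email_verified ?? profile.verified_email;
  return {
    subject,
    email: typeof profile.email === "string" ? profile.email : null,
    // Fail closed: a missing or non-boolean flag is treated as unverified.
    emailVerified: flag === true,
    shape: "sub" in profile ? "id_token" : "userinfo",
  };
}

console.log(normalizeGoogleProfile(PRODUCTION_SHAPE));
console.log(normalizeGoogleProfile(EMULATOR_SHAPE));
```

Keying authorization decisions on the normalised `subject` and `emailVerified` fields keeps emulator-tested code from silently reading `undefined` in production, or the reverse.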