firebase-admin-node icon indicating copy to clipboard operation
firebase-admin-node copied to clipboard

Published 20 hours ago verified publisher icon firebase

[firebase_auth] token issued by createCustomToken are not valid with emulated in <<demo>> project

Open cedvdb opened this issue 1 year ago • 7 comments

As per the documentation:

<< For security reasons, the Authentication emulator issues unsigned ID tokens, which are only accepted by other Firebase emulators, or the Firebase Admin SDK when configured. >>

So when there is an env variable FIREBASE_AUTH_EMULATOR_HOST="127.0.0.1:9099" firebase admin is supposed to give unsigned tokens via the emulator, which it does not:

The following:

    const user = await admin.auth().createUser({ uid: randomUUID() });
    const jwt = await admin.auth().createCustomToken(user.uid);

Results in:

Firebase ID token has incorrect "aud" (audience) claim. Expected "demo-test" but got "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit"

cedvdb avatar Jun 13 '23 12:06 cedvdb

I found a few problems with this issue:

  • I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
  • This issue does not seem to follow the issue template. Make sure you provide all the required information.

google-oss-bot avatar Jun 13 '23 12:06 google-oss-bot

Were you able to resolve? I'm experiencing the same issue.

shelbycotton avatar Sep 30 '23 12:09 shelbycotton

Dealing with the same problem. The verifyIdToken function expects the project id in the aud except the token created by the same instance of the auth emulator uses https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit

karthikrao5 avatar Jan 09 '24 04:01 karthikrao5

@shelbycotton

I did not resolve this issue and had to work around it

cedvdb avatar Jan 09 '24 10:01 cedvdb

I get this error only if i try to verify the token generated by createCustomToken. If you pass the token to signInWithCustomToken in the client app then get the user token with auth.currentUser.getIdToken your will notice the token is slightly different and claims are the expected ones. You can then verify this token in your backend and no errors show up.

luisjoserivera avatar Feb 20 '24 06:02 luisjoserivera

I am facing the same issue.

At the moment I am doing what @luisjoserivera said but on the backend. I initialise a client instance of FB with the same credentials and then simulate a login, getId, logout to get the ID token.

mp3por avatar Aug 06 '24 23:08 mp3por

I'm having the same problem. createCustomToken doesn't respect the emulator.

wieringen avatar Aug 15 '24 15:08 wieringen