Create custom token using a service account ID
Hi, I'm trying to create a custom token for a specified service account from a different service account. I'm following this guide: https://firebase.google.com/docs/auth/admin/create-custom-tokens#using_a_service_account_json_file (Using a service account ID).
When I configure it like that and try to generate a token, that token is invalid. So I started debugging:
https://github.com/firebase/firebase-admin-dotnet/blob/5397e845fef87124940ba99cb1225e6c04210ba2/FirebaseAdmin/FirebaseAdmin/Auth/FirebaseTokenFactory.cs#L74-L95
If I set a debugger here and set the serviceAccount value to null, I get a valid token. So it seems like it's using the wrong service account.
Can app.Options.Credential.ToServiceAccountCredential() be null? You cannot even initialize FirebaseApp without setting Credential = GoogleCredential.GetApplicationDefault().
Shouldn't the logic first check if a service account ID is specified and invoke the IAM service, and only if not go for the other cases?
Issue Analytics
- Created 4 years ago
- Comments: 5 (3 by maintainers)
Top GitHub Comments
Yes, but this cross pollination of projects and service accounts is not something we wish to support or advertise. It's often very confusing to reason about the permissions of projects this way. Also, this works today because we don't put the project ID in the IAM endpoint (notice the /projects/-/ part in the error message). That might change in the future, or IAM might change how the project ID inference works. At the very least we want to retain the flexibility to change such details in future implementations.

You should look into using one of the following options to implement your use case.
Option 1: Init the SDK with credentials for project B
As it stands, I don’t see why you use a service account from project A while trying to create custom tokens for project B. Just use credentials for project B if at all possible.
Option 2: Use two FirebaseApp instances
Use the latter for creating tokens and the former for interacting with project A.
Option 3: Implement a custom GoogleCredential implementation
Wrap project A's service account credential inside a custom GoogleCredential so it doesn't get picked for local token signing. You will likely have to wrap the service account in an ICredential first. See how the AccessTokenCredential is implemented to get an idea: https://github.com/googleapis/google-api-dotnet-client/blob/master/Src/Support/Google.Apis.Auth/OAuth2/GoogleCredential.cs#L143

But it's possible, @hiranya911? Because if I set serviceAccount to null (debugging) it sets the signer like this: signer = new FixedAccountIAMSigner(app.Options.HttpClientFactory, app.Options.Credential, app.Options.ServiceAccountId);
In that case, at first I get this error: this error is documented here https://firebase.google.com/docs/auth/admin/create-custom-tokens
But if I add the Service Account Token Creator role for the service account from project A to project B's IAM, it works fine.
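The maintainer's Option 1 and Option 2 combined, as an added example that is not code from the issue, the maintainer or the SDK: the default FirebaseApp carries project A's credential for everything else, and a separate named app is initialised with project B's own service account key, so custom tokens are signed locally by that account and the cross-project IAM path (and the Token Creator grant it needs) is never used. Key file paths, project IDs and the expected issuer e-mail are placeholders.

```csharp
using System;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using FirebaseAdmin;
using FirebaseAdmin.Auth;
using Google.Apis.Auth.OAuth2;

// Added example, not code from the issue or the SDK. Key paths, project IDs and
// the service account e-mail are placeholders.
public static class CrossProjectCustomTokens
{
    const string ProjectAKey = "/secrets/project-a-sa.json";                  // placeholder
    const string ProjectBKey = "/secrets/project-b-sa.json";                  // placeholder
    const string ExpectedIssuer = "tokens@project-b.iam.gserviceaccount.com"; // placeholder

    // Default app: project A's credential for Firestore, messaging, etc. It is never
    // asked to mint tokens, so its key cannot be picked up for local signing.
    static readonly FirebaseApp AppA = FirebaseApp.DefaultInstance ?? FirebaseApp.Create(new AppOptions
    {
        Credential = GoogleCredential.FromFile(ProjectAKey),
        ProjectId = "project-a",
    });

    // Named app: project B's own service account key. The SDK signs locally with this
    // key, so no cross-project IAM signBlob call is made.
    static readonly FirebaseApp AppB = FirebaseApp.GetInstance("project-b") ?? FirebaseApp.Create(new AppOptions
    {
        Credential = GoogleCredential.FromFile(ProjectBKey),
        ProjectId = "project-b",
    }, "project-b");

    public static async Task<string> MintForProjectBAsync(string uid)
    {
        var token = await FirebaseAuth.GetAuth(AppB).CreateCustomTokenAsync(uid);
        if (!IssuedBy(token, ExpectedIssuer))
            throw new InvalidOperationException("custom token was not signed by project B's service account");
        return token;
    }

    // Reads the unverified payload only to confirm which account the SDK signed with;
    // Firebase Auth checks the signature itself when the client exchanges the token.
    public static bool IssuedBy(string jwt, string expectedEmail)
    {
        var b64 = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        using var doc = JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(b64)));
        var root = doc.RootElement;
        return root.GetProperty("iss").GetString() == expectedEmail
            && root.GetProperty("sub").GetString() == expectedEmail;
    }
}
```

The iss/sub check is the quick way to catch the failure the issue describes: a token that was signed with project A's key carries project A's service account e-mail in both claims, and Firebase Auth for project B will reject it.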