Create custom token using a service account ID

Hi, I’m trying to create a custom token for a specified service account from a different service account. I’m following this guide: https://firebase.google.com/docs/auth/admin/create-custom-tokens#using_a_service_account_json_file (Using a service account ID). When I configure it like that and try to generate a token, that token is invalid.

So I started debugging: https://github.com/firebase/firebase-admin-dotnet/blob/5397e845fef87124940ba99cb1225e6c04210ba2/FirebaseAdmin/FirebaseAdmin/Auth/FirebaseTokenFactory.cs#L74-L95

If I set a debugger here and set the serviceAccount value to null, I get a valid token. So it seems like it’s using the wrong service account.

Can app.Options.Credential.ToServiceAccountCredential() be null? You cannot even initialize FirebaseApp without setting Credential = GoogleCredential.GetApplicationDefault().

Shouldn’t the logic be that it should first check if a service account ID is specified and invoke the IAM service, and only if not it should go for other cases?

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 5 (3 by maintainers)

Top GitHub Comments

1 reaction
hiranya911 commented, Aug 22, 2019

Yes, but this cross pollination of projects and service accounts is not something we wish to support or advertise. It’s often very confusing to reason about the permissions of projects this way. Also, this works today because we don’t put the project ID in the IAM endpoint (notice the /projects/-/ part in the error message). That might change in the future, or IAM might change how the project ID inference works. At the very least we want to retain the flexibility to change such details in future implementations.

You should look into using one of the following options to implement your use case.

Option 1: Init the SDK with credentials for project B

As it stands, I don’t see why you use a service account from project A while trying to create custom tokens for project B. Just use credentials for project B if at all possible.

Option 2: Use two FirebaseApp instances:

using FirebaseAdmin;
using Google.Apis.Auth.OAuth2;

var project_A_app = FirebaseApp.Create(new AppOptions
{
   // Service account for project A
   Credential = GoogleCredential.FromFile("<path-to-project-A-service-account.json>")
});

var project_B_app = FirebaseApp.Create(new AppOptions
{
   // Service account or ADC for project B
   Credential = GoogleCredential.GetApplicationDefault(),
   // Service Account ID
   ServiceAccountId = "<service-account-id-for-project-B>"
}, "CustomTokenApp");

Use the latter for creating tokens and the former for interacting with project A.

Option 3: Implement a custom GoogleCredential implementation

Wrap project A’s service account credential inside a custom GoogleCredential so it doesn’t get picked for local token signing. You will likely have to wrap the service account in an ICredential first. See how the AccessTokenCredential is implemented to get an idea: https://github.com/googleapis/google-api-dotnet-client/blob/master/Src/Support/Google.Apis.Auth/OAuth2/GoogleCredential.cs#L143

0 reactions
kanclalg commented, Aug 22, 2019

But it’s possible, @hiranya911? Because if I set serviceAccount to null (debugging) it sets the signer like this:

signer = new FixedAccountIAMSigner(app.Options.HttpClientFactory, app.Options.Credential, app.Options.ServiceAccountId);

In that case, at first I get this error:

Permission iam.serviceAccounts.signBlob is required to perform this operation on service account projects/-/serviceAccounts/{your-service-account-id}.

This error is documented here: https://firebase.google.com/docs/auth/admin/create-custom-tokens

But if I add Service Account Token Creator role for service account from project A to project B IAM it works fine.
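The thread establishes two things by hand-debugging: which signer the SDK picks depends on whether the configured credential is itself a service account, and a token signed by the wrong account is rejected by the client. The following added example (not from the original issue or the firebase-admin-dotnet project) wires up the two-app configuration from Option 2 above and then decodes the resulting custom token's iss and sub claims, which the Firebase docs define as the signing service account's email, to confirm which account the SDK actually used. The file path, service account ID and uid are placeholders; the claim check only decodes the payload and does not verify the signature, so it is a diagnostic, not a validation of the token.

```csharp
using System;
using System.Text.Json;
using System.Threading.Tasks;
using FirebaseAdmin;
using FirebaseAdmin.Auth;
using Google.Apis.Auth.OAuth2;

public static class CustomTokenSignerCheck
{
    // Placeholder values; replace with your own project's path and service account ID.
    private const string ProjectACredentialFile = "<path-to-project-A-service-account.json>";
    private const string ProjectBSignerId = "<service-account-id-for-project-B>";

    public static async Task Main()
    {
        // Default app: project A's service account, used for everything except custom tokens.
        var projectAApp = FirebaseApp.Create(new AppOptions
        {
            Credential = GoogleCredential.FromFile(ProjectACredentialFile),
        });

        // Named app: ADC plus the service account ID that should sign custom tokens
        // through the IAM signBlob API (the FixedAccountIAMSigner path discussed in the thread).
        var projectBApp = FirebaseApp.Create(new AppOptions
        {
            Credential = GoogleCredential.GetApplicationDefault(),
            ServiceAccountId = ProjectBSignerId,
        }, "CustomTokenApp");

        // Always mint custom tokens from the named app, never from the default one.
        string token = await FirebaseAuth.GetAuth(projectBApp).CreateCustomTokenAsync("<test-uid>");

        // If iss/sub name a different account than the one configured, the SDK picked a
        // different signer than intended, which is the symptom the original issue reports.
        Console.WriteLine(IsSignedByExpectedAccount(token, ProjectBSignerId)
            ? "token names the expected signing service account"
            : "token names a different signer: check which credential was selected for signing");
    }

    // Decodes the JWT payload (no signature verification, diagnostic only) and confirms
    // that both iss and sub equal the service account that was supposed to sign it.
    public static bool IsSignedByExpectedAccount(string jwt, string expectedServiceAccount)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3)
        {
            return false; // not a compact JWS
        }

        using JsonDocument doc = JsonDocument.Parse(Base64UrlDecode(parts[1]));
        JsonElement root = doc.RootElement;
        if (!root.TryGetProperty("iss", out JsonElement iss) ||
            !root.TryGetProperty("sub", out JsonElement sub))
        {
            return false; // custom tokens always carry both claims
        }

        return iss.GetString() == expectedServiceAccount
            && sub.GetString() == expectedServiceAccount;
    }

    // JWT segments are base64url without padding; restore padding before decoding.
    private static byte[] Base64UrlDecode(string input)
    {
        string s = input.Replace('-', '+').Replace('_', '/');
        switch (s.Length % 4)
        {
            case 2: s += "=="; break;
            case 3: s += "="; break;
        }
        return Convert.FromBase64String(s);
    }
}
```

Running this before deploying a cross-project setup surfaces the wrong-signer case immediately instead of after the client rejects the token; if the check fails while ServiceAccountId is set, the credential handed to the named app resolved to a service account and was used for local signing, which is exactly the ordering question raised in the issue.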
