firebase-functions: 1.0.2
firebase-tools: 3.18.6
firebase-admin: 5.12.1
On the client create a token with: auth.currentUser.getIdToken() and send it to the functions backend.
Initialize firebase auth with:
const admin = require('firebase-admin');
admin.initializeApp();
const auth = admin.auth();
// And verify the token from the client (in some function)
auth.verifyIdToken(idToken)
  .then(() => console.log('success'))
  .catch(error => console.log(error.message));
yes
I expect the above to work BOTH with default env and my prod env.
When using admin.initializeApp() the code only works with the default env. If you serve functions and client in a different env it fails with:
Firebase ID token has incorrect "aud" (audience) claim. Expected "<my-default>" but got "<my-prod>". Make sure the ID token comes from the same Firebase project as the service account used to authenticate this SDK. See https://firebase.google.com/docs/auth/admin/verify-id-tokens for details on how to retrieve an ID token.
However, if I change to this:
admin.initializeApp({
credential: admin.credential.cert(serviceAccount),
});
there are no problems!
I have been looking to see if it could be something with the GOOGLE_APPLICATION_CREDENTIALS env variable, but tried all combinations without success (unset, prod, dev etc).
This is very frustrating because I am trying to debug an error that only happens in production, and thus it would be nice to be able to simulate production locally.
Update
I just found a relevant comment from @laurenzlong here:
it's due to the fact that you're trying to use Firebase auth, which is not currently supported in local functions due to the way we do credentials. I'll work on a fix and keep you posted. (Caveat, the fix is non-trivial so it may take some time).
Is this actually _just_ the problem? That functions currently do not fully support admin.initializeApp()? And is there any downside to using initializeApp() with a credential file?
Yes that is the problem. auth.verifyIdToken only works properly locally if you initialized with a service account like you did in the second code sample.
There aren't downsides to initializing an admin app with a service account other than you can't easily deploy the same code base to 2 projects via firebase use.
@dauledk thanks for reporting, closing this out as there seems to be a workaround. Feel free to open a new issue if you're still encountering problems.
@thechenky It's ok with me if you close the issue, but I really think this is a weak point of the firebase functions platform. It's so cool if you ask me, when you don't have to initialize the app with credentials. The barrier to entry is just much lower for new people. If however initializing the application with certificates when doing auth-related stuff is the recommended behaviour, then I would argue we should share/publish some boilerplate template demonstrating how to mangle with multiple certificates for multiple environments (like dev and production). It's details like this that make the difference between POC apps and the real thing a pain.
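An added example, not part of the thread or of the Firebase SDK: a Node.js diagnostic for the "aud" error reported above. It decodes an ID token's claims without verifying the signature and lists where they differ from the project the Admin SDK is expected to verify against. The function names, the project IDs my-default and my-prod, and the sample token are constructed for illustration.

```javascript
// Diagnostic only: the payload is decoded WITHOUT signature verification,
// so nothing read here may be used to authorize a request.
function decodeClaims(idToken) {
  const parts = String(idToken).split('.');
  if (parts.length !== 3) throw new Error('not a three-part JWT');
  // JWT segments are base64url; map back to the standard alphabet.
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Firebase ID tokens carry the project ID in "aud" and
// "https://securetoken.google.com/<projectId>" in "iss".
// Returns a list of mismatches; an empty list means the claims line up.
function explainProjectMismatch(idToken, expectedProjectId) {
  const claims = decodeClaims(idToken);
  const problems = [];
  if (claims.aud !== expectedProjectId) {
    problems.push(`aud is "${claims.aud}", SDK expects "${expectedProjectId}"`);
  }
  const expectedIss = `https://securetoken.google.com/${expectedProjectId}`;
  if (claims.iss !== expectedIss) {
    problems.push(`iss is "${claims.iss}", SDK expects "${expectedIss}"`);
  }
  return problems;
}

// Constructed, unsigned sample token for a hypothetical project ID.
function makeSampleToken(projectId) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  const payload = {
    aud: projectId,
    iss: `https://securetoken.google.com/${projectId}`,
    sub: 'constructed-uid',
  };
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.constructed-sig`;
}

// Client served from "my-prod", functions emulator defaulting to "my-default".
const sampleToken = makeSampleToken('my-prod');
console.log(explainProjectMismatch(sampleToken, 'my-default'));
console.log(explainProjectMismatch(sampleToken, 'my-prod'));
```

Logging this next to the verifyIdToken error shows which project the client token was minted for; the verification decision itself still belongs to verifyIdToken.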