Trying to authenticate a service account with firebase-admin from a Cloud Scheduler call? Error: Firebase ID token has incorrect "iss" (issuer) claim
I'm trying to authenticate an API call made to my server (on Cloud Run) from a Cloud Scheduler cron job.
I'm trying to use a service account to this.
Note: this is all happening inside the same Project.
References:
This is what I'm doing:
STEP 1 - Create the service account
I went to https://console.cloud.google.com/apis/credentials and created a new service account. I've assigned the role as owner.
STEP 2 - Create the cron job.
I went to https://console.cloud.google.com/cloudscheduler to create the cron job like I always do.
In the service account field I've put my service account e-mail. In the Audience field, I've put my project id because at some point I got an error saying that it was expecting it to be the name of my project id.
This was the error:
Firebase ID token has incorrect "aud" (audience) claim. Expected
"PROJECT_ID"
STEP 3 - Running the job and identify decoding the token:
This is the code on my server:
import * as admin from "firebase-admin";
admin.initializeApp({
credential: admin.credential.cert(
// THIS IS THE DEFAULT FIREBASE-ADMIN SERVICE ACCOUNT
// THAT IS AUTOMATICALLY CREATED BY FIREBASE
SERVICE_ACCOUNT as admin.ServiceAccount
)});
// THIS IS THE CODE THAT IS INSIDE MY SERVER TRYING TO VERIFY THE SERVICE ACCOUNT
try {
const authHeader = req.headers.authorization;
console.log(`authHeader: ${authHeader}`);
if (authHeader) {
const idToken = authHeader.split(" ")[1]; // GETS THE USER ID TOKEN
const decodedToken = await admin.auth().verifyIdToken(idToken);
console.log(`decodedToken: ${decodedToken}`);
}
}
And this is the error I'm currently getting:
Firebase ID token has incorrect "iss" (issuer) claim. Expected "https://securetoken.google.com/"my-project-id" but got "https://accounts.google.com". Make sure the ID token comes from the same Firebase project as the service account used to authenticate this SDK. See https://firebase.google.com/docs/auth/admin/verify-id-tokens for details on how to retrieve an ID token.
Is there anything wrong with the way I'm doing it? Should I not be using firebase-admin to this?
Should I be using google-auth-library to verify the token?
- https://github.com/googleapis/google-auth-library-nodejs#verifying-id-tokens
- https://developers.google.com/identity/sign-in/web/backend-auth
After a morning in hell trying to debug this, here is what I've found.
It seems that firebase-admin's admin.auth().verifyIdToken() only works for tokens generated from the firebase SDK.
I got it to work by using the google-auth-library directly.
I did the following.
NOTE: The rest of the code is the same (using the same service account as described in the question):
import { OAuth2Client } from "google-auth-library";
export const apiExpressRouteHandler: RequestHandler = async (req, res) => {
try {
const PROJECT_ID = process.env.PROJECT_ID;
const authHeader = req.headers.authorization;
if (authHeader) {
const client = new OAuth2Client(PROJECT_ID);
const ticket = await client.verifyIdToken({
idToken: authHeader.split(" ")[1],
audience: PROJECT_ID
});
// LOGGING ticket PROPERTIES
console.log(`userId: ${JSON.stringify(ticket.getUserId())}`);
console.log(`payload: ${JSON.stringify(ticket.getPayload())}`);
console.log(`envelope: ${JSON.stringify(ticket.getEnvelope())}`);
console.log(`attributes: ${JSON.stringify(ticket.getAttributes())}`);
}
// REST OF THE CODE
}
}
catch(err) {
// ...
}
I'm not sure if the PROJECT_ID is necessary to initialize the client with new OAuth2Client(PROJECT_ID); but it is working like this.
- Xcode "Missing package product 'GoogleUtilities_UserDefaults'" after updating to latest package version using SPM
- Is there a limit or cost for Snapshot Listeners?
- Flutter: include of non-modular header inside framework module 'firebase_core.FLTFirebasePlugin'
- How can I send a Firebase Cloud Messaging notification without use the Firebase Console?
- Firebase Firestore REST Request - Query and Filter
- How to count number of messages in firebasefirestore collection in flutter
- Firebase delay in fetching user
- Firebase "getIdToken(true)" in Java Backend
- Firebase Undefined symbols for architecture x86_64
- FirebaseAuth - Get tokenId in Java backend
- Firebase functions imports in firebase functions 6.0.1
- About FIREBASE => Angular , how to read data in FIREBASE when we use Push method to write data
- Messages are not ordering correctly in Firebase
- How to properly create URL Masking for Cloud Functions to create a NEG?
- how to end ng serve or firebase serve
- Firebase App Check Throws 401 Error on iOS Devices
- web - readAsBytes throws Unsupported operation: _Namespace
- Firestore set doc with merge option true or update doc
- Firebase Functions "cannot determine backend specification"
- Cant access Firebase Admin SDK via Node.js on my VPS, but I can on my local machine
- Firestore get value of Field.increment after update without reading the document data
- Firebase - lacks IAM permission "cloudscheduler.jobs.update"
- Sign In with LinkedIn using OpenID Connect with Firebase Auth or GCP Identity Platform
- facebookAuthCredential.idToken is null in Flutter
- What marks Firebase Cloud Messaging tokens as inactive?
- Limitation to number of documents under one Collection in firebase firestore
- Gradle sync fails when trying to add firebase ml vision image label model
- How to fix wrong node version in `firebase deploy --only functions`
- Get documents from firestore based on timestamp field
- "flutterfire configure" command won't let me type in a package name