firebaseservice-accountsgoogle-cloud-rungoogle-iamgoogle-cloud-scheduler

Trying to authenticate a service account with firebase-admin from a Cloud Scheduler call? Error: Firebase ID token has incorrect "iss" (issuer) claim


I'm trying to authenticate an API call made to my server (on Cloud Run) from a Cloud Scheduler cron job.

I'm trying to use a service account to this.

Note: this is all happening inside the same Project.

References:

This is what I'm doing:

STEP 1 - Create the service account

I went to https://console.cloud.google.com/apis/credentials and created a new service account. I've assigned the role as owner.

enter image description here

STEP 2 - Create the cron job.

I went to https://console.cloud.google.com/cloudscheduler to create the cron job like I always do.

enter image description here

In the service account field I've put my service account e-mail. In the Audience field, I've put my project id because at some point I got an error saying that it was expecting it to be the name of my project id.

This was the error:

Firebase ID token has incorrect "aud" (audience) claim. Expected "PROJECT_ID"

STEP 3 - Running the job and identify decoding the token:

This is the code on my server:

import * as admin from "firebase-admin";

admin.initializeApp({
  credential: admin.credential.cert(
    // THIS IS THE DEFAULT FIREBASE-ADMIN SERVICE ACCOUNT
    // THAT IS AUTOMATICALLY CREATED BY FIREBASE
    SERVICE_ACCOUNT as admin.ServiceAccount
)});

// THIS IS THE CODE THAT IS INSIDE MY SERVER TRYING TO VERIFY THE SERVICE ACCOUNT

try {
  const authHeader = req.headers.authorization;
  console.log(`authHeader: ${authHeader}`);
  if (authHeader) {
    const idToken = authHeader.split(" ")[1];   // GETS THE USER ID TOKEN
    const decodedToken = await admin.auth().verifyIdToken(idToken);
    console.log(`decodedToken: ${decodedToken}`);
  }
}

And this is the error I'm currently getting:

Firebase ID token has incorrect "iss" (issuer) claim. Expected "https://securetoken.google.com/"my-project-id" but got "https://accounts.google.com". Make sure the ID token comes from the same Firebase project as the service account used to authenticate this SDK. See https://firebase.google.com/docs/auth/admin/verify-id-tokens for details on how to retrieve an ID token.

Is there anything wrong with the way I'm doing it? Should I not be using firebase-admin to this?

Should I be using google-auth-library to verify the token?

enter image description here


Solution

  • After a morning in hell trying to debug this, here is what I've found.

    It seems that firebase-admin's admin.auth().verifyIdToken() only works for tokens generated from the firebase SDK.

    I got it to work by using the google-auth-library directly.

    I did the following.

    NOTE: The rest of the code is the same (using the same service account as described in the question):

    import { OAuth2Client } from "google-auth-library";
    
    export const apiExpressRouteHandler: RequestHandler = async (req, res) => {
      try {
    
        const PROJECT_ID = process.env.PROJECT_ID;
    
        const authHeader = req.headers.authorization;
        if (authHeader) {
          const client = new OAuth2Client(PROJECT_ID);
          const ticket = await client.verifyIdToken({
            idToken: authHeader.split(" ")[1],
            audience: PROJECT_ID
          });
    
          // LOGGING ticket PROPERTIES
    
          console.log(`userId: ${JSON.stringify(ticket.getUserId())}`);
          console.log(`payload: ${JSON.stringify(ticket.getPayload())}`);
          console.log(`envelope: ${JSON.stringify(ticket.getEnvelope())}`);
          console.log(`attributes: ${JSON.stringify(ticket.getAttributes())}`);
        }
    
        // REST OF THE CODE
      }
    } 
    catch(err) {
      // ...
    }
    

    I'm not sure if the PROJECT_ID is necessary to initialize the client with new OAuth2Client(PROJECT_ID); but it is working like this.