Error: [FirebaseDatabase] Authentication failed: invalid_token (Invalid claim 'aud' in auth token.)

[Kyle Visner]

Has anyone seen this error before?  

[FirebaseDatabase] Authentication failed: invalid_token (Invalid claim 'aud' in auth token.)

I've been seeing this since migrating to Firebase 3.0 on my IOS app.  The users appear to authenticate just fine, but somehow the auth token being returned by firebase is invalid.  It occurs any time I try to read the database.  My security rules are as follows: 

{

  "rules": {

    ".read": "auth != null",

    ".write": "auth != null"

  }

}

The error occurs even if I set the rules to just read/write true.

[Ian Barber]

That's not a super helpful message, sorry. Pretty clear that its not happy with the JWT, but given you don't create that directly not super useful :)

Did you update to the 3.0 version of the auth SDK as well, and if so, which auth provider are you using (and have you set them up in the new console?)

[Kyle Visner]

Yep, on pod version 3.0.2.  It occurs with all my providers, Facebook, twitter, and email/password.

[Robson Previato]

Same is happing to me. Even if I set rules do ".read" : true, ".write": true I get this error. In this case, if I remote Firebase/Auth from the pod it works when rules are public.

I create a support request to the Firebase team, but I didn't get response yet. As soon as I get a reply from they, I come back here.

[Martín De Girolamo]

Same for me, on my case I put database Public and Storage Public, Storage works fine, Database do not do nothing, I cant believe google with this error level.....

[Kato Richardson]

Hi Gents,

Sorry you're having issues getting started. If you want some help with these errors, please post a minimal repro, preferably on Stack Overflow or a new thread. Be sure to provide enough info to recreate the error conditions.

Also make sure that you're not creating projects in the new console, and then trying to authenticate with the 2.x SDK. Your migrated projects will work fine with the old API but not newly created ones.

Beyond this, reaching out to support is a great way to get some 1:1 help. For those of you who did reach out, thanks! We'll get you you as quickly as possible, I promise.

☼, Kato

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/349e8443-ebd8-4e2d-9395-c65ad3622cc0%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--

Kato Richardson |

Developer Programs Eng |

kato...@google.com |

775-235-8398

[Aleksandr Konakov]

I'm having the same issue. Let's see if I get any help from the support team.

[Ivan Tung]

I could reproduce this error 100% in iOS with the following steps.

1) Set up the iOS to use a Firebase app (ex. DB1) via the GoogleService-Info.plist

2) Sign in (authenticate using the Firebase email/password authentication).

3) Change the GoogleService-Info.plist to use a different Firebase app (ex DB2).

4) When the app restarts it automatically tries to authenticate to DB2 but it has an invalid token from authenticating with DB1.

5) Firebase internals outputs the error in the console  Error: [FirebaseDatabase] Authentication failed: invalid_token (Invalid claim 'aud' in auth token.).  It appears to continually output this message every few seconds.

6) Firebase will call the addAuthStateDidChangeListener block, but incorrectly return a user instead of signing the user out. So you are stuck in a limbo state.  You appear authenticated but you really are not.

7) The reason I believe this happens is Firebase stores the token in the key chain with the firebase app name (ie "__FIRAPP_DEFAULT" for the default configuration). so if you manually [FIRApp configureWithName ....] the token/app settings are stored in a different keychain.  To verify this I could execute code to delete the app keychain, then the app would start in the un-authenticated state.

8) For us we have a dev and a production Firebase.  With Firebase 2.x we could simply switch the url path without issue.

9) With the new Firebase it is a bit more problematic.  If you manually configure the FIRApp with options it appears the analytics still wants to load GoogleService-Info.plist because you will get some output complaining Firebase could not initialize the analytics because of the missing plist.

10) The ideal solution would have been if you could specify the plist manually (so you can have multiple configs) and specify the app name in it so it would be stored in the a different key chain. (hint: to firebase dev team ;-) )

[Alan Feng]

Hi guys, 

Any luck with this problem?

Ivan Tung於 2016年5月28日星期六 UTC+8上午4時22分52秒寫道：

[Michael Lehenbauer]

This error basically means the SDK failed to authenticate to the Firebase Database because the auth token was for a different project.  There are a couple ways you may hit this:

1. You've changed your GoogleService-Info.plist to point at a different project, but your app still has a cached token from a previous run.
   
   
2. I believe the iOS Simulator shares the keychain between apps, so if you have multiple apps using Firebase, one app might be picking up the token cached by another app.  This *only* happens in the simulator and we're working on changing the Firebase SDK to avoid this.

In either case, you can probably resolve the issue by doing an explicit signOut() call before initializing Firebase Database.

Hope this helps somebody!

-Michael

To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/76f3712c-a715-42c1-9795-824baebf4f26%40googlegroups.com.

[pa...@vtsw.com.au]

Following from Michael Lehenbauer's comments, what was causing the issue for me was different project_ids between my server and client, as indicated below:

Init in the server:
var credentials = {
  "type": "service_account",
  "project_id": "project-1111111111111111111",
  --- SNIP ---
};

Init in the client (Javascript in my case...):
var config = {
        apiKey: "abc123xxxyyy",
        authDomain: "project-2222222222222222222.firebaseapp.com",
  --- SNIP ---

Changing the project_ids to match fixed the problem.