admin.auth().verifyIdToken returns a verified token with no email


Jean-Rémi Delteil

Jan 17, 2017, 1:00:05 PM
to Firebase Google Group
Hello,

I'm facing an issue where, for some existing users in the Authentication panel, the following method (node admin): admin.auth().verifyIdToken returns a verified token with no email.

To be clear, some users are normal, and an email is returned.
But for some others I'm getting a decodedToken like this:

var decodedToken = {
  iss: 'https://securetoken.google.com/firebase-project-id',
  aud: 'firebase-project-id',
  auth_time: 1234567890,
  user_id: 'userDatabaseID',
  sub: 'userDatabaseID',
  iat: 1234567890,
  exp: 1234567980,
  email: '',
  email_verified: false,
  firebase: {
    identities: {
      'google.com': [ 'user ID for google provider' ],
      email: [ '' ]
    },
    sign_in_provider: 'google.com'
  },
  uid: 'userDatabaseID'
};

I've investigated a little as it's somewhat a big issue, and found that using the client side library, the same user doesn't have an email in app.auth().currentUser.email but it has an email in app.auth().currentUser.providerData[0].email.
So client side, I'm getting away with this.

Another finding was when I tried the admin.auth().getUser() method (on node admin).
It returned (for the same problem user) this kind of info:

var UserRecord = {
  uidInternal: 'userDatabaseID',
  emailInternal: '',
  emailVerifiedInternal: false,
  displayNameInternal: undefined,
  photoURLInternal: undefined,
  disabledInternal: false,
  metadataInternal: {
    createdAtInternal: 'some valid date',
    lastSignedInAtInternal: 'some valid date'
  },
  providerDataInternal: [
    {
      uidInternal: 'user ID for google provider',
      displayNameInternal: 'User Name',
      emailInternal: 'user...@domain.com',
      photoURLInternal: 'https://lh4.googleusercontent.com/alotofrandomchars/photo.jpg',
      providerIdInternal: 'google.com'
    }
  ]
};

Here we find an email in providerDataInternal[0].emailInternal.
So I may also get away with it on the admin server.

But it seems like there are issues with the current implementation: the email for such a user doesn't get updated when he logs in.
One of those problem users is an account of mine, so I did some tests.

Any idea on how to get back to a clean situation with a healthy user database?

Bassam

Jan 17, 2017, 7:48:23 PM
to Firebase Google Group
Hey Jean-Rémi, are you using "Multiple accounts per email" setting in the Firebase console? If so this is expected for OAuth providers. The top level email is not set and only the email for the relevant provider is available.
If you switch to "one account per email" in the console, the email will be populated.
Currently, what you are experiencing works as intended.

Bassam

Jean-Rémi Delteil

Jan 18, 2017, 4:54:45 AM
to fireba...@googlegroups.com
The base is set to 'One account per email address'.

With your explanation, it should be okay to not have a master email,
but why in the Firebase ID token (decodedToken) do I also not have an email for the provider?

  firebase: {
    identities: {
      'google.com': [ 'user ID for google provider' ],
      email: [ '' ]
    },
    sign_in_provider: 'google.com'
  },

Is this intended too?


Best,

Jean-Rémi

Bassam

Jan 18, 2017, 1:00:02 PM
to Firebase Google Group
Oops, my bad. I was wrong. We never return the provider email in the token. We only do so on the FirebaseUser object. We only add the top level email in the token. In the case of "multiple accounts per email", this is not available unless it is an email/password provider.
I will relay your request to add this field in the token to the right people.

Bassam
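
Added example (not part of the thread and not Firebase's own code): one way a Node server could resolve an email when the verified ID token's top-level email claim is empty, by falling back to the provider entry on the user record returned by admin.auth().getUser(). The helper names, the sample data and the choice to report a provider email as unverified are assumptions of this example; `auth` stands for the object returned by admin.auth().

```javascript
// Constructed sample input, shaped like the decoded token and user record in the thread.
const SAMPLE_TOKEN = {
  uid: 'userDatabaseID',
  email: '',
  email_verified: false,
  firebase: {
    identities: { 'google.com': ['google-user-id'], email: [''] },
    sign_in_provider: 'google.com'
  }
};
const SAMPLE_RECORD = {
  uid: 'userDatabaseID',
  email: '',
  providerData: [{ providerId: 'google.com', uid: 'google-user-id', email: 'user@example.com' }]
};

// Treat '' (what the thread's token carries) the same as a missing value.
function nonEmpty(value) {
  return typeof value === 'string' && value.trim() !== '' ? value.trim() : null;
}

// Pure helper: prefer the token's top-level email claim, else fall back to the
// UserRecord entry for the provider named in firebase.sign_in_provider.
function resolveEmail(decodedToken, userRecord) {
  const claimed = nonEmpty(decodedToken.email);
  if (claimed) {
    return { email: claimed, verified: decodedToken.email_verified === true, source: 'token' };
  }
  const providerId = decodedToken.firebase && decodedToken.firebase.sign_in_provider;
  const providers = (userRecord && userRecord.providerData) || [];
  const match = providers.find((p) => p.providerId === providerId && nonEmpty(p.email));
  if (match) {
    // Assumption of this example: the token says nothing about a provider
    // email, so it is reported as unverified.
    return { email: nonEmpty(match.email), verified: false, source: 'provider:' + providerId };
  }
  return { email: null, verified: false, source: 'none' };
}

// `auth` is the object returned by admin.auth(); it is passed in so the
// lookup can be exercised with a stub.
async function emailForIdToken(auth, idToken) {
  const decoded = await auth.verifyIdToken(idToken); // rejects if the token is invalid
  const record = nonEmpty(decoded.email) ? null : await auth.getUser(decoded.uid);
  return resolveEmail(decoded, record);
}
```

Server code that makes access decisions should check the returned `verified` flag and `source` rather than the mere presence of an email string.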


Jean-Rémi Delteil

Jan 18, 2017, 1:50:21 PM
to fireba...@googlegroups.com
Thanks ;)!

Well, to have the email would be nice, but at least let the fields be logical (not returning an email but having an empty 'email' field is weird!)

Best,

Jean-Rémi Delteil
