Error using Firebase Admin with Application Default Credentials.

[Dan Simmons]

Use case:

• Using the absolute latest Firebase Admin (Node.js) locally.

• gcloud beta auth application-default login

• Per the docs: 
  // firebase.js
  
  /* @flow */

  import firebase from 'firebase-admin';

  
  

  export default firebase.initializeApp({

    credential: firebase.credential.applicationDefault(),

  });

• import firebaseApp from './firebase';
  
  // ...
  

  return firebaseApp.auth().verifyIdToken(token)

Result:

Error: Must initialize FirebaseApp with a service account to call auth().verifyIdToken()

Any ideas? The same Application Default Credentials work with google-cloud-node locally.

[Jacob Wenger]

Hey Dan,

This is unfortunately expected behavior with the current SDK. The error message could be improved (and I actually have a change out for review right now which does just that). The TL;DR is that the createCustomToken() and verifyIdToken() methods only work with a cert credential, not with the Application Default Credential. The reasons for this are a bit technical, but there is work we need to do to update the SDK to be able to use those methods when authenticated with the Application Default Credential. This is most definitely on our radar and we plan to bring support for this in a future release. No release dates to share though.

There are two workarounds for the time being:

1. Use a cert credential (admin.credential.cert()) instead of the Application Default Credential (admin.credential.applicationDefault()).
   
2. Verify ID tokens using a third-party JWT library [docs]. For Node.js, I would suggest jsonwebtoken by the Auth0 team. This is actually what we use in the Firebase Admin Node.js library itself.

Keep an eye out on the Firebase Admin Node.js release notes for when expanded support for the Application Default Credential is added.

Cheers,

Jacob

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-talk+unsubscribe@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/3dcaebdf-94fe-422d-8830-48efb37404eb%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Dan Simmons]

Hey Jacob,

Thanks for the prompt and detailed reply! It's encouraging to know that I'm not crazy after all ;-) I'm also more than willing to give you guys the benefit of the doubt being that this just became a possibility like two days prior to me attempting to use it!

Great to hear that it's on the radar, I'll be eagerly keeping my eye out. For what it's worth, I ran into what I can only assume is very similar issue (if not identical) with the google-cloud-node library, specifically with crypto operations as I'm attempting to sign files living in GCS for short-lived access. That one operation seems to have the same exact issue in the interim, whereas the rest of the operations I'm performing (eg. pulling from PubSub subscriptions) work fine.

In the short term, I'm blocked on that as well for my specific use case, but I appreciate that you've given me an idea for a workaround as far as Firebase Admin is concerned if it ends up getting resolved first! For now, I'm using my existing credentials.

Best,

Dan

P.S. -- FWIW as far as my specific use case goes, I'm interested in the Application Default Credentials to avoid having to ship around credentials securely. It's something that I'd ideally not commit to SCM or a Docker image. Of course I could use something like Kubernetes secrets, but it's just one more moving piece!

To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.

[Jacob Wenger]

Thanks for the follow-up. Your use case is heard loud and clear. Not requiring developers to ship around credentials is our goal and I'm glad you're ahead of the curve on this. It looks like GoogleCloudPlatform/gcloud-common/issues/180 is indeed the same situation. Hang tight while we improve the experience and functionality of the Application Default Credentials!

Cheers,

Jacob

To unsubscribe from this group and stop receiving emails from it, send an email to firebase-talk+unsubscribe@googlegroups.com.

To post to this group, send email to fireba...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/92383c90-b730-45fd-97d4-bbe84e3d2b64%40googlegroups.com.

[Paul Hovley]

Jacob, is there an update on this issue / what is the timeline for this?

Thank you!

Paul

[Jacob Wenger]

Hey Paul,

Still no update from my last response. Also, we don't publicly share timelines for things like this. It's on our to-do list but is lower priority than some other things we are working on. You'll have to stick to one of the two workarounds I shared for the time being. Sorry I don't have better news!

Cheers,
Jacob

To unsubscribe from this group and stop receiving emails from it, send an email to firebase-talk+unsubscribe@googlegroups.com.

To post to this group, send email to fireba...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/09001100-081b-4ffd-aaa5-08be022b0f45%40googlegroups.com.