FR: Support Authentication Emulator

[maku693]

Step 2: Describe your environment

• Operating System version: all
• Firebase SDK version: 4.1.0
• Firebase Product: auth

Step 3: Describe the problem

Firebase Local Emulator Suite has Authentication Emulator, but this SDK doesn't support the emulator yet.

While Realtime Database emulator support being discussed on #298, I believe emulator support can be implemented separately for each product, so I opened a new issue to discuss about Authentication Emulator support.

To support auth emulator, following implementation should be added (We can borrow the ideas of Node.js Admin SDK which already supports the emulator; cf. https://github.com/firebase/firebase-admin-node/pull/1044):

1. Provide a way to configure the auth client to use the Emulator Suite.
   • To be consistent with original Node.js implementation, auth emulator support should be enabled via setting FIREBASE_AUTH_EMULATOR_HOST environment variable.
2. Emulated signer for token generation / validation.
   • According to Node.js Admin SDK implementation, emulated signer returns null string as bytes from Sign(), and returns firebase-auth-emulator@example.com from Email().
   • And also, we should add Algorithm() method to signers, to switch algorithm to sign custom tokens based on which signer the client uses (Emulated signer uses none algorithm, other signers use RS256. cf. https://github.com/firebase/firebase-admin-node/blob/dbb0c785c9b72590c19655d3ab5a39338e0cd393/src/auth/token-generator.ts#L231-L252).
3. Replace identity toolkit API endpoints with local (emulated) ones when using the emulator.

The steps above mostly been deduced from Node.js implementation, so they are incomplete perhaps.

Relevant Code:

I've submitted a PR. #414

[samtstern]

@maku693 thank you for the detailed issue and the offer of a PR! I think to start we'd definitely be interested in supporting FIREBASE_AUTH_EMULATOR_HOST and the JWT signing as well, but we should skip anything to do with JWT verification. We're looking to improve the methods used in Node before porting those.

[samtstern]

cc @yuchenshi

[chris-rock]

Having this feature in this sdk would be really helpful!

[kanekv]

This issue has "help-wanted" label, is it already being worked on or needs help/contribution?

[yuchenshi]

This is on our roadmap, but we're still in the planning stage right now. We welcome contributions that help to land this feature sooner.

[chowey]

I've had success with this pull request, but @maku693 has not merged it into his branch or proposed his own pull request.

[samtstern]

Just to be clear there are two major parts to adding support here:

1. Make the library recognize FIREBASE_AUTH_EMULATOR_HOST and modify all outgoing HTTP requests accordingly.
2. Make the library have different behavior for verifying ID tokens and creating session cookies (JWT operations) when running against the emulator.

(1) is simple and we'd be happy to accept a PR implementing that. (2) is still being debated internally and we're not ready for that functionality right now.

[maku693]

Sorry I was away for a while, but I just proposed a PR! #414

[hiranya911]

This feature was released with v4.2.0

[chowey]

This leaves VerifyIDToken unsupported. It seems to me that VerifyIDToken is easily implemented by just skipping the signature check on the JWT, or (slightly better) by verifying there is no signature on the JWT. But I'm confused by the following:

Just to be clear there are two major parts to adding support here:

1. Make the library recognize FIREBASE_AUTH_EMULATOR_HOST and modify all outgoing HTTP requests accordingly.
2. Make the library have different behavior for verifying ID tokens and creating session cookies (JWT operations) when running against the emulator.

(1) is simple and we'd be happy to accept a PR implementing that. (2) is still being debated internally and we're not ready for that functionality right now.

Based on (2), are you saying that VerifyIDToken is intentionally unsupported until further notice?

VerifyIDToken is an important part of my Go backend. It is the function that reads the JWT and creates a Token. There is logic in my backend that uses the claims contained in the Token.

[samtstern]

@chowey that's correct but it's a temporary situation. We were still debating on the best way to implement emulated VerifyIdToken before doing it, so we left that out at first.

[maku693]

For Node.js SDK, https://github.com/firebase/firebase-admin-node/pull/1148 finally landed, so it seems now the 'temporary situation' has been concluded. Can I submit a PR to bring token verification to this SDK as well?

[samtstern]

@maku693 if you feel comfortable porting the Node.js technique from that PR to this repo then we would love to accept your PR! Let us know if you have any questions about the implementation.