search

firebase / firebase-admin-python

Firebase Admin Python SDK
https://firebase.google.com/docs/admin/setup
Apache License 2.0
988 stars 301 forks source link

Illegal Firebase credential provided. App must be initialized with a valid credential instance error - when using another type of `google.auth.Credential` object with the SDK. #698

Open LPLabrys99 opened 1 year ago

LPLabrys99 commented 1 year ago

Hi there, I am having some issues using the firebase_admin python client with a credential object from outside the SDK.

In my use case, I want to initialize the firebase_admin SDK using a Service Account impersonation credential to list users within the firebase environment.

To do this I tried the following:

import google.oauth2.credentials
import google.auth.impersonated_credentials

source_credentials = google.oauth2.credentials.Credentials(token=id_token)
credentials = google.auth.impersonated_credentials.Credentials(
    source_credentials=source_credentials,
    target_principal=my_service_account_email,
    target_scopes=target_scopes,
    lifetime=500
)

app_options = {'projectId': project_id}
firebase_app = firebase_admin.initialize_app(
  credential=firebase_credential, options=app_options)

When running initialize_app it returns an exception - Illegal Firebase credential provided. App must be initialized with a valid credential instance.

Looking into the firebase-admin-python source code I was able to find the source of the problem. In firebase_admin/__init__.py line 209 the code checks whether the supplied credentials object is an instance of firebase_admin.credentials.Base. If not, then the SDK returns the exception.

I don't understand why this is the case. Why does firebase-admin-python have its own credentials class which seems to just wrap google.oauth2.credentials objects? Why wouldn't the Firebase SDK accept a google.oauth2.credentials object directly?

I was able to work around it by hacking the ApplicationDefault class that comes with the firebase-admin-python SDK, however this seems a bit backwards.

firebase_credential = firebase_admin.credentials.ApplicationDefault()
firebase_credential._g_credential = credentials
firebase_credential._project_id = SOURCE_PROJECT

In my opinion it would be better if the firebase SDK just made use of the google.auth module which has a much better implementation.

google-oss-bot commented 1 year ago

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

luka-mikec commented 7 months ago

I'm running into the same issue of firebase_admin not accepting impersonated_credentials.Credentials, is there an ETA for when this might be fixed?

dinvlad commented 5 months ago

Has anyone figured out another solution?