firebase / firebase-functions

Firebase SDK for Cloud Functions
https://firebase.google.com/docs/functions/
MIT License

Can't use verifyIdToken() in combination with initializeApp() on non-default env, gives error: Firebase ID token has incorrect "aud" (audience) claim #265

Closed alexbjorlig closed 6 years ago

alexbjorlig commented 6 years ago

Version info

firebase-functions: 1.0.2

firebase-tools: 3.18.6

firebase-admin: 5.12.1

Test case

On the client create a token with: auth.currentUser.getIdToken() and send it to the functions backend.

Initialize firebase auth with:

const admin = require('firebase-admin');

// No options: the SDK picks up credentials and project ID from the environment
admin.initializeApp();
const auth = admin.auth();

// And verify the token from the client (in some function)
auth.verifyIdToken(idToken)
  .then(() => console.log('success'))
  .catch(error => console.log(error.message));

Were you able to successfully deploy your functions?

yes

Expected behavior

I expect the above to work BOTH with the default env and my prod env.

Actual behavior

When using admin.initializeApp() the code only works with the default env. If you serve functions and client in a different env it fails with:

Firebase ID token has incorrect "aud" (audience) claim. Expected "<my-default>" but got "<my-prod>". Make sure the ID token comes from the same Firebase project as the service account used to authenticate this SDK. See https://firebase.google.com/docs/auth/admin/verify-id-tokens for details on how to retrieve an ID token.

However If I change to this:

admin.initializeApp({
  credential: admin.credential.cert(serviceAccount),
});

there are no problems!

I have been looking to see if it could be something with the GOOGLE_APPLICATION_CREDENTIALS env variable, but tried all combinations without success (unset, prod, dev etc). This is very frustrating because I am trying to debug an error that only happens in production, and thus it would be nice to be able to simulate production locally.

Update I just found a relevant comment from @laurenzlong here:

it's due to the fact that you're trying to use Firebase auth, which is not currently supported in local functions due to the way we do credentials. I'll work on a fix and keep you posted. (Caveat, the fix is non-trivial so it may take some time).

Is this actually just the problem? That functions currently not fully support admin.initializeApp(); ? And is there any downside to using initializeApp() with a credential file?

laurenzlong commented 6 years ago

Yes that is the problem. auth.verifyIdToken only works properly locally if you initialized with a service account like you did in the second code sample.

There aren't downsides to initializing an admin app with a service account other than you can't easily deploy the same code base to 2 projects via firebase use.

thechenky commented 6 years ago

@dauledk thanks for reporting, closing this out as there seems to be a workaround. Feel free to open a new issue if you're still encountering problems.

alexbjorlig commented 6 years ago

@thechenky It's ok with me if you close the issue, but I really think this is a weak point of the firebase functions platform. It's so cool if you ask me, when you don't have to initialize the app with credentials. The barrier to entry is just much lower for new people. If however initializing the application with certificates when doing auth related stuff is the recommended behaviour, then I would argue we should share/publish some boilerplate template demonstrating how to mangle with multiple certificates for multiple environments (like dev and production). It's details like this that make the difference between POC apps and the real thing a pain.

thekumar commented 1 year ago

I understand that there is a "workaround." But, it's sad that this is still an issue almost 5 years later. I spent 3+ hours late in the night trying to hunt this issue down.

karthikrao5 commented 10 months ago

Any updates here? I'm unable to run a full integration test that connects to an emulator because I need to authenticate the request with firebase auth and the firebase admin auth verifyIdToken function fails.

kadariabdul commented 3 months ago

I also need the solution