Open jaschaio opened 5 years ago
@jaschaio that's actually the new intended behavior although clearly it should be explained better. @abeisgoat can comment.
If you want to get the old behavior, try using firebase serve --only functions
instead of firebase emulators:start --only functions
. We have flagged off most of the new behavior in the serve
version.
@samtstern looks like this isn't that issue because he's already using serve
.
@jaschaio thanks for the helpful bug report. I was able to reproduce this behavior, although strangely, I only got it to work once. After downgrading to firebase-tools@6.8.0
and then upgrading back to 6.11.0
, the issue no longer existed.
I suspect this is because when calling admin.initializeApp()
without any arguments, it looks for the application default credential which was (perhaps on both our machines) out of date. When I went back and used the old emulator it shelled out to gcloud
under the hood which updated my old access token.
One easy work around is to just create a dedicated service account in the Firebase console and provide the credential to initializeApp()
, that'll totally work. However, I'd love if you could run gcloud auth application-default print-access-token
which should refresh it and then see if that fixes the emulator. If it does, we may just need to do a shell out to gcloud
to make sure application default creds are up to date.
@jaschaio while the error you got is not related to what I am about to say, it was actually protecting you from another more serious error. And fixing one will fix both, so let's just jump to that.
Ok so when you run admin.initializeApp()
it does this process to search for credentials:
https://cloud.google.com/docs/authentication/production#finding_credentials_automatically
When you're running in Cloud Functions it finds a service account and everything is great. When you're running locally it finds the credential you probably set up with gcloud auth application-default
login which is a user credential that has a Client ID that points to the shared gcloud
project. You don't have to care about that detail at all. However if you do try and use that credential to run admin.auth().listUsers()
you will get an error like this one:
Error: //cloud.google.com/docs/authentication/. Raw server response: "{"error":{"code":403,"message":"Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the identitytoolkit.googleapis.com. We recommend that most server applications use service accounts instead. For more information about service accounts and how to use them in your application, see https://cloud.google.com/docs/authentication/.","errors":[{"message":"Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the identitytoolkit.googleapis.com. We recommend that most server applications use service accounts instead. For more information about service accounts and how to use them in your application, see https://cloud.google.com/docs/authentication/.","domain":"usageLimits","reason":"accessNotConfigured","extendedHelp":"https://console.developers.google.com"}],"status":"PERMISSION_DENIED"}}"
So the way to solve this is to make sure you set GOOGLE_APPLICATION_CREDENTIALS
and point it to a service account JSON file for your project.
So you'd do:
GOOGLE_APPLICATION_CREDENTIALS=your_service_account.json firebase serve
Note that this is specific to the Auth API. You'll notice that the Firestore API accepts these "user credentials" without any complains. Both APIs consider this situation "working as intended" and for now there is nothing we can do to work around it in the emulator.
I hope that makes sense!
I just came into this very same problem.
So does this mean that, if you did firebase login
, then firebase use X
and you're running functions with serve
and NOT emulators:start
, it will still not work just like in previous versions?
Edit:
For testing purposes, I installed gcloud and did gcloud auth application-default login
resulting in success. Then, when running my function, the error @samtstern quotes appears.
Is there no other way to auth than to create this file?
I fully understand your goal of isolating us from production, but in some situations we really want to test with live database... and dumping the service account credentials into a file is not always the best and safest approach.
Kind of happens a similar thing with the config variables, that you have to hit firebase functions:config:get > .runtimeconfig.json
so you can get them work. I don't think this should be the case if you're using the serve
command.
@JFGHT Thanks for the thoughts - there's definitely some unintended behavior going on here, we want isolation by default but with the option to access production if you like. The authentication aspect of this is a hard problem worked on by many teams so it's made tougher because everyone needs to stay on the same page, but we're working on it :)
In regards to creating and setting the default credential, there are other options (like supplying an environmental variable), but we're still in the process of communicating with folks to figure out what they recommend people to use so we know what to recommend you to use.
We'll definitely smooth this out so we'll keep updating here as we figure out what we're doing.
Hey @abeisgoat & @samtstern, thanks for your input.
Exporting GOOGLE_APPLICATION_CREDENTIALS
worked for a while but now after updating to firebase-tools@7.0.2
I am getting a different error:
Error: //developers.google.com/identity/sign-in/web/devconsole-project. Raw server response: "{"error":{"code":401,"message":"Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.","errors":[{"message":"Invalid Credentials","domain":"global","reason":"authError","location":"Authorization","locationType":"header"}],"status":"UNAUTHENTICATED"}}"
at FirebaseAuthError.FirebaseError [as constructor] (/Applications/MAMP/htdocs/debug/functions/node_modules/firebase-admin/lib/utils/error.js:42:28)
at FirebaseAuthError.PrefixedFirebaseError [as constructor] (/Applications/MAMP/htdocs/debug/functions/node_modules/firebase-admin/lib/utils/error.js:88:28)
at new FirebaseAuthError (/Applications/MAMP/htdocs/debug/functions/node_modules/firebase-admin/lib/utils/error.js:146:16)
at Function.FirebaseAuthError.fromServerError (/Applications/MAMP/htdocs/debug/functions/node_modules/firebase-admin/lib/utils/error.js:185:16)
at /Applications/MAMP/htdocs/debug/functions/node_modules/firebase-admin/lib/auth/auth-api-request.js:1139:49
at process._tickCallback (internal/process/next_tick.js:68:7)
Test Case is the same as above, but using firebase-tools@7.0.2
instead of 7.0.0
. If I downgrade to 7.0.0 it works. It works as well using the latest versions of firebase-admin
and firebase-functions
but stops working as soon as I update firebase-tools
to 7.0.2
.
It happens when using any firebase.admin.auth method that requires credentials. I can confirm that the service account works and the environment variable GOOGLE_APPLICATION_CREDENTIALS
is properly set (if not it would fail using 7.0.0)
Should I open a new issue or keep this one?
@jaschaio so to be clear you're getting issues with admin.auth
calls when running GOOGLE_APPLICATION_CREDENTIALS=... firebase serve
? And these issues only happen on 7.0.2
and above? If that's the case let's keep it in this issue.
Yes. Try the test case above. It works with 7.0.0
and fails with this error on 7.0.2
Error: //developers.google.com/identity/sign-in/web/devconsole-project. Raw server response: "{"error":{"code":401,"message":"Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.","errors":[{"message":"Invalid Credentials","domain":"global","reason":"authError","location":"Authorization","locationType":"header"}],"status":"UNAUTHENTICATED"}}"
at FirebaseAuthError.FirebaseError [as constructor] (/Applications/MAMP/htdocs/debug/functions/node_modules/firebase-admin/lib/utils/error.js:42:28)
at FirebaseAuthError.PrefixedFirebaseError [as constructor] (/Applications/MAMP/htdocs/debug/functions/node_modules/firebase-admin/lib/utils/error.js:88:28)
at new FirebaseAuthError (/Applications/MAMP/htdocs/debug/functions/node_modules/firebase-admin/lib/utils/error.js:146:16)
at Function.FirebaseAuthError.fromServerError (/Applications/MAMP/htdocs/debug/functions/node_modules/firebase-admin/lib/utils/error.js:185:16)
at /Applications/MAMP/htdocs/debug/functions/node_modules/firebase-admin/lib/auth/auth-api-request.js:1139:49
at process._tickCallback (internal/process/next_tick.js:68:7)
To help narrow the search, 7.0.1
doesn't throw this error for me.
I don't know if anyone else is dumb enough to try what I did,
But I fixed this issue by going to the Firebase console and creating a Service account from there instead of creating a Service account from the GCP IAM & Admin area. Then I initialized the project with:
var serviceAccount = require('./myproject-1234.json');
admin.initializeApp({
projectId: 'myproject',
credential: admin.credential.cert(serviceAccount),
});
Downgrading my firebase-tools
package to 7.0.0
fixes the problem for me.
npm i -g firebase-tools@7.0.0
Be sure you check you're on the right version. I had a funky setup not too long ago where 6.x was still creeping up after an update:
firebase --version
This seems fixed for me within firebase-tools@7.2.2
and making sure the environment variable GOOGLE_APPLICATION_CREDENTIALS
is set to a service account .json
file (Using the one from the Firebase Console)
@jaschaio yes that will work, however we want this to work with "application default" credentials so users don't have to think about service accounts in testing (just like you don't have to in production).
@samtstern Any update on that issue?
Using the following dependencies fixed it for me (with node 10)
"firebase-admin": "~8.6.0",
"firebase-functions": "^3.2.0",
Using the following dependencies fixed it for me (with node 10)
"firebase-admin": "~8.6.0", "firebase-functions": "^3.2.0",
It doesn't work for me. Still receive that error:
Credential implementation provided to initializeApp() via the "credential" property failed to fetch a valid Google OAuth2 access token with the following error: "Error fetching access token: Error while making request: getaddrinfo ENOTFOUND metadata.google.internal metadata.google.internal:80. Error code: ENOTFOUND".
GOOGLE_APPLICATION_CREDENTIALS=your_service_account.json firebase serve
works for me as suggested by @samtstern but would be nice to have it work locally just as it works when deployed.
I don't know if anyone else is dumb enough to try what I did,
But I fixed this issue by going to the Firebase console and creating a Service account from there instead of creating a Service account from the GCP IAM & Admin area. Then I initialized the project with:
var serviceAccount = require('./myproject-1234.json'); admin.initializeApp({ projectId: 'myproject', credential: admin.credential.cert(serviceAccount), });
Tried this one and it worked. Was using firebase-admin@8.10.0
and firebase-tools@8.16.2
This is still happening for me, and is pretty annoying. Everything else works with ADC (GCE, Firestore, GCS, etc.) but for some reason auth doesn't, and this is considered to be "working as intended". I can't always set GOOGLE_APPLICATION_CREDENTIALS
because that confuses some other things that need to use application-default credentials. So I'm forced to set it and unset it depending on which of my local admin tools I'm using! It's even more annoying because when I switch projects from dev to production it's just one more thing to have to remember to switch, and if it's silently out of sync from gcloud config get-value project
then I can accidentally update the wrong dataset.
Getting the Following Error when using
initializeApp()
within the functions emulator without a credentials file. This worked before onfirebase-tools@6.8.0
. Has this behaviour changed between6.8.0
and6.11.0
? If yes, why isn't it within the changelogs? The docs actually say now thatStill wondering why it wasn't necessary in
firebase-tools@6.8.0
Related issues
1299 seems related, but I am using
firebase serve
instead offirebase emulators:start
Environment info
firebase-tools: 6.11.0 Platform: macOSX 10.14.5 Node: 10.15.3 (but ocurring with 8.14.0 as well) firebase-functions: 2.3.1 firebase-admin: 8.0.0
Test case
A freshly generated firebase project using
firebase init
with functions. Installfirebase-admin@8.0.0
andfirebase-functions@2.3.1
. Make sure you are running the latestfirebase-tools@6.11.0
. Runnpm install --save grpc
to prevent #1341.Use Node
10.15.3
or8.14.0
and change thepackage.json
engines node to10
or8
respectively.Than edit the
functions/index.js
file copying and pasting the below:Steps to reproduce
Run
firebase serve
within the newly created project as described above. Than make a request to the exported/login
endpoint. The error will be thrown in the terminal console.Expected behavior
No error should be thrown. The emulator should automatically have sufficient credentials to use
firebaseAdmin.auth()
methods.Actual behavior
If I downgrade back to
firebase-tools@6.8.0
it works.