firebase / firebase-tools

The Firebase Command Line Tools
MIT License

firebase auth:emulators have different json data additionalUserInfo profile at production #4756

Open rymesaint opened 2 years ago

rymesaint commented 2 years ago

[REQUIRED] Environment info

firebase-tools: 11.3.0

Platform: macOS

[REQUIRED] Test case

Login using emulator
Login using firebase auth production

[REQUIRED] Steps to reproduce

[REQUIRED] Expected behavior

{at_hash: g-F0nYiggy_hbu8HhTKlPw, exp: 1658240233, azp: 143834371075-h8jqsht30aa13mtdct3tv0q5pp9tf4tn.apps.googleusercontent.com, nonce: GskHkFD0RDzqRhqreHGwocGdppgJP0tszXM34KFpQ44, picture: https://lh3.googleusercontent.com/a-/AFdZucqc4iha2GZgr-FD3Oy0MwZGwLwQGCAqbXW5BuASUw=s96-c, locale: en, iss: https://accounts.google.com, email_verified: true, sub: 104779650814885939520, aud: 143834371075-h8jqsht30aa13mtdct3tv0q5pp9tf4tn.apps.googleusercontent.com, family_name: Fauzan, iat: 1658236633, email: rymetutor@gmail.com, name: Ridwan Fauzan, given_name: Ridwan}

[REQUIRED] Actual behavior

{family_name: Fauzan, locale: en, id: 104779650814885939520, granted_scopes: openid https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email, verified_email: true, email: rymetutor@gmail.com, picture: https://lh3.googleusercontent.com/a-/AFdZucqc4iha2GZgr-FD3Oy0MwZGwLwQGCAqbXW5BuASUw=s96-c, given_name: Ridwan, name: Ridwan Fauzan}

lisajian commented 2 years ago

Hey there @rymesaint! Wanted to clarify that some of the claims that are missing are intentionally ignored by the Auth Emulator, e.g. exp, iat, at_hash - for more information about ignored fields, check out the inline documentation of this interface: https://github.com/firebase/firebase-tools/blob/ae788e76a8ea45e1c967bd6e37078a991c89dc6b/src/emulator/auth/operations.ts#L3308

Your issue does point out some unintentional behavior though, i.e. id claim should be the sub claim and verified_email should be email_verified. I'll open a PR that addresses those issues. Thanks for pointing this out!

lisajian commented 2 years ago

Just a quick update: Seems like the fields returned depend on what is used to sign in when signInWithIdp is invoked. The existing returned claims (aside from the ones that are intentionally ignored) are correct in certain cases and should be closer to what you're experiencing in other cases.

Since the scope of this is quite a bit larger than expected, I'm going to leave this issue open. I'll go ahead and file an internal bug for this in the meantime (Googler-only internal tracking bug: b/240451476). Let me know if/how this is negatively impacting you, and for other folks reading this, please thumbs up this comment so we know how to prioritize this bug. Thanks for your patience.
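
An added example, not part of the thread or of firebase-tools: client code that reads `additionalUserInfo.profile` can accept both shapes shown in the issue (`sub`/`email_verified` and `id`/`verified_email`) and fail closed on email verification. `normalizeGoogleProfile`, `pick` and the sample objects are hypothetical and constructed for illustration.

```javascript
// Hypothetical helper, not a Firebase SDK or firebase-tools API.
// Field names are taken from the two profile dumps in the issue.
const IGNORED_BY_EMULATOR = ["exp", "iat", "at_hash"]; // examples named in the thread

// Read a claim under either of its two names; refuse a profile where both
// names are present with different values.
function pick(profile, primary, alias) {
  const a = profile[primary];
  const b = profile[alias];
  if (a !== undefined && b !== undefined && a !== b) {
    throw new Error(`conflicting values for ${primary} and ${alias}`);
  }
  return a !== undefined ? a : b;
}

function normalizeGoogleProfile(profile) {
  if (profile === null || typeof profile !== "object") {
    throw new TypeError("profile must be an object");
  }
  const sub = pick(profile, "sub", "id");
  if (typeof sub !== "string" || sub === "") {
    throw new Error("profile carries neither sub nor id as a string");
  }
  return {
    sub,
    email: typeof profile.email === "string" ? profile.email : null,
    // Fail closed: only boolean true counts; missing or "true" does not.
    emailVerified: pick(profile, "email_verified", "verified_email") === true,
    // Claims that may be absent under the emulator, so callers never require them.
    absentClaims: IGNORED_BY_EMULATOR.filter((c) => !(c in profile)),
  };
}

// Constructed sample inputs (not the reporter's data).
const productionShape = {
  sub: "1000000000000000000001", email: "user@example.com",
  email_verified: true, exp: 1700003600, iat: 1700000000, at_hash: "constructed",
};
const emulatorShape = {
  id: "1000000000000000000001", email: "user@example.com", verified_email: true,
};
```
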