Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

quota_project_id ignored when loading local credentials file containing authorized_user credentials. #2106

Closed
JayStGelais opened this issue Mar 10, 2023 · 3 comments
Closed

quota_project_id ignored when loading local credentials file containing authorized_user credentials. #2106

JayStGelais opened this issue Mar 10, 2023 · 3 comments
Assignees
@lahirumaramba
Labels
api: core type: feature request

Comments

@JayStGelais
Copy link

JayStGelais commented Mar 10, 2023
edited
Loading

[READ] Step 1: Are you in the right place?

  • For issues related to the code in this repository file a Github issue.
  • If the issue pertains to Cloud Firestore, read the instructions in the "Firestore issue"
    template.
  • For general technical questions, post a question on StackOverflow
    with the firebase tag.
  • For general Firebase discussion, use the firebase-talk
    google group.
  • For help troubleshooting your application that does not fall under one
    of the above categories, reach out to the personalized
    Firebase support channel.

[REQUIRED] Step 2: Describe your environment

  • Operating System version: OSX 12.6.3
  • Firebase SDK version: 11.5.0
  • Firebase Product: auth
  • Node.js version: v16.19.1
  • NPM version: 8.19.3

[REQUIRED] Step 3: Describe the problem

Steps to reproduce:

When initailizing the firebase application using the application default credentials, the value for quota_project_id in the credentials file is ignored (relevent code), thus not adding the x-goog-user-project header to API requests.

Thus when testing application features locally that include verification of firebase issued JWTs, using my default user credentials with a quota project set, I get an API error stating the following:

UnauthorizedException: //cloud.google.com/docs/authentication/. If you are getting this error with curl or similar tools, you may need to specify 'X-Goog-User-Project' HTTP header for quota and billing purposes. For more information regarding 'X-Goog-User-Project' header, please check https://cloud.google.com/apis/docs/system-parameters. Raw server response: "{"error":{"code":403,"message":"Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the identitytoolkit.googleapis.com. We recommend configuring the billing/quota_project setting in gcloud or using a service account through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in your application, see https://cloud.google.com/docs/authentication/. If you are getting this error with curl or similar tools, you may need to specify 'X-Goog-User-Project' HTTP header for quota and billing purposes. For more information regarding 'X-Goog-User-Project' header, please check https://cloud.google.com/apis/docs/system-parameters.","errors":[{"message":"Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the identitytoolkit.googleapis.com. We recommend configuring the billing/quota_project setting in gcloud or using a service account through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in your application, see https://cloud.google.com/docs/authentication/. If you are getting this error with curl or similar tools, you may need to specify 'X-Goog-User-Project' HTTP header for quota and billing purposes. For more information regarding 'X-Goog-User-Project' header, please check https://cloud.google.com/apis/docs/system-parameters.","domain":"usageLimits","reason":"accessNotConfigured","extendedHelp":"https://console.developers.google.com"}],"status":"PERMISSION_DENIED","details":[{"@type":"type.googleapis.com/google.rpc.ErrorInfo","reason":"SERVICE_DISABLED","domain":"googleapis.com","metadata":{"consumer":"projects/32555940559","service":"identitytoolkit.googleapis.com"}}]}}"

This behavior is different than the Java version of the admin SDK where the quota_project_id is honored.

Relevant Code:

Sample call to initialize applications. Depends on ADC being set at ~/.config/gcloud/application_default_credentials.json

const app = firebase.initializeApp({
  credential: firebase.credential.applicationDefault(),
  projectId: config.projectId,
});
@lahirumaramba
Copy link
Member

This sounds like a duplicate of #1854

We are currently in the process of migrating the credentials handling to google-auth-library-nodejs, which should fix this and a bunch of other issues. :) #1377. I can't promise you a timeline on this, but this is one of our highest priority tasks this year.

In the meantime, if you would like to submit a fix to the existing implementation we would be happy to review any PRs. Thanks!

@lahirumaramba lahirumaramba self-assigned this Mar 10, 2023
@is2ei is2ei mentioned this issue Oct 17, 2023
Closed
@foxrafa
Copy link
Contributor

foxrafa commented May 13, 2024

I submitted a fix here #2553

@lahirumaramba
Copy link
Member

#2553 is now included in the v12.2.0 release. This will act as a stopgap until we complete the credentials migration to google-auth library.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@lahirumaramba lahirumaramba

Labels
api: core type: feature request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@lahirumaramba @JayStGelais @foxrafa @google-oss-bot