Feature Request: Official support for integration with firebase-admin and google-auth-library ExternalAccountClient. #1322

Open
LumaKernel opened this issue Nov 21, 2021 · 4 comments

LumaKernel commented Nov 21, 2021

Is your feature request related to a problem? Please describe.
firebase-admin requires a credential in STS response format, but it is not exposed:

https://github.com/LumaKernel/google-auth-library-nodejs/blob/21a91c2c6e5317e6f6e2e8709bca2953999f98d4/src/auth/baseexternalclient.ts#L432-L432

We can calculate the STS response from cachedAccessToken, which is calculated from the above, but it is a private field.

Describe the solution you'd like
Exposing cached STS response, and optionally, exposing cachedAccessToken.

Describe alternatives you've considered
Only storing the cached STS response and making cachedAccessToken a getter.

Additional context

Workaround:

```ts
import admin from 'firebase-admin'
import type { GoogleOAuthAccessToken } from 'firebase-admin/app'
// FooAccountClient is a placeholder name; it is constructed below, so it needs a value import.
import { FooAccountClient } from 'google-auth-library'
import type { Credentials as GoogleAPICredentials } from 'google-auth-library'

// Converting to original STS response format.
const convertToFirebaseCredential = (gapiCred: GoogleAPICredentials): GoogleOAuthAccessToken => {
  const { access_token, expiry_date } = gapiCred
  if (typeof access_token !== 'string')
    throw new Error('Google auth credential without access_token is incompatible')
  if (typeof expiry_date !== 'number')
    throw new Error('Google auth credential without expiry_date is incompatible')
  return {
    access_token,
    // inverse operation of following
    // https://github.com/googleapis/google-auth-library-nodejs/blob/5ed910513451c82e2551777a3e2212964799ef8e/src/auth/baseexternalclient.ts#L446-L446
    expires_in: Math.floor((expiry_date - new Date().getTime()) / 1000),
  }
}

// Usage example
const createApp = async () => {
  const client = new FooAccountClient({ /* ... */ });
  const credential = {
    getAccessToken: async () => {
      // Called first so that the client's token cache is populated
      await client.getAccessToken()
      // cachedAccessToken is private
      const gapiCred: GoogleAPICredentials = (client as any).cachedAccessToken
      return convertToFirebaseCredential(gapiCred)
    },
  };
  admin.initializeApp({
    // ...
    credential,
  });
}
```

It is a real working workaround in our project.

@yoshi-automation yoshi-automation added the triage me I really want to be triaged. label Nov 22, 2021
@bcoe bcoe added the type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design. label Nov 22, 2021

bcoe (Contributor) commented Nov 22, 2021

@hiranya911, @lahirumaramba, I'm not very familiar with firebase-admin, I don't suppose you have any thoughts as to what the interface should look like to make it easier to integrate google-auth-library?

Would happily take a patch.

@yoshi-automation yoshi-automation removed the triage me I really want to be triaged. label Nov 22, 2021
gcf-owl-bot bot added a commit that referenced this issue Jan 10, 2022
Source-Link: googleapis/synthtool@6981da4
Post-Processor: gcr.io/cloud-devrel-public-resources/owlbot-nodejs:latest@sha256:3563b6b264989c4f5aa31a3682e4df36c95756cfef275d3201508947cbfc511e
bcoe pushed a commit that referenced this issue Jan 11, 2022
Source-Link: googleapis/synthtool@6981da4
Post-Processor: gcr.io/cloud-devrel-public-resources/owlbot-nodejs:latest@sha256:3563b6b264989c4f5aa31a3682e4df36c95756cfef275d3201508947cbfc511e

Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>

jpike88 commented May 28, 2022

????? @bcoe you literally work for Google. How do you not have a contact at the Firebase team that can help dive in and make things right?

I've spent many many hours to diagnose and create the below issue, it seems like this lib and firebase's auth lib are on different planets, and for no good reason.

#1418


irunika commented Feb 11, 2023

Do we have an idea of when this is going to release?
Are you saying we cannot verify a user if we are using the identity platform for the users?

Also, I tried to implement the workaround that is mentioned in #1322 (comment).
But FooAccountClient is not available in google-auth-library and I think it is a placeholder. Which client should I use for the identity platform?

"firebase-admin": "^11.5.0",
"google-auth-library": "^8.7.0"

Can someone please point me to the correct version for the provided workaround?
All other services we have are running on GCP and we need to implement authentication for the app ASAP and this has become a blocker to proceed with our work in limited time.

danielbankhead (Contributor) commented

Current WIP:

@danielbankhead danielbankhead self-assigned this Feb 28, 2024