OpenIdException(invalid_grant): Invalid JWT Signature in 0.1.3 #7

Closed
akfaisel opened this issue Aug 7, 2020 · 8 comments

@akfaisel

akfaisel commented Aug 7, 2020

Hi

Thank you for fixing state validation error.

Unfortunately, there is a new error coming from the new version 0.1.3 and error is given below.

Credential implementation provided to initializeApp() via the "credential" property failed to fetch a valid Google OAuth2 access token with the following error: "OpenIdException(invalid_grant): Invalid JWT Signature.". There are two likely causes: (1) your server time is not properly synced or (2) your certificate key file has been revoked. To solve (1), re-sync the time on your server. To solve (2), make sure the key ID for your key file is still present at https://console.firebase.google.com/iam-admin/serviceaccounts/project. If not, generate a key file at https://console.firebase.google.com/project/_/settings/serviceaccounts/adminsdk.

I have done the following.

  1. Synced my time in my Windows 10 system.
  2. Reconfirmed that the service key exists on the console and iam as well.
  3. I have tried both the ways using service json file and credential methods on the example page.

@rbellens
Contributor

Can you post the stack trace and example code that throws this?

@derfurth

Hello, I have the same problem.

Here's some example code:

final credentials = Credentials.applicationDefault();
final token = await credentials.getAccessToken();

Flow._getToken (openid.dart:354)
<asynchronous gap>
Flow.callback (openid.dart:367)
ServiceAccountCredential.createCredential (credential.dart:125)
_OpenIdCredential.getAccessToken (credential.dart:142)
<asynchronous gap>
Harness._setupFirebase (app.dart:45)

The reply from the token endpoint (https://oauth2.googleapis.com/token) :
{error: invalid_grant, error_description: Invalid JWT Signature.}

The credentials are loaded from service-account.json just fine, and the time stamp of the jwt from ServiceAccountCredential._createAuthJwt() seems ok.
I generated another service key from the cloud console just in case - same problem.

Also maybe a related issue : exchanging a custom token for an ID and refresh token doesn't work for me (https://firebase.google.com/docs/reference/rest/auth#section-verify-custom-token)

Sending a token obtained from auth.createCustomToken(uid) gets me an error code 400 'INVALID_CUSTOM_TOKEN'.

@derfurth

derfurth commented Aug 24, 2020

I updated my service account this time with a key generated from the Firebase console instead of the Cloud Console, now everything works.
I have no idea why since the key is registered to the same client_email and everything looks the same (except for the new key of course)...

@akfaisel
Author

Sorry for the delay in replying. My code is the same as in your example code. I have tried with

  1. Syncing time to the Windows server
  2. Created new key from the Firebase console. The environment variable GOOGLE_APPLICATION_CREDENTIALS is set and it points to the newly generated key.

import 'package:firebase_admin/firebase_admin.dart';
import 'package:firebase_admin/src/credential.dart';

void main() async {

  var credential = Credentials.applicationDefault();

  credential ??= await Credentials.login();

  var projectId = 'mtm-res-dc441';
  // create an app
  var app = FirebaseAdmin.instance.initializeApp(AppOptions(
      credential: credential ?? Credentials.applicationDefault(),
      projectId: projectId,
      storageBucket: '$projectId.appspot.com'));

  try {
    // get a user by email
    var v = await app.auth().getUserByEmail('faisel@email.com');
    print(v.toJson());
  } on FirebaseException catch (e) {
    print(e.message);
  }

  await for (var v in app.storage().bucket().list()) {
    print(v.name);
  }
}

Here is the terminal error

PS D:\android\projects\mtm-res-dart-server> dart server.dart
'git' is not recognized as an internal or external command,
operable program or batch file.
Building flutter tool...
Running pub upgrade...
Credential implementation provided to initializeApp() via the "credential" property failed to fetch a valid Google OAuth2 access token with the following error: "OpenIdException(invalid_grant): Invalid JWT Signature.". There are two likely causes: (1) your server time is not properly synced or (2) your certificate key file has been revoked. To solve (1), re-sync the
time on your server. To solve (2), make sure the key ID for your key file is still present at https://console.firebase.google.com/iam-admin/serviceaccounts/project. If not, generate a key file at https://console.firebase.google.com/project/_/settings/serviceaccounts/adminsdk.
Unhandled exception:
FirebaseAppError(app/invalid-credential): Credential implementation provided to initializeApp() via the "credential" property failed to fetch a valid Google OAuth2 access token with the following error: "OpenIdException(invalid_grant): Invalid JWT Signature.". There are two likely causes: (1) your server time is not properly synced or (2) your certificate key file has been revoked. To solve (1), re-sync the time on your server. To solve (2), make sure the key ID for your key file is still present at https://console.firebase.google.com/iam-admin/serviceaccounts/project. If not, generate a key file at https://console.firebase.google.com/project/_/settings/serviceaccounts/adminsdk.
#0 FirebaseAppInternals.getToken. (package:firebase_admin/src/app/app.dart:109:9)
#1 _RootZone.runBinary (dart:async/zone.dart:1455:54)
#2 _FutureListener.handleError (dart:async/future_impl.dart:157:20)
#3 Future._propagateToListeners.handleError (dart:async/future_impl.dart:708:47)
#4 Future._propagateToListeners (dart:async/future_impl.dart:729:24)
#5 Future._completeError (dart:async/future_impl.dart:537:5)
#6 _AsyncAwaitCompleter.completeError (dart:async-patch/async_patch.dart:47:15)
#7 FirebaseAppInternals.getToken. (package:firebase_admin/src/app/app.dart)

#8 FirebaseAppInternals.getToken. (package:firebase_admin/src/app/app.dart)
#9 new Future.microtask. (dart:async/future.dart:201:37)
#10 _microtaskLoop (dart:async/schedule_microtask.dart:41:21)
#11 _startMicrotaskLoop (dart:async/schedule_microtask.dart:50:5)
#12 _runPendingImmediateCallback (dart:isolate-patch/isolate_patch.dart:118:13)
#13 _Timer._runTimers (dart:isolate-patch/timer_impl.dart:404:11)
#14 _Timer._handleMessage (dart:isolate-patch/timer_impl.dart:428:5)
#15 _RawReceivePortImpl._handleMessage (dart:isolate-patch/isolate_patch.dart:168:12)

@akfaisel
Author

Hey, it works now for me.

derfurth updated my service account this time with a key generated from the Firebase console instead of the Cloud Console, now everything works.

But I wanted to try the other way round. I created the service key from the Cloud Console instead of Firebase Console and it worked for me. Yahooooo!

@TimWhiting

@akfaisel What was the change you made if any? I'm trying to generate a key from Cloud Console since I'm also using the googleapis package to use Cloud Tasks, so I need additional permissions beyond the firebase admin sdk.

@bedardjo

This appears to happen with certain keys (maybe some character that's not parsed properly?). One workaround is to just generate keys until it works.

@zacharypuulsedev

It looks like we're also being affected by this issue. Will try what @bedardjo has suggested and regenerate the keys.

The existing cert is definitely valid as it works to access firestore via a different package.
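
Added example, not part of the thread or of the firebase_admin package: a stdlib-only Python check that inspects an RS256 service-account assertion locally and separates a clock problem (`iat`/`exp`) from a signature that does not verify against the key's public half. The RSA key is a constructed toy key standing in for the service account's key pair, and `sign_assertion`, `diagnose`, the `iss` value and the 300-second skew are assumptions made for illustration.

```python
import base64, hashlib, json, time

# Constructed toy RSA key (two Mersenne primes); NOT secure, NOT a real service-account key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def b64u_dec(text):
    return base64.urlsafe_b64decode(text + b"=" * (-len(text) % 4))

def emsa_pkcs1_v15(message):
    """Padded SHA-256 digest that an RS256 signature must decrypt to."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def sign_assertion(claims, d=D, n=N):
    """Build the RS256 JWT a service account sends as its grant assertion."""
    header = b64u(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    signing_input = header + b"." + b64u(json.dumps(claims).encode())
    sig = pow(int.from_bytes(emsa_pkcs1_v15(signing_input), "big"), d, n)
    return signing_input + b"." + b64u(sig.to_bytes(K, "big"))

def diagnose(jwt, n=N, e=E, now=None, skew=300):
    """Return the list of problems found; an empty list means none."""
    now = time.time() if now is None else now
    head, body, sig = jwt.split(b".")
    claims = json.loads(b64u_dec(body))
    problems = []
    if claims["iat"] > now + skew:
        problems.append("iat is in the future: local clock runs ahead")
    if claims["exp"] < now - skew:
        problems.append("exp has passed: stale token or local clock behind")
    s = int.from_bytes(b64u_dec(sig), "big")
    expected = emsa_pkcs1_v15(head + b"." + body)
    if s >= n or pow(s, e, n).to_bytes(K, "big") != expected:
        problems.append("signature does not verify against the public key")
    return problems

# Constructed sample claims; iss is a placeholder, aud is the endpoint in the thread.
NOW = 1_600_000_000
CLAIMS = {"iss": "svc@example-project.iam.gserviceaccount.com",
          "aud": "https://oauth2.googleapis.com/token",
          "iat": NOW, "exp": NOW + 3600}
```

If the same key material verifies locally under one library but the token endpoint still rejects the assertion produced by another, the difference lies in how that second library parsed the key or built the signing input, not in the key's registration.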
