[FR] Verifying emulated ID Tokens and creating session cookies only works in the Functions Emulator

[favsss]

[REQUIRED] Environment info

firebase-tools: 8.14.1

Platform: Windows 10

[REQUIRED] Test case

Currently emulating a scenario where a signed in user sends userToken from frontend and backend decoded this token and retrieves uid for fetching data from database.

const firebase = require('firebase/app');
require('firebase/auth');

const config = require('./config/firebaseConfig.json');

const firebaseConfig = {
  apiKey: config.apiKey,
  authDomain: config.authDomain,
  databaseURL: config.projectId,
  projectId: config.projectId,
  storageBucket: config.storageBucket,
  messagingSenderId: config.messagingSenderId,
  appId: config.appId,
  measurementId: config.measurementId
};

firebase.initializeApp(firebaseConfig);
firebase.auth().useEmulator("http://localhost:9099/");

const serviceAccountKey = require('./config/serviceAccountKey.json');

const admin = require('firebase-admin');

const databaseUrl = `http://localhost:9000/?ns=${config.projectId}`;
admin.initializeApp({
  credential: admin.credential.cert(serviceAccountKey),
  databaseURL: databaseUrl
});

const perform = async() => {
  const email = "test3@gmail.com";
  const password = "password";
  await admin.auth().createUser({
    email: email,
    password: password
  });

  await firebase.auth().signInWithEmailAndPassword(email, password);
  const userToken = await firebase.auth().currentUser.getIdToken();

  // code fails here where admin is supposed to successfully verify id token
  await admin.auth().verifyIdToken(userToken);
};

perform();

[REQUIRED] Steps to reproduce

make sure that the following node packages are installed and firebase emulators for auth, firestore, and database are enabled:

 npm install -g firebase-tools
 npm install --save firebase
 npm install --save firebase-admin

[REQUIRED] Expected behavior

The userToken is decoded properly so that uid is extracted from the token for fetching data.

[REQUIRED] Actual behavior

It fails with Firebase ID token has no "kid" claim. The code is working normally except when using emulator.

WARNING: You are using the Auth Emulator, which is intended for local testing only.  Do not use with production credentials.
(node:24084) UnhandledPromiseRejectionWarning: Error: Firebase ID token has no "kid" claim. See https://firebase.google.com/docs/auth/admin/verify-id-tokens for details on how to retrieve an ID token.
    at FirebaseAuthError.FirebaseError [as constructor]

[mjroeleveld]

I'm running into this as well. I can't verify idTokens created by the emulator.

[samtstern]

@favs-sama where are you running the admin code?

Right now verifyIdToken() for auth emulator tokens only works inside the Functions emulator. This is out of a concern for security, short-circuiting verifyIdToken() is obviously dangerous if it accidentally happens in production so right now we only allow it in the Functions emulator, which we can control fully.

[favsss]

@samtstern originally i'm running the admin code verifyIdToken() in a backend prehandler function for handling user authorization; so, no i'm not running this inside a firebase function. although is there any other way to approach this kind of testing if currently verifyIdToken() for auth emulator is only accessible via functions emulator?

[samtstern]

@favs-sama yeah right now the only way to test this is inside the Functions emulator. We do want to change this eventually but it requires us to build in a more secure version of verifyIdToken() that would be less dangerous to your server in the event of a configuration mistake!

So for now I'll consider this a feature request.

[malcolmdeck]

I've created b/172262218 to track this feature request internally

[ricardoatsouza]

Also running into this. Will be watching this issue.

[samtstern]

I changed the name of this issue to more accurately reflect the feature request and include the use case from #2770

[AudunWA]

I'd need to verify/decode the token with the emulator as well.

[daniel-tucano]

@favs-sama where are you running the admin code?

Right now verifyIdToken() for auth emulator tokens only works inside the Functions emulator. This is out of a concern for security, short-circuiting verifyIdToken() is obviously dangerous if it accidentally happens in production so right now we only allow it in the Functions emulator, which we can control fully.

I was planing to use the auth emulator to do tests without some weird workarounds required at the moment. I think that this behaviour (or at least some imitation of it) should be implemented for testing purposes. This also should have been mentioned at the documentation, would have saved me some time haha