Trying to authenticate a service account with firebase-admin from a Cloud Scheduler call? Error: Firebase ID token has incorrect "iss" (issuer) claim

Question

I'm trying to authenticate an API call made to my server (on Cloud Run) from a Cloud Scheduler cron job.

I'm trying to use a service account to this.

Note: this is all happening inside the same Project.

References:

• https://cloud.google.com/scheduler/docs/http-target-auth

This is what I'm doing:

STEP 1 - Create the service account

I went to https://console.cloud.google.com/apis/credentials and created a new service account. I've assigned the role as owner.

STEP 2 - Create the cron job.

I went to https://console.cloud.google.com/cloudscheduler to create the cron job like I always do.

In the service account field I've put my service account e-mail. In the Audience field, I've put my project id because at some point I got an error saying that it was expecting it to be the name of my project id.

This was the error:

Firebase ID token has incorrect "aud" (audience) claim. Expected "PROJECT_ID"

STEP 3 - Running the job and identify decoding the token:

This is the code on my server:

import * as admin from "firebase-admin";

admin.initializeApp({
  credential: admin.credential.cert(
    // THIS IS THE DEFAULT FIREBASE-ADMIN SERVICE ACCOUNT
    // THAT IS AUTOMATICALLY CREATED BY FIREBASE
    SERVICE_ACCOUNT as admin.ServiceAccount
)});

// THIS IS THE CODE THAT IS INSIDE MY SERVER TRYING TO VERIFY THE SERVICE ACCOUNT

try {
  const authHeader = req.headers.authorization;
  console.log(`authHeader: ${authHeader}`);
  if (authHeader) {
    const idToken = authHeader.split(" ")[1];   // GETS THE USER ID TOKEN
    const decodedToken = await admin.auth().verifyIdToken(idToken);
    console.log(`decodedToken: ${decodedToken}`);
  }
}

And this is the error I'm currently getting:

Firebase ID token has incorrect "iss" (issuer) claim. Expected "https://securetoken.google.com/"my-project-id" but got "https://accounts.google.com". Make sure the ID token comes from the same Firebase project as the service account used to authenticate this SDK. See https://firebase.google.com/docs/auth/admin/verify-id-tokens for details on how to retrieve an ID token.

Is there anything wrong with the way I'm doing it? Should I not be using firebase-admin to this?

Should I be using google-auth-library to verify the token?

• https://github.com/googleapis/google-auth-library-nodejs#verifying-id-tokens
• https://developers.google.com/identity/sign-in/web/backend-auth

question from:https://stackoverflow.com/questions/65937065/trying-to-authenticate-a-service-account-with-firebase-admin-from-a-cloud-schedu

Answer 1

After a morning in hell trying to debug this, here is what I've found.

It seems that firebase-admin's admin.auth().verifyIdToken() only works for tokens generated from the firebase SDK.

I got it to work by using the google-auth-library directly.

I did the following.

NOTE: The rest of the code is the same (using the same service account as described in the question):

import { OAuth2Client } from "google-auth-library";

export const apiExpressRouteHandler: RequestHandler = async (req, res) => {
  try {

    const PROJECT_ID = process.env.PROJECT_ID;

    const authHeader = req.headers.authorization;
    if (authHeader) {
      const client = new OAuth2Client(PROJECT_ID);
      const ticket = await client.verifyIdToken({
        idToken: authHeader.split(" ")[1],
        audience: PROJECT_ID
      });

      // LOGGING ticket PROPERTIES

      console.log(`userId: ${JSON.stringify(ticket.getUserId())}`);
      console.log(`payload: ${JSON.stringify(ticket.getPayload())}`);
      console.log(`envelope: ${JSON.stringify(ticket.getEnvelope())}`);
      console.log(`attributes: ${JSON.stringify(ticket.getAttributes())}`);
    }

    // REST OF THE CODE
  }
} 
catch(err) {
  // ...
}

I'm not sure if the PROJECT_ID is necessary to initialize the client with new OAuth2Client(PROJECT_ID); but it is working like this.