[英]Changing expected `audience` in firebase-admin's verifyIdToken
We are trying to implement a Google Sign-In button in our mobile app and send the idToken to our NodeJS
server to complete the authentication process.我们正在尝试在我们的移动应用程序中实现一个Google 登录按钮,并将idToken发送到我们的NodeJS
服务器以完成身份验证过程。 The generation of the idToken
on the mobile app works as expected but the verification of the token on the server-side with firebase-admin throws an audience mismatch error.移动应用程序上idToken
的生成按预期工作,但在服务器端使用firebase-admin验证令牌会引发受众不匹配错误。
Using the google-auth-library in our NodeJS server works as expected (minimal example):在我们的 NodeJS 服务器中使用google-auth-library按预期工作(最小示例):
import { OAuth2Client } from 'google-auth-library';
const client = new OAuth2Client(credentials.client_id);
(async () => {
const ticket = await client.verifyIdToken({
idToken: token,
audience: [
credentials.client_id,
'xyz.apps.googleusercontent.com', <===== clientId added here
],
});
const payload = ticket.getPayload();
console.log(payload); // GOOD! idToken verification successful!
})();
It works because we are manually adding the mobile's client id
which is specified in the google-services.json
of the mobile app.它之所以有效,是因为我们手动添加了在移动应用程序的google-services.json
中指定的移动client id
。
As we rather be using the firebase-admin package, we are wondering whether a similar audience
addition can be made to the SDK's verifyIdToken
method.由于我们宁愿使用 firebase -admin package,我们想知道是否可以对 SDK 的verifyIdToken
方法添加类似的audience
。 Currently this does NOT work:目前这不起作用:
import admin from 'firebase-admin';
const serviceAccount = fs.readJsonSync('./service-account.json');
admin.initializeApp({
credential: admin.credential.cert(serviceAccount),
});
(async () => {
const userInfo = await admin.auth().verifyIdToken(token);
console.log(userInfo); // ERROR! Verification throws error!
})();
It throws the following error:它抛出以下错误:
Error: Firebase ID token has incorrect "aud" (audience) claim.错误:Firebase ID 令牌的“aud”(观众)声明不正确。 Expected "xyz-123" but got "xyz.apps.googleusercontent.com".预期为“xyz-123”,但得到的是“xyz.apps.googleusercontent.com”。 Make sure the ID token comes from the same Firebase project as the service account used to authenticate this SDK确保 ID 令牌来自与用于验证此 SDK 的服务帐户相同的 Firebase 项目
We've made several attempts with:我们做了几次尝试:
clientId
in the Sign-In with Google
component on mobile.在移动设备上更改Sign-In with Google
组件中的 m clientId
。nodeJs
service account.更改nodeJs
服务帐户中的值。The result of those attempts was either the token was not being generated or we encountered the described mismatch verification error.这些尝试的结果是未生成令牌,或者我们遇到了所描述的不匹配验证错误。
Regarding adding the audience value manually as described under Method #1 , it seems the source code does not offer a way to supply more audiences.关于按照方法 #1中所述手动添加受众值, 源代码似乎没有提供提供更多受众的方法。
firebase-admin
and available in google-auth-library
?是否有理由在firebase-admin
中省略添加受众的选项并在google-auth-library
中提供?audiences
while verifying id tokens
with the firebase-admin
package?在使用 firebase firebase-admin
package 验证id tokens
时,是否有其他方法可以更改预期audiences
?I just had a similar problem and solved it by using我刚刚遇到了类似的问题并通过使用解决了
// gets firebase id token
const idToken = await result.user.getIdToken();
instead of代替
// gets original id token
const idToken = await GoogleAuthProvider.credentialFromResult(result).idToken;
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.