在 firebase-admin 的 verifyIdToken 中更改预期的“受众”

Question

We are trying to implement a Google Sign-In button in our mobile app and send the idToken to our NodeJS server to complete the authentication process. The generation of the idToken on the mobile app works as expected but the verification of the token on the server-side with firebase-admin throws an audience mismatch error.

Method #1

Using the google-auth-library in our NodeJS server works as expected (minimal example):

import { OAuth2Client } from 'google-auth-library';

const client = new OAuth2Client(credentials.client_id);

(async () => {
    const ticket = await client.verifyIdToken({
            idToken: token,
            audience: [
                credentials.client_id,
                'xyz.apps.googleusercontent.com',   <===== clientId added here
            ],
        });

    const payload = ticket.getPayload();
    console.log(payload); //  GOOD! idToken verification successful!
})();

It works because we are manually adding the mobile's client id which is specified in the google-services.json of the mobile app.

Method #2

As we rather be using the firebase-admin package, we are wondering whether a similar audience addition can be made to the SDK's verifyIdToken method. Currently this does NOT work:

import admin from 'firebase-admin';

const serviceAccount = fs.readJsonSync('./service-account.json');

admin.initializeApp({
    credential: admin.credential.cert(serviceAccount),
});

(async () => {
    const userInfo = await admin.auth().verifyIdToken(token);
    console.log(userInfo);  // ERROR! Verification throws error!
})();

It throws the following error:

Error: Firebase ID token has incorrect "aud" (audience) claim. Expected "xyz-123" but got "xyz.apps.googleusercontent.com". Make sure the ID token comes from the same Firebase project as the service account used to authenticate this SDK

We've made several attempts with:

1. changing the m clientId in the Sign-In with Google component on mobile.
2. Changing the values in the nodeJs service account.

The result of those attempts was either the token was not being generated or we encountered the described mismatch verification error.

Regarding adding the audience value manually as described under Method #1 , it seems the source code does not offer a way to supply more audiences.

1. Could there be reason why the option to add audiences is omitted in firebase-admin and available in google-auth-library ?
2. Is there a different way to change the expected audiences while verifying id tokens with the firebase-admin package?

Answer 1

I just had a similar problem and solved it by using

// gets firebase id token
const idToken = await result.user.getIdToken();

instead of

// gets original id token
const idToken = await GoogleAuthProvider.credentialFromResult(result).idToken;