Firebase auth Emulator fails with IDP

Question

We have an app that is working fine in the Cloud with Google and Github as IDP.

When trying to work locally with the Emulator. The call to createSessionCookie fails with: FirebaseAuthError: There is no user record corresponding to the provided identifier

When I tried the following:

app.get('/console/sessionLogin', (req, res) => {

    const idToken = req.query.idToken;


    admin.auth().verifyIdToken(idToken)
        .then((result) => {
            console.log(">> VERIFY TOKEN = ", result);
        }, (error)=> {
            console.log(">>>> VERIFY FAILED ", error);
        });
});

I get this error: >>>> VERIFY FAILED FirebaseAuthError: Firebase ID token has invalid signature

---

Im starting the emulator with: GOOGLE_APPLICATION_CREDENTIALS=./service-auth.json FIREBASE_AUTH_EMULATOR_HOST=localhost:9099 firebase emulators:start

This is what I get when emulators start:

i  emulators: Starting emulators: auth, functions, firestore, hosting
⚠  functions: The following emulators are not running, calls to these services from the Functions emulator will affect production: database, pubsub
✔  functions: Using node@14 from host.
⚠  functions: Your GOOGLE_APPLICATION_CREDENTIALS environment variable points to ./service-auth.json. Non-emulated services will access production using these credentials. Be careful!
⚠  firestore: Did not find a Cloud Firestore rules file specified in a firebase.json config file.
⚠  firestore: The emulator will default to allowing all reads and writes. Learn more about this option: https://firebase.google.com/docs/emulator-suite/install_and_configure#security_rules_configuration.
i  firestore: Firestore Emulator logging to firestore-debug.log
i  hosting: Serving hosting files from: public
✔  hosting: Local server: http://localhost:8090
i  ui: Emulator UI logging to ui-debug.log
i  functions: Watching "/Users/.../functions" for Cloud Functions...
✔  functions[console]: http function initialized (http://localhost:5001/XXXX/us-central1/console).

┌─────────────────────────────────────────────────────────────┐
│ ✔  All emulators ready! It is now safe to connect your app. │
│ i  View Emulator UI at http://localhost:8091                │
└─────────────────────────────────────────────────────────────┘

┌────────────────┬────────────────┬─────────────────────────────────┐
│ Emulator       │ Host:Port      │ View in Emulator UI             │
├────────────────┼────────────────┼─────────────────────────────────┤
│ Authentication │ localhost:9099 │ http://localhost:8091/auth      │
├────────────────┼────────────────┼─────────────────────────────────┤
│ Functions      │ localhost:5001 │ http://localhost:8091/functions │
├────────────────┼────────────────┼─────────────────────────────────┤
│ Firestore      │ localhost:8080 │ http://localhost:8091/firestore │
├────────────────┼────────────────┼─────────────────────────────────┤
│ Hosting        │ localhost:8090 │ n/a                             │
└────────────────┴────────────────┴─────────────────────────────────┘
  Emulator Hub running at localhost:4400
  Other reserved ports: 4500

I added console.log to the auth class just before it makes the call and I see this:

>  SENDING AUTH REQUEST  {
>    method: 'POST',
>    url: 'http://localhost:9099/identitytoolkit.googleapis.com/v1/projects/XXXX:createSessionCookie',
>    headers: { 'X-Client-Version': 'Node/Admin/9.7.0' },
>    data: {
>      idToken: 'eyJhbGciOiJSUzI1NiIsImtpZCI6ImNjM2Y0ZThiMmYxZDAyZjBlYTRiMWJkZGU1NWFkZDhiMDhiYzUzODYiLCJ0eXAiOiJKV1QifQ.eyJuYW1lIjoiWW9hdiBOaXJhbiIsInBpY3R1cmUiOiJodHRwczovL2xoMy5nb29nbGV1c2VyY29udGVudC5jb20vYS0vQU9oMTRHajczX2tnUmQxVnBTV3Y2RzRrOU41ZHZLNkRESjJlaGZrUUhPN2w9czk2LWMiLCJpc3MiOiJodHRwczovL3NlY3VyZXRva2VuLmdvb2dsZS5jb20vbWVkaWEtZmxvdy1iMzdkMSIsImF1ZCI6Im1lZGlhLWZsb3ctYjM3ZDEiLCJhdXRoX3RpbWUiOjE2MjAyMTExOTMsInVzZXJfaWQiOiJFa2lhRUc0NXFoTU9Jbk5VT01IbHJOYVpuR24yIiwic3ViIjoiRWtpYUVHNDVxaE1PSW5OVU9NSGxyTmFabkduMiIsImlhdCI6MTYyMDIxMTE5MywiZXhwIjoxNjIwMjE0NzkzLCJlbWFpbCI6InlvYXZAY2xvdWRpbmFyeS5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiZmlyZWJhc2UiOnsiaWRlbnRpdGllcyI6eyJnb29nbGUuY29tIjpbIjEwNzEwMTUyNzU2NTgzOTU0Nzg4MyJdLCJlbWFpbCI6WyJ5b2F2QGNsb3VkaW5hcnkuY29tIl19LCJzaWduX2luX3Byb3ZpZGVyIjoiZ29vZ2xlLmNvbSJ9fQ.grIXaGN9-Ue92EZqN7NNgoUo3vQF8zxApvHZ6IvucWIQOJKDMJnSxEvWGH6P7vg4ETQldgg1VtLNC-eRhE_417OJYKkqpTutsT6mihUgiAHmFoVWcrcgDFn0PSi0eznqFiYq36OpAJQo8CiaMIrFeyqrhe9qQUdhKvz-1XzksbsKc1gna-6yVcdaQtcEfsmmrMJnfK9MQ1MsE2_F3ooVzV5Ym1b_6cFNAilBPHThIVn7kZ64kTBqTOUon06PV3uD_Svv3X3B971cW9oXSnZGZDEJs6fP0vHyKhakFrNVNwcgbhPnJ7WIkNjh0WuG3yYMSNn8LauZMllHP2iV3nICAA',
>      validDuration: 432000
>    },
>    timeout: 25000
>  }

so it looks like the emulated auth service is failing when given the id token from the IDP...

Im not sure what else I'm missing. Havent been able to find anything online regarding this specific issue.

Last thing that might be relevant - im running on node 14.15.1

Answer 1

I had the same issue.

It turned out that the token I was trying to validate was actually coming from my production authentication instance and not the emulator.

To fix it, I had to tell my app to use the emulator for authentication instead:

const auth = firebase.auth();
auth.useEmulator("http://localhost:9099");

More information at here .