[Feature Request] Support for ServiceAccountID in Custom Token Creation #971
Comments
The factory has a I hope I got this correctly - I'm currently on the road and can't look into it in detail, but if this isn't it, I will have a closer look once I can get back to my desk 🤞🏻
Thank you for your response. I understand you're busy, and there's no rush - please feel free to look into this whenever you have time.
When trying to verify this ID token in Project A, the verification fails because the token's
Thank you for the detailed explanation, I really appreciate it! I will look into it! Please keep in mind that I have to implement it in a way that doesn't break backwards compatibility - it might be no problem, but I'll have to check, so, thank you for your patience! 🙏🏻
Thank you for your quick response! I completely understand about the backwards compatibility concerns. Please take your time to review and implement it properly. I really appreciate you looking into this request! 🙏
I've looked into it, and I'm not sure this is actually possible, in PHP at least (I looked into the official Admin SDKs but couldn't find something that helped me). The Custom Token Generator uses the credentials created with the help of the Are you sure just overriding the You mentioned how it's done in the Go Admin SDK, but this looks like the same initialization as in the PHP SDK - you give it a Service Account ID, and then the whole There are the GCECredentials provided by the I probably could make something work like

```php
$factory = new Factory();
$authForCurrentProject = $factory->createAuth();
$authForOtherProject = $factory->forServiceAccount($serviceAccountId)->createAuth();
```

but this would only work on GCE, and I don't know if it's even possible, because I would have to determine the GCE credentials myself instead of relying on And that's not even taking into account that I'm not sure I could implement this without breaking backward compatibility. I hope my ramblings somehow make sense, I'm writing this down as I'm looking into the Firebase Docs and the source code of the other SDKs. Perhaps this is something that could be made easier by introducing a code change in the PHP Perhaps I can figure out a solution when I look at it with a fresh mind (it's currently 2am where I am, and I spent a good 2h on this), but, at the moment, I'm not confident this can be done with the current setup.
What I found were impersonated and external service account credentials
But they seem to require service account JSONs with different
Again, I could add a method like At least that's what I'm seeing right now - please let me know if I got something wrong.
Thank you so much for spending a considerable amount of time investigating this, especially late at night! I really appreciate your thorough technical explanation and research. I was under the impression from the documentation that other SDKs allow separation between the service account ID used for token signing and the one used for Admin SDK operations. However, I'm now less confident about this understanding, especially considering the complexity around signature verification across different projects. I will look into alternative approaches on my end, so please don't spend any more time on this implementation. Thank you again for your detailed investigation and clear communication about the technical constraints!
Thank you for providing more details and the link to the docs, this helped me figure things out a little better! 🙏🏻 Do I understand you correctly that you can create a custom token for project

```php
Auth::createCustomToken(Stringable|string $uid, array $claims = [], $ttl = 3600): UnencryptedToken {}
```

to something like

```php
Auth::createCustomToken(Stringable|string $uid, array $claims = [], $ttl = 3600, string $serviceAccountID): UnencryptedToken {}
```

From the top of my head, I could imagine it working like this:

```php
$factory = new Factory();
$defaultAuth = $factory->createAuth();
$authForCustomToken = $factory
    ->withClientEmailForCustomTokenGeneration('...')
    ->createAuth();
$defaultCustomToken = $defaultAuth->createCustomToken('uid');
$customTokenForOtherServiceAccount = $authForCustomToken->createCustomToken('uid');
```

Both instances of When using the Laravel Package or the Symfony bundle, it would be quite complicated to implement this, though :/
If you want, I can create a PR with the change proposed above so that you could test if that works - once we confirm that it does, I can make it as "pretty" as possible and figure out Laravel/Symfony later.
I went ahead and created a PR, let's continue to iterate in the PR discussion 🙏🏻
Thank you so much for not only finding a potential solution but also creating a PR! I truly appreciate your dedication to making this work. Yes, your understanding is correct - we want to be able to sign custom tokens for project B using service account A. This is exactly what we're looking to achieve. I'll need some time to test the implementation. I'll provide feedback in the PR discussion once I've had a chance to try it out. Thank you again for all your help! 🙏
Describe the feature you would like to see
Thank you for your continuous development and maintenance of the Firebase PHP Admin SDK.
Feature Request Description
I would like to request support for specifying a service account ID when creating custom tokens, similar to how it's implemented in other Firebase Admin SDKs.
Current Situation
Currently, the Firebase PHP Admin SDK only supports creating custom tokens using the service account credentials loaded during initialization. There's no way to specify a different service account ID for token signing.
Proposed Feature
Add support for specifying a service account ID when creating custom tokens. This would allow using a different service account for token signing than the one used to initialize the SDK.
The feature would be particularly useful when running in Google-managed environments where you want to maintain consistency across different parts of your application by using a specific service account for token signing, without needing to include service account JSON files in your code.
Example Implementation (in Go)
Here's how it works in the Go Admin SDK:
Related Documentation
Using service account ID
Would love to hear your thoughts on this feature request. Thank you for considering it!
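As an added illustration (not code from the PHP SDK, the Go Admin SDK, or this thread), the Go program below shows what a service account ID actually controls in a Firebase custom token: the service account email is written into the `iss` and `sub` claims, the token is RS256-signed with that account's private key, and it only verifies against that same account's public key. The service account email, the uid and the RSA key are constructed sample values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

const FirebaseAudience = "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit"
var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url
// MintCustomToken signs an RS256 custom token. serviceAccountID lands in "iss" and "sub",
// which is what a serviceAccountId option sets, independently of the SDK's own project.
func MintCustomToken(key *rsa.PrivateKey, serviceAccountID, uid string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, _ := json.Marshal(map[string]any{"iss": serviceAccountID, "sub": serviceAccountID,
		"aud": FirebaseAudience, "uid": uid, "iat": now.Unix(), "exp": now.Add(time.Hour).Unix()})
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyIssuer checks the signature with pub and returns the "iss" claim. A public key
// that does not belong to the signing account fails here (the cross-project case).
func VerifyIssuer(token string, pub *rsa.PublicKey) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	sig, _ := b64.DecodeString(parts[2]) // a decode error leaves bytes that cannot verify
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", err
	}
	payload, _ := b64.DecodeString(parts[1])
	var c struct{ Iss, Sub string } // encoding/json matches "iss"/"sub" case-insensitively
	if json.Unmarshal(payload, &c) != nil || c.Iss == "" || c.Iss != c.Sub {
		return "", errors.New("iss and sub must both name the signing service account")
	}
	return c.Iss, nil
}
```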