Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] Firebase Functions Tasks: Firebase ID token has incorrect "aud" (audience) claim. #1136

Open
Neofield-Dylan opened this issue May 29, 2024 · 2 comments
Open

[BUG] Firebase Functions Tasks: Firebase ID token has incorrect "aud" (audience) claim. #1136

Neofield-Dylan opened this issue May 29, 2024 · 2 comments
Labels
type: bug

Comments

@Neofield-Dylan
Copy link

Which sample has a bug?

I implemented a firebase function v1 with nodejs to be a cron scheduler to enqueue a task to python v2 firebase functions cloud task deployed in the same GCP project.

I followed the firebase documentation to build the python firebase function task and to build a nodejs firebase function scheduler to enqueue it.

The problem is that I am getting authentication error when queuing:

ERROR:root:Error validating token: Firebase ID token has incorrect "aud" (audience) claim. Expected "project-Id" but got "https://mycloudtaskfunctionname-fgydghymbq-uc.a.run.app". Make sure the ID token comes from the same Firebase project as the service account used to authenticate this SDK. See https://firebase.google.com/docs/auth/admin/verify-id-tokens for details on how to retrieve ID token.

The error message does not make sense because the troubleshooting documentation states that:

If invoked by a service account, the audience claim (aud) of the Google-signed ID token must be set to the following:
- The Cloud Run URL of the receiving service, using the form https://service-xyz.run.app

It's clear by the log and the mentioned documentation that my nodejs cloud function is queuing with correct target uri.

But I can't understand why I still getting this authentication error as it's not performed by my python cloud functions as it's only prints the request data.

firebase CLI 13.4.1
nodejs 20.11.1
"firebase-admin": "^11.11.1",
"firebase-functions": "^4.5.0",
"google-auth-library": "^8.9.0",

Python 3.12

How to reproduce the issue

Implement queuing with firebase function v1 using nodejs.
Implement firebase function cloud task with python 3.12

Steps to set up and reproduce

Debug output

I overwrite to not show my project id and my firebase task functions name.

ERROR:root:Error validating token: Firebase ID token has incorrect "aud" (audience) claim. Expected "project-Id" but got "https://mycloudtaskfunctionname-fgydghymbq-uc.a.run.app". Make sure the ID token comes from the same Firebase project as the service account used to authenticate this SDK. See https://firebase.google.com/docs/auth/admin/verify-id-tokens for details on how to retrieve ID token.

Errors in the
console logs

Screenshots

Expected behavior

Python Firebase Cloud Task should expect audience as something like https://service-xyz.run.app

Actual behavior

Python Firebase Cloud Task expecting audience to be "my-project-Id"
@Neofield-Dylan
Copy link
Author

I find a related issue => firebase/firebase-functions-python#157
@Neofield-Dylan
Copy link
Author

I was using Python firebase-functions 0.1.2. Upgrading firebase-functions to 0.4.1 fixed the problem.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
type: bug
1 participant
@Neofield-Dylan