
Support for creating custom tokens without service account credentials #175


Merged: 12 commits, Jul 12, 2018

Conversation

hiranya911 (Contributor) commented May 31, 2018

Currently the SDK must be initialized with service account credentials in order to be able to call FirebaseAuth.createCustomToken(). With this PR, the SDK will attempt to sign custom tokens by calling the IAM service in the cloud when the service account credentials are not provided.

import firebase_admin
from firebase_admin import auth

uid = 'some-uid'  # placeholder user ID for the examples below

# The following works in GCP managed runtimes where the Metadata service is present
firebase_admin.initialize_app()
token = auth.create_custom_token(uid)

# The following works anywhere, since the service account ID is given explicitly
options = {
    'service_account_id': '[email protected]',
}
firebase_admin.initialize_app(options=options)
token = auth.create_custom_token(uid)

go/firebase-admin-sign
go/firebase-admin-iam-sign
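To make the fallback order in the description concrete, here is an added example (not code from this PR or from the SDK) of a custom-token signer for an app that has no private key: an explicit service_account_id option wins, otherwise the ID is discovered from the environment, and the signature is obtained from IAM. IamTokenSigner, iam_sign and discover_sa are hypothetical stand-ins for the SDK internals, the Metadata service and the IAM signBlob call; FIREBASE_AUDIENCE is the audience Firebase Auth expects in custom tokens.

```python
import base64
import json
import time

# Audience Firebase Auth expects in a custom token.
FIREBASE_AUDIENCE = ('https://identitytoolkit.googleapis.com/'
                     'google.identity.identitytoolkit.v1.IdentityToolkit')


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b'=').decode('ascii')


class IamTokenSigner:
    """Hypothetical signer for apps initialized without service account credentials.

    iam_sign:    callable(service_account, bytes) -> bytes; stand-in for IAM signBlob.
    discover_sa: callable() -> str; stand-in for Metadata service discovery
                 (None when no Metadata service is reachable).
    """
    def __init__(self, options, iam_sign, discover_sa=None):
        self.options = options or {}
        self.iam_sign = iam_sign
        self.discover_sa = discover_sa

    def resolve_service_account(self):
        # An explicitly configured ID overrides whatever the environment would supply.
        explicit = self.options.get('service_account_id')
        if explicit:
            return explicit
        if self.discover_sa is None:
            raise ValueError('Set service_account_id or run on a GCP managed runtime')
        return self.discover_sa()

    def create_custom_token(self, uid, developer_claims=None, now=None):
        if not isinstance(uid, str) or not 0 < len(uid) <= 128:
            raise ValueError('uid must be a non-empty string of at most 128 characters')
        account = self.resolve_service_account()
        iat = int(time.time() if now is None else now)
        payload = {'iss': account, 'sub': account, 'aud': FIREBASE_AUDIENCE,
                   'uid': uid, 'iat': iat, 'exp': iat + 3600}
        if developer_claims:
            payload['claims'] = developer_claims
        header = {'alg': 'RS256', 'typ': 'JWT'}
        signing_input = '.'.join(_b64url(json.dumps(part, separators=(',', ':')).encode())
                                 for part in (header, payload))
        try:
            signature = self.iam_sign(account, signing_input.encode())
        except Exception as exc:
            # Any IAM failure surfaces as a single SDK-level error instead of leaking.
            raise ValueError('Failed to sign custom token via IAM: {}'.format(exc))
        return signing_input + '.' + _b64url(signature)
```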


# If the SDK was initialized with a service account email, use it with the IAM service
# to sign bytes.
service_account = self.app.options.get('service_account_id')
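Review bot: the value read with `self.app.options.get('service_account_id')` is used as-is; an empty string or a non-string value would only fail later inside the IAM call with an unrelated error, so validate it here and raise ValueError naming the option before attempting to sign.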


So we don't want them to be able to override the default GCE credentials?

Contributor Author

If this option is not specified, we fall back to discovering the serviceAccountId from the environment. So this is the case when a developer is overriding the default serviceAccountId with an explicitly specified one.

return token_generator.create_custom_token(uid, developer_claims)

try:
return token_generator.create_custom_token(uid, developer_claims)


It looks like we are wrapping some calls with try catch (I assume because we now no longer assume that IAM calls work). How confident are you that you caught all the cases? This feels like it would be easy to miss one of these cases.

Contributor Author

IAM dependency is introduced with this PR. create_custom_token() is the only method that uses it.

@@ -194,6 +198,61 @@ def test_noncert_credential(self, user_mgt_app):
with pytest.raises(ValueError):
auth.create_custom_token(MOCK_UID, app=user_mgt_app)

def test_sign_with_iam(self):
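Review bot: the unchanged test_noncert_credential context at the top of this hunk still expects ValueError for a non-certificate credential, yet the PR now falls back to IAM signing in that situation, so a comment stating why this fixture still fails (no service_account_id option and no discoverable ID) would keep the test's intent clear; test_sign_with_iam below would likewise benefit from a one-line docstring saying how the IAM call is mocked, so it is obvious no network call is made.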


None of these tests exercise the new error cases you added, right?

Contributor Author

test_sign_with_iam_error below tests the failure case with a mock IAM error. I've added one more to emulate a service account ID discovery failure.

@hiranya911 hiranya911 assigned hiranya911 and unassigned bjornick Jun 25, 2018
@hiranya911 hiranya911 merged commit e4950a0 into master Jul 12, 2018
@hiranya911 hiranya911 deleted the hkj-jwt-sign branch July 12, 2018 18:05