Firebase requires reauth for Google Workspace Accounts

[RafaelZasas]

[REQUIRED] Environment info

firebase-tools: v13.5.2

Platform: Ubuntu 23.10

[REQUIRED] Test case

Login to firebase tools with workspace account, wait for oauth refresh token to expire (seems like it only takes an hour), and try to use any firebase-tools command.

[REQUIRED] Steps to reproduce

Sign in to firebase-tools with a google workspace account.

Use firebase-tools as normal.

Wait a couple hours, firebase-tools breaks:
FirebaseCommandException: An error occured on the Firebase CLI when attempting to run a command.
From the log:

[debug] [2024-03-21T09:54:19.248Z] > command requires scopes: ["email","openid","https://www.googleapis.com/auth/cloudplatformprojects.readonly","https://www.googleapis.com/auth/firebase","https://www.googleapis.com/auth/cloud-platform"]
[debug] [2024-03-21T09:54:19.248Z] > authorizing via signed-in user (admin@<my_domain>)
[debug] [2024-03-21T09:54:19.251Z] > refreshing access token with scopes: []
[debug] [2024-03-21T09:54:19.251Z] >>> [apiv2][query] POST https://www.googleapis.com/oauth2/v3/token [none]
[debug] [2024-03-21T09:54:19.252Z] >>> [apiv2][body] POST https://www.googleapis.com/oauth2/v3/token [omitted]
[debug] [2024-03-21T09:54:19.706Z] <<< [apiv2][status] POST https://www.googleapis.com/oauth2/v3/token 400
[debug] [2024-03-21T09:54:19.706Z] <<< [apiv2][body] POST https://www.googleapis.com/oauth2/v3/token [omitted]
[debug] [2024-03-21T09:54:19.706Z] Authentication Error: Your credentials are no longer valid. Please run firebase login --reauth

For CI servers and headless environments, generate a new token with firebase login:ci
[debug] [2024-03-21T09:54:20.110Z] FirebaseError: Authentication Error: Your credentials are no longer valid. Please run firebase login --reauth

Running firebase login yields:

Already logged in as admin@<my_domain>

[REQUIRED] Expected behavior

Since this issue is not present with my personal account, I assume there are some settings set by Google Admin Console. I have checked the Google Cloud session control and the App Access Control and there is no way to mark firebase cli as a trusted application, or extend the validation time for the oath token.

I expect to be able to login once, and have a valid refresh token for at least the same length of time as my other google services, but would ideally not have to log in again since I do not have to with my personal account.

[REQUIRED] Actual behavior

In order to get firebase-tools working again, I have to run firebase-login --reauth which although, on the surface doesn't seem like a big deal, but it gets annoying to do every single day, and sometimes even after a short lunch break too.

11:56:48 ❯ firebase projects:list --debug
[2024-03-21T10:01:51.933Z] Field ".functions" in "firebase.json" is possibly invalid: should be object
[2024-03-21T10:01:51.934Z] Field ".functions[0].runtime" in "firebase.json" is possibly invalid: should be equal to one of the allowed values
[2024-03-21T10:01:51.934Z] Field ".functions" in "firebase.json" is possibly invalid: should match some schema in anyOf
[2024-03-21T10:01:51.935Z] > command requires scopes: ["email","openid","https://www.googleapis.com/auth/cloudplatformprojects.readonly","https://www.googleapis.com/auth/firebase","https://www.googleapis.com/auth/cloud-platform"]
[2024-03-21T10:01:51.935Z] > authorizing via signed-in user (admin@<my_domain>)
⠋ Preparing the list of your Firebase projects[2024-03-21T10:01:51.937Z] > refreshing access token with scopes: []
[2024-03-21T10:01:51.938Z] >>> [apiv2][query] POST https://www.googleapis.com/oauth2/v3/token [none]
[2024-03-21T10:01:51.938Z] >>> [apiv2][body] POST https://www.googleapis.com/oauth2/v3/token [omitted]
⠧ Preparing the list of your Firebase projects[2024-03-21T10:01:52.516Z] <<< [apiv2][status] POST https://www.googleapis.com/oauth2/v3/token 400
[2024-03-21T10:01:52.516Z] <<< [apiv2][body] POST https://www.googleapis.com/oauth2/v3/token [omitted]
[2024-03-21T10:01:52.516Z] Authentication Error: Your credentials are no longer valid. Please run firebase login --reauth

For CI servers and headless environments, generate a new token with firebase login:ci
✖ Preparing the list of your Firebase projects
[2024-03-21T10:01:52.920Z] FirebaseError: Authentication Error: Your credentials are no longer valid. Please run firebase login --reauth

For CI servers and headless environments, generate a new token with firebase login:ci
    at invalidCredentialError (/home/rafael/.nvm/versions/node/v18.19.0/lib/node_modules/firebase-tools/lib/auth.js:142:12)
    at refreshTokens (/home/rafael/.nvm/versions/node/v18.19.0/lib/node_modules/firebase-tools/lib/auth.js:515:15)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Client.getAccessToken (/home/rafael/.nvm/versions/node/v18.19.0/lib/node_modules/firebase-tools/lib/apiv2.js:161:22)
    at async Client.addAuthHeader (/home/rafael/.nvm/versions/node/v18.19.0/lib/node_modules/firebase-tools/lib/apiv2.js:152:21)
    at async Client.request (/home/rafael/.nvm/versions/node/v18.19.0/lib/node_modules/firebase-tools/lib/apiv2.js:105:34)
    at async getProjectPage (/home/rafael/.nvm/versions/node/v18.19.0/lib/node_modules/firebase-tools/lib/management/projects.js:238:17)
    at async getFirebaseProjectPage (/home/rafael/.nvm/versions/node/v18.19.0/lib/node_modules/firebase-tools/lib/management/projects.js:255:23)
    at async listFirebaseProjects (/home/rafael/.nvm/versions/node/v18.19.0/lib/node_modules/firebase-tools/lib/management/projects.js:286:29)
    at async Command.actionFn (/home/rafael/.nvm/versions/node/v18.19.0/lib/node_modules/firebase-tools/lib/commands/projects-list.js:51:20)

Error: Failed to list Firebase projects. See firebase-debug.log for more info.

Also note, the log says that there is an issue with the runtime property in the functions object of firebase.json.
I know that this property is in the docs, and it is the only way to get firebase functions with python to run locally in emulators since I do not have python 3.12 installed on my system, I have to specify runtime of python311. Thats another issue entirely though.

[google-oss-bot]

This issue does not have all the information required by the template. Looks like you forgot to fill out some sections. Please update the issue with more information.

[joehan]

Hey @RafaelZasas - thanks for reporting this! I see two improvements we culd make here:
1 - We should throw a clearer error when using expired credentials that prompts you to run the reauth command.
2 - We should offer firebase CLI as a trusted app in Google Admin Console.

1 I'll take a crack at when I have some free time soon. 2 will likely be longer, since we'll need to escalate to Google Workspaces team.

[cmjordan42]

Yeah, this is pretty bad that Google and Google don't work together. Signing in with my Google Workspaces account also seems to have bound me to now ALWAYS login with an account under that Google Workspaces @my.domain - certainly not something I asked it to do - so it prevents me from logging in to one of my Firebase admin non-Workspace accounts in order to work around this bug.

I can't imagine it's that foreign for Firebase developers to also use Google Workspaces... I assumed that I hadn't configured something on Workspaces properly and it was being overly restrictive until I found this issue reported.

Please escalate this to Google Workspaces if you haven't already.

[joehan]

Hey @cmjordan42 - could you expand a bit on:

Signing in with my Google Workspaces account also seems to have bound me to now ALWAYS login with an account under that Google Workspaces @my.domain - certainly not something I asked it to do - so it prevents me from logging in to one of my Firebase admin non-Workspace accounts in order to work around this bug.

What does this actually look like for you? When you run 'firebase login', are you not able to login with @gmail.com accounts? Do you see a different login screen?

[cmjordan42]

Sure.

1. firebase login --reauth gives a URL to accounts.google.com oauth
2. The sign in page displays a prompt on the left side Choose an account from myworkspacedomain.com, despite it launching in Chrome that has a) multiple accounts authenticated with Google accounts; b) a Gmail account logged in to Chrome (not the account or domain in question)
3. The right side has only me@myworkspacedomain.com as a user selection option, with Use another account below it.
4. Attempting to Use another account yields a sign in page where it's prompting for me to enter my email but with a forced (immutable) @myworkspacedomain.com domain to the email

[jibongil]

It was a lot of trial and error for me, I hope this helps someone.

1. Download firebase cli for windows

2. (If there is a folder) delete C:\Users(User).cache\firebase

3. Change the download file file name to firebase-win.exe and move it to C:\ path.

4. After running Powershell, run the following command and perform authentication.
   C:\> ./firebase-win.exe login:ci

5. (Important!) Copy the firebase-win.exe executable file to the Flutter project path and change the file name to firebase.exe (*When running the flutterfire configure command, (perhaps) it searches for firebase.exe and if it is not recognized, the error below will occur. )

D:\flutter_project> flutterfire configure
⠙ Fetching available Firebase projects...
FirebaseCommandException: An error occured on the Firebase CLI when attempting to run a command.
COMMAND: firebase --version
ERROR: The FlutterFire CLI currently requires the official Firebase CLI to also be installed, see https://firebase.google.com/docs/cli#install_the_firebase_cli for how to install it.

6. Run flutterfire configure command to create firebase_options.dart file

[RafaelZasas]

Hey @RafaelZasas - thanks for reporting this! I see two improvements we culd make here: 1 - We should throw a clearer error when using expired credentials that prompts you to run the reauth command. 2 - We should offer firebase CLI as a trusted app in Google Admin Console.

1 I'll take a crack at when I have some free time soon. 2 will likely be longer, since we'll need to escalate to Google Workspaces team.

Hi @joehan Is there a status update on adding firebase CLI as a trusted app?

[Bullfrog1234]

Why is firebase-tools not requesting and using a refresh token. The hour long token is a standard access token length for lots of applications (including firebase auth). So, when using --reauth you are effectively starting the consent process from scratch like you have never gotten a token.

This is the only app that i have had issues with Google Workspace and never had to do anything to our Google Workspace to make it work.

Or am i missing something about this?