[BUG] Firebase Functions Tasks: Firebase ID token has incorrect "aud" (audience) claim.
Neofield-Dylan opened this issue · 4 comments
Which sample has a bug?
I implemented a firebase function v1 with nodejs to be a cron scheduler to enqueue a task to python v2 firebase functions cloud task deployed in the same GCP project.
I followed the firebase documentation to build the python firebase function task and to build a nodejs firebase function scheduler to enqueue it.
The problem is that I am getting authentication error when queuing:
ERROR:root:Error validating token: Firebase ID token has incorrect "aud" (audience) claim. Expected "project-Id" but got "https://mycloudtaskfunctionname-fgydghymbq-uc.a.run.app". Make sure the ID token comes from the same Firebase project as the service account used to authenticate this SDK. See https://firebase.google.com/docs/auth/admin/verify-id-tokens for details on how to retrieve ID token.
The error message does not make sense because the troubleshooting documentation states that:
If invoked by a service account, the audience claim (aud) of the Google-signed ID token must be set to the following:
- The Cloud Run URL of the receiving service, using the form https://service-xyz.run.app
It's clear by the log and the mentioned documentation that my nodejs cloud function is queuing with correct target uri.
But I can't understand why I still getting this authentication error as it's not performed by my python cloud functions as it's only prints the request data.
firebase CLI 13.4.1
nodejs 20.11.1
"firebase-admin": "^11.11.1",
"firebase-functions": "^4.5.0",
"google-auth-library": "^8.9.0",
Python 3.12
How to reproduce the issue
Implement queuing with firebase function v1 using nodejs.
Implement firebase function cloud task with python 3.12
Steps to set up and reproduce
Debug output
I overwrite to not show my project id and my firebase task functions name.
ERROR:root:Error validating token: Firebase ID token has incorrect "aud" (audience) claim. Expected "project-Id" but got "https://mycloudtaskfunctionname-fgydghymbq-uc.a.run.app". Make sure the ID token comes from the same Firebase project as the service account used to authenticate this SDK. See https://firebase.google.com/docs/auth/admin/verify-id-tokens for details on how to retrieve ID token.
Errors in the
console logs
Screenshots
Expected behavior
Python Firebase Cloud Task should expect audience as something like https://service-xyz.run.app
Actual behavior
Python Firebase Cloud Task expecting audience to be "my-project-Id"
I find a related issue => firebase/firebase-functions-python#157
I was using Python firebase-functions 0.1.2. Upgrading firebase-functions to 0.4.1 fixed the problem.
+1
+1