Firebase Auth ID token has incorrect "aud" claim
Asked Answered
B

10

45

I'm trying to verify an idToken backend. The user has successfully logged in to firebase client side but when I try to verify the idToken on my backend I get this not very helpful error message

Firebase Auth ID token has incorrect "aud" claim

The error message seems to have become a little more informative, and boils down to not having the project name in the auth key:

Error: Firebase ID token has incorrect "aud" (audience) claim. Expected "stripmall-0000" but got "617699194096-0aafcvsml0gke61d6077kkark051f3e1.apps.googleusercontent.com". Make sure the ID token comes from the same Firebase project as the service account used to authenticate this SDK. See https://firebase.google.com/docs/auth/server/verify-id-tokens for details on how to retrieve an ID token.

Anyone with the slightest idea what could be wrong? I receive the tokenId correctly from the client so that shouldn't be a problem. Sincere appologies if this has been asked before or is trivial in any other way.

  firebase.initializeApp({
        serviceAccount: {
            "type": "service_account",
            "project_id": <project id here>,
            "private_key_id": <key id goes here>,
            "private_key": <key goes here>
            "client_email": <email goes here>,
            "client_id": <my client id>,
            "auth_uri": "https://accounts.google.com/o/oauth2/auth",
            "token_uri": "https://accounts.google.com/o/oauth2/token",
            "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
            "client_x509_cert_url": <url goes here>
        },
        databaseURL: <my db url here>
    });

    router.post("/verify", function (req, res) {
        firebase.auth().verifyIdToken(req.body.idToken).then(function (decodedToken) {
            var uid = decodedToken.sub;
            res.send(uid);
        }).catch(function (error, param2) {
            console.log(error);  // 'Firebase Auth ID token has incorrect "aud" claim'
        });

    });
Bemock answered 12/7, 2016 at 17:9 Comment(3)
From what I understand aud is for "audience" and in this case refers to the project ID. Are you sure you have the correct project_id in there?Nutmeg
Well they been passed straight from the json file you get downloaded, so cant imagine there would be something wrong with that one..Bemock
I'm also seeing this consistently wrong. It get a further message what my audience key should be.Ehr
E
61

Your problem may be that you are trying to use the JWT token returned by one of the auth() functions like firebaseRef.auth().signInWithPopup(). These do return a JWT token, however the auth claims will likely be wrong and won't pass verification by verifyIdToken. Firebase tech support confirmed this.

You have to use the firebaseRef.auth().currentUser.getToken() function. That token will pass verification.

Ehr answered 28/8, 2016 at 15:50 Comment(7)
works for me, this should be accepted as correct answerRickettsia
I confirm this works, I've just encountered this issue in 2018. Use user.getIdToken() solve the problem.Weiman
Did their tech support explain why this was the case?Merryman
For anyone running into this issue, actually the correct one to use is firebase.auth().currentUser.getIdToken()Descartes
If the tokens coming out from firebase.auth().onIdTokenChanged(async (user) => { if (user) { const token = await user.getIdToken(); doesn't work, how am I supposed to use firebase.auth().currentUser.getToken() for server-side authentication such as NextJS?Flavia
I was plucking my hair for 5 hours without knowing this. It would have been better if it were written somewhere that the idToken returned differed in both these cases. Thanks a ton.Chez
Wow the doc is still not updated in 2024, and I was struggling for hours without knowing what's wrong. Thanks!Break
C
9

TLDR: As mentioned in another answer, you are not correctly initializing the App.

Although, I'm a bit late on this, I had the same issue, so I decided to dive in and see what was going on behind the hood.

First off, unless the API has changed since this question was asked, serviceAccount doesn't exist as a property as part of the AppOptions interface, which is probably why you were getting the error. So I'm going to assume what you have there is meant to be in the credential key.

Second, you see that this error is thrown at https://github.com/firebase/firebase-admin-node/blob/master/src/auth/token-verifier.ts (line 187 at the time of this writing) where the aud claim in the token is compared against this.projectId.

Now, as other answers mention, this could be because the token that you are trying to verify was not created client-side, but by some other custom method, in which case the aud claim could be non-existent, something completely random, or something that definitely won't equal your projectId so you should check that first.

However, if you are certain the token was created client-side, then it boils down to projectId not being set, or at least not set in the way you expect. If you look at the getProjectId() method in https://github.com/firebase/firebase-admin-node/blob/master/src/utils/index.ts (line 66 at the time of this writing), you see that the projectId is determined in one of 3 ways: from the app.options object directly, from the projectId property in app.options.credential, OR from process.env.GOOGLE_CLOUD_PROJECT || process.env.GCLOUD_PROJECT. This means that if the projectId is not set and if your project is hosted on GCloud (which I'm assuming stripmall-0000 is), then Google will automagically use your current environment's projectId for anything related to firebase-auth, not the projectId of the originating project.

So, three options:

  1. Initialize your app with projectId set directly in AppOptions:

    firebase.initializeApp({
        databaseURL: <my db url here>,
        // Set your projectId directly here in options:
        projectId: <your-projectId-here>
    });
    
  2. Or probably better to do this way by setting your credentials object properly:

    firebase.initializeApp({
        credentials: admin.credential.cert(<<path-to-your-certificate> || <admin.ServiceAccount object>>),
        databaseURL: <my db url here>
    });
    
  3. Or, just host the app within the same project as your firebase app (now that they are part of the same ecosystem) so that the environment variables are the same. (Not actually 100% about this, but I'm assuming this is how firebase-functions a.k.a. cloud-functions works)

Crain answered 18/12, 2018 at 18:4 Comment(2)
This solved my problem. I am using one service account to manipulate multiple firebases from different projects. Without passing the projectId explicitly it would just try to write to the project which the service account was created in.Dunsany
The first option works great if you just want to verify specific claims on a client-generated token. It avoids the need to manage the secret service account key that is in most of the firebase-admin examples.Ean
F
2

As Thach Lockevn mentioned in the comments The solution that worked for me was:

import { AngularFireAuth } from '@angular/fire/auth';
import { auth } from 'firebase/app';

this.angularFireAuth.signInWithPopup(new auth.GoogleAuthProvider()).then((googleAuth) => {
        this.user = googleAuth.user;
        googleAuth.user.getIdToken().then(tkn => {
            this.token = tkn;
            //send the token to the backend...
        });
    });
Fool answered 13/9, 2020 at 5:21 Comment(0)
R
1

The problem for me was not the token but that I needed to initialize my backend using a service account. Doing that you can also test and debug from the local dev server.

FileInputStream serviceAccount = new FileInputStream("path/to/serviceAccountKey.json");

FirebaseOptions options = new FirebaseOptions.Builder()
            .setCredentials(GoogleCredentials.fromStream(serviceAccount))
            .setDatabaseUrl("https://<DATABASE_NAME>.firebaseio.com/")
            .build();

FirebaseApp.initializeApp(options);
FirebaseAuth firebaseAuth = FirebaseAuth.getInstance();

// Get the FB uid from the token
FirebaseToken decodedToken = firebaseAuth.verifyIdTokenAsync(token).get();
String uid = decodedToken.getUid();

source: https://firebase.google.com/docs/admin/setup

Reformed answered 28/3, 2018 at 17:37 Comment(0)
A
1

There is two types of auth ID Token

  1. Google-Based
  2. Firebase Provide AuthIDToken

you need Firebase provided Token if you implement it with firebase authentication.

You will get the first Google id token and using that token you are getting credential which is used for authenticating firebase ,Here Provided

idToken : google id token

AuthCredential credential = GoogleAuthProvider.getCredential(idToken, null)

You are login into firebase using

firebase.signInWithCredential(credential).addOnCompleteListener(this, task -> { ....})

in this call back you will get firebase id token

ftoken : firebase id token

String ftoken = task.getResult().getUser().getIdToken(false).getResult().getToken()
Allred answered 18/1, 2022 at 16:55 Comment(0)
M
0

If you are running locally, this error message also pops up if you have the incorrect GOOGLE_APPLICATION_CREDENTIALS environment variable. Check to see if the JSON key that is set with this environment variable matches that of project.

Mcmillin answered 3/2, 2018 at 4:6 Comment(0)
M
0

There's another case that can produce this frustrating error. If you have a query tool like Postman, Insomnia, GraphQL Playground (the culprit this time), etc. open, then those may be holding old Authentication Bearer tokens and making requests to your API, even when your authentication keys have been changed.

The simple solution here is to clear out all the requests that are currently authenticated with those Bearer tokens and reauthenticate.

This is particularly nasty with GraphQL Playground, because its rudimentary nature forces you to copy/paste your auth token into each query tab's headers, so if you don't close or modify each and every tab, you're still going to be getting this error spamming your API console.

I'd recommend Insomnia as the antidote to this, as with proper query chaining practices, you avoid this entirely. Further details: you can automatically pass the bearer token result from a user authentication query to any other query through one of Insomnia's environment variables.

Marlea answered 9/6, 2020 at 18:42 Comment(0)
S
0

Wrong Audience (wrong project GOOGLE conflict between projects FIX)

I was using a NetJS server inside a GKE cluster (created using account A) and I was trying to connect the admin SDK to an external Firebase app (created using account B).

GKE was setting the credentials using an environment variable that was affecting the NextJS app

Solution

I set the GOOGLE_APPLICATION_CREDENTIALS environment for the NextJS app (you can use a .env file.

Conclusion

The Node variable has priority over the default auth app (Crazy!)

https://firebase.google.com/docs/admin/setup#initialize_the_sdk

Sawyer answered 12/4, 2021 at 2:59 Comment(0)
C
0

I stumbled in this error in a Flutter project. For me the case was a missing SHA fingerprint to be added in the firebase console.

If that my be the case, you can self sign your app and copy paste the key in the firebase console.

Step 1 generate key:

keytool -list -v -alias androiddebugkey -keystore ~/.android/debug.keystore

(official guide here: https://developers.google.com/android/guides/client-auth?hl=en)

Step 2 upload:

the previous step should have prompted you a key, just go to the console navigate to:

Project settings > general > your apps

Select your app and click on "add fingerprint key" and paste the key there

screenshot of the process, in italian

Cycle answered 31/10, 2023 at 15:47 Comment(0)
W
0

for me, using angular 17 and google signInWithPopup, the following token worked. Thanks Saumil Shah

import { getAuth, signInWithPopup, GoogleAuthProvider } from "firebase/auth";

constructor(@Inject(FirebaseApp) private app: FirebaseApp, public authSvc: AuthService) {}

auth = getAuth(this.app);
...
const result = await signInWithPopup(this.auth, this.provider);
let token = await this.auth.currentUser?.getIdToken();
Weekend answered 8/5, 2024 at 22:37 Comment(0)

© 2022 - 2025 — McMap. All rights reserved.