Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

support standard credential interfaces #334

Open
ptone opened this issue Aug 9, 2018 · 8 comments
Open

support standard credential interfaces #334

ptone opened this issue Aug 9, 2018 · 8 comments
Assignees
@hiranya911
Labels
type: feature request

Comments

@ptone
Copy link

ptone commented Aug 9, 2018

  • Operating System version: Multiple
  • Firebase SDK version: All
  • Library version: All
  • Firebase Product: multiple (auth, database, storage, etc)

Feature request to support standard Google credential interfaces to support more custom credential integrations.

https://github.com/google/google-auth-library-nodejs

Currently this library uses bespoke approaches such as:

firebase-admin-node/src/firestore/firestore.ts

Line 90 in 5d43af1

credentials: {

@google-oss-bot
Copy link

Hmmm this issue does not seem to follow the issue template. Make sure you provide all the required information.

@google-oss-bot
Copy link

Hey there! I couldn't figure out what this issue is about, so I've labeled it for a human to triage. Hang tight.

@hiranya911
Copy link
Contributor

I ran into several issues last time I tried supporting google-auth credentials (can't remember what those were exactly right now). But if you want to support more custom credentials, you can do so by implementing the Credential interface provided by the Admin SDK: https://firebase.google.com/docs/reference/admin/node/admin.credential.Credential

@hiranya911
Copy link
Contributor

@ptone can you comment on how you think this should be exposed to the developers? What should the admin.initializeApp() method accept? I'm making some progress towards natively supporting google-auth-library, but what they consider to be "standard" Google Credentials are quite, umm, unusual (at least compared to other languages).

These are the options I can think of:

Option 1

This is what other Node.js GCP libraries support. But this doesn't support refresh token credentials, which is something we do support today.

// service account
admin.initializeApp({
  keyFilename: 'path/to/serviceAccount.json',
});

// or
admin.initializeApp({
  credentials: {client_email, private_key},
});

// ADC
admin.initializeApp();

Option 2

This has more in common with how the credentials are exposed in other languages (Java, Go, C# etc). Notice that this calls a bunch of async APIs at the initialization, which causes problems when trying to initialize the app in the global scope.

import {auth} from 'google-auth-library';

// service account OR refresh tokens
const file = require('path/to/file.json');
admin.initializeApp({
  credentials: auth.fromJSON(file),
});

// service accounts ONLY
const credentials = await auth.getClient({
  keyFilename: 'path/to/serviceAccount.json'
});
admin.initializeApp({credentials});

// or
const credentials = await auth.getClient({
  credentials: {client_email, private_key},
});
admin.initializeApp({credentials});

// ADC
admin.initializeApp();

// or
const credentials = await auth.getClient();
admin.initializeApp({credentials});

@hiranya911
Copy link
Contributor

Option 3

import {GoogleAuth} from 'google-auth-library';

// service account
admin.initializeApp({
  credentials: new GoogleAuth({
     keyFilename: 'path/to/serviceAccount.json',
  }),
});

// ADC
admin.initializeApp({
  credentials: new GoogleAuth(),
});

// this might work for refresh tokens
const credentials = require('path/to/file.json');
admin.initializeApp({
  credentials: new GoogleAuth({credentials});
})

@hiranya911
Copy link
Contributor

GCP Node.js libraries seem to follow the configuration mechanism outlined here: https://github.com/googleapis/google-cloud-node/blob/master/docs/authentication.md

@ptone
Copy link
Author

ptone commented Jan 2, 2019

Thanks for looking at this @hiranya911

I recall Python libs having the cleanest interface definition of a token, basically duck type so long as you have a refresh method, and a access_token and expiration set of attributes. The client library will call your refresh method as needed.

So I see this less about initializing with the well-known credential data, and more about providing an interface. In go with would be the tokensource https://godoc.org/golang.org/x/oauth2#TokenSource

Anything that can provide a token, can be used with the client-libs.

@hiranya911
Copy link
Contributor

Thanks @ptone. I think in our case that interface is Credential: https://firebase.google.com/docs/reference/admin/node/admin.credential.Credential. Admin SDK already accepts any object that implements this interface.

However, it seems all the Node.js GCP libraries are designed to work with only 2 types of credentials:

  1. service account credentials
  2. application default credentials

This means APIs like Firestore and GCS will not work with custom credentials. I will follow up with the GCP Node.js team and try to figure out what their thinking here is.

@hiranya911 hiranya911 self-assigned this Jan 2, 2019
@Jeremip11 Jeremip11 mentioned this issue Dec 14, 2023
Open
@takeratta takeratta mentioned this issue Dec 14, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@hiranya911 hiranya911

Labels
type: feature request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@ptone @hiranya911 @google-oss-bot