RmR

Reputation: 2283

Google Endpoints Error: Firebase ID token has incorrect "aud" (audience) claim. Expected ... but got

I have seen similar questions however my use-case seems different. Let me explain.

  1. I have a SINGLE project.
  2. I am using Firebase Authentication in the project
  3. I have created a Node.js-based HTTP Cloud Function with different routes.

Using Postman I do a POST request to the Cloud function and use the login route and pass the email and password and get the token in the response.

Using Postman I do a POST request to the Cloud function and use the check route by passing the token from the earlier request and authenticate the token. It works. For this I use the admin.auth().verifyIdToken function of the firebase admin client.

All seems well.

Now, when I set up a Google Cloud Endpoint (on a Google Cloud Run container) in the same project, and:

  1. I have not set up any security options (as yet) in the Firebase Swagger YAML file.

  2. I make a POST request to the Google Cloud Endpoint using the login path, and I receive the token as before.

  3. But when I make my POST request using the Endpoint to the check path, I receive the "Firebase ID token has incorrect "aud" (audience) claim." error.

I seem to have tried every option offered by others in these forums. I have created a private key from the Firebase console and initialised the Firebase admin client with it, and yet I get the same error, which says: "The claim is supposed to be the Project-Id but it takes it to be the Function-name", which is part of the same project.

I have set up my Node.js function with cors (app.use(cors())) too, but the same error persists.

I have been at it for the last 4-5 days but do not seem to be able to find out what the exact problem is and why it is not able to accept the admin client function call. Anyone giving me a direction to pursue would be highly appreciated. Thanks.

Upvotes: 3

Views: 1629

Answers (2)

nareddyt

Reputation: 1085

Yes, ESP and ESPv2 will automatically override the Authorization header with a new token. This is for the use case where the backend Cloud Run service or Cloud Function requires authentication.

You can disable this automatic token override in x-google-backend using disable_auth. https://cloud.google.com/endpoints/docs/openapi/openapi-extensions#jwt_audience_disable_auth

However, your backend can still receive the original token without disabling this feature. From the x-google-backend documentation:

Therefore, if an API client sets the Authorization header, a backend running behind ESPv2 should use the X-Forwarded-Authorization header to retrieve the entire JWT. The backend must verify the JWT in this header, as ESPv2 will not perform verification when authentication methods are not configured.

If you only need the claims from the original token, see Receiving authenticated results in your API.

ESP usually forwards all headers it receives. However, it overrides the original Authorization header when the backend address is specified by x-google-backend in OpenAPI specification or BackendRule in gRPC service configuration. ESP will send the authentication result in the X-Endpoint-API-UserInfo to the backend API. It is recommended to use this header instead of the original Authorization header.

So for your use case, please modify your backend to read either X-Forwarded-Authorization or X-Endpoint-API-UserInfo depending on what fields you need. Do not read the Authorization header if you do not want to set disable_auth.

Upvotes: 5
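An added example (not code from the answer above, the question, or Google's own libraries) of how the Node.js backend could apply this advice: prefer X-Forwarded-Authorization, which still holds the client's Firebase ID token, over the Authorization header that ESPv2 has replaced, and hand that token to verifyIdToken. The verify function is passed in so the selection logic runs offline; the assumption that X-Endpoint-API-UserInfo carries base64-encoded JSON follows the quoted ESP documentation.

```javascript
// Extract the bearer token from an Authorization-style header value.
function extractBearer(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const m = /^Bearer\s+(\S+)$/i.exec(headerValue.trim());
  return m ? m[1] : null;
}

// Behind ESPv2 the Authorization header holds a Google-signed token whose
// audience is the backend URL, which is exactly why verifyIdToken reports
// an incorrect "aud" claim. The original client token is forwarded in
// X-Forwarded-Authorization, so that header is tried first; Authorization
// is only used as a fallback for requests that did not pass through ESP.
function selectIdToken(headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  return extractBearer(h['x-forwarded-authorization'])
      || extractBearer(h['authorization']);
}

// Decode the ESP authentication result. Assumption: base64-encoded JSON
// (Node's 'base64' decoder also accepts the URL-safe alphabet).
function parseUserInfo(headerValue) {
  if (typeof headerValue !== 'string') return null;
  try {
    return JSON.parse(Buffer.from(headerValue, 'base64').toString('utf8'));
  } catch (err) {
    return null; // malformed or missing: treat as unauthenticated
  }
}

// Handler for the "check" route. verifyIdToken is injected; in the Cloud
// Function pass admin.auth().verifyIdToken.bind(admin.auth()).
async function checkRoute(headers, verifyIdToken) {
  const token = selectIdToken(headers);
  if (!token) return { status: 401, body: { error: 'missing bearer token' } };
  try {
    const decoded = await verifyIdToken(token);
    return { status: 200, body: { uid: decoded.uid } };
  } catch (err) {
    return { status: 401, body: { error: String(err.message || err) } };
  }
}

// Constructed sample of the headers the backend sees behind ESPv2.
const sampleHeaders = {
  'authorization': 'Bearer <google-signed-token-inserted-by-esp>',
  'x-forwarded-authorization': 'Bearer <original-firebase-id-token>',
};
```

With the sample headers, selectIdToken returns the original Firebase ID token rather than the ESP-inserted one, which is the value the Postman body comparison in the question would have matched.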

RmR

Reputation: 2283

My observation has been that the token that gets sent via the request headers gets changed by the Google Endpoints server before it is processed by the Google Functions specified in the path of the YAML file.

I sent the token in the header as well as the body and found the values to be different by comparing them.

When I used the token sent via the body the firebase-admin client found it to be a valid id, while when I used the token from the request header it gave the above error.

Upvotes: 0
