firebase MISSING_CUSTOM_TOKEN error while curl "https://identitytoolkit.googleapis.com/v1

Question

Goal: I want to learn how use custom tokens with FireStore.

Tentative: I try follow firebase curl example by

curl "https://identitytoolkit.googleapis.com/v1/accounts:signInWithCustomToken?key=AIzaSyCO0B7UXo2OcfhXQ2gBxHAPuN5muusiIFw" -H 'Content-Type: application/json' --data-binary '{"token":"123456","returnSecureToken":true}' 

and I got

{
  "error": {
    "code": 400,
    "message": "MISSING_CUSTOM_TOKEN",
    "errors": [
      {
        "message": "MISSING_CUSTOM_TOKEN",
        "domain": "global",
        "reason": "invalid"
      }
    ]
  }
}
curl: (6) Could not resolve host: application

The curl command above was filled in with my "Firebase Web API Key" copied from Firebase/My Project/General/Web Api Key. Then I added a token just for testing "123456". If I understood correctly the documentation, I should get a Token back.

My final goal is to add a Custom Token to my Firebase project which allows an Angular client connect to Firestore and be notified when the document is changed.

For creating a Custon Token, the best steps I have found is Stackoverflow Custom Token Question. So I am trying to create it with:

const admin = require('firebase-admin');
const serviceAccount = require('./angular-firebase-auth0-3c084-firebase-adminsdk-lu97a-6ba2ba41e0.json')

admin.initializeApp({
  credential: admin.credential.cert(serviceAccount)
});

var uid = "some-uid";
var claim = {
  control: true
};
admin.auth().createCustomToken(uid, true)
  .then(function (customToken) {
    console.log(customToken)
  })
  .catch(function (error) {
    console.log("Error creating custom token:", error);
  });

angular-firebase-auth0-3c084-firebase-adminsdk-lu97a-6ba2ba41e0.json was downlowaded from Firebase and contains:

{
  "type": "service_account",
  "project_id": "angular-firebase-auth0-3c084",
  "private_key_id": "6ba2ba41e0bf3837841aa9772c7d880b7ce3be81",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAg ...... +n+uYQTJSJPM7Tvgfssa8X1KK09zoj2f7ZLvcjGzl/VF2D7uf23VtAL2RZsB7z14\ny4rnDCc4Rx7nslGUk6kwEz+xJYUpP96rkp5iv/qUuoveJdI/NogJjgUtvRUa2evA\ntg2PV9xsYvkt8+8Ce79fYKA=\n-----END PRIVATE KEY-----\n",
  "client_email": "firebase-adminsdk-lu97a@angular-firebase-auth0-3c084.iam.gserviceaccount.com",
  "client_id": "114324662014690107039",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/firebase-adminsdk-lu97a%40angular-firebase-auth0-3c084.iam.gserviceaccount.com"
}

and I got

C:\WSs\FireStoreDemos\firestore-custom-token>node server
C:\WSs\FireStoreDemos\firestore-custom-token\node_modules\firebase-admin\lib\auth\token-generator.js:205
            throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, errorMessage);
            ^

FirebaseAuthError: `developerClaims` argument must be a valid, non-null object containing the developer claims.
    at FirebaseAuthError.FirebaseError [as constructor] (C:\WSs\FireStoreDemos\firestore-custom-token\node_modules\[4mfirebase-admin[24m\lib\utils\error.js:42:28)
    at FirebaseAuthError.PrefixedFirebaseError [as constructor] (C:\WSs\FireStoreDemos\firestore-custom-token\node_modules\[4mfirebase-admin[24m\lib\utils\error.js:88:28)
    at new FirebaseAuthError (C:\WSs\FireStoreDemos\firestore-custom-token\node_modules\[4mfirebase-admin[24m\lib\utils\error.js:147:16)
    at FirebaseTokenGenerator.createCustomToken (C:\WSs\FireStoreDemos\firestore-custom-token\node_modules\[4mfirebase-admin[24m\lib\auth\token-generator.js:205:19)
    at Auth.BaseAuth.createCustomToken (C:\WSs\FireStoreDemos\firestore-custom-token\node_modules\[4mfirebase-admin[24m\lib\auth\auth.js:94:36)
    at Object.<anonymous> (C:\WSs\FireStoreDemos\firestore-custom-token\server.js:12:14)
[90m    at Module._compile (internal/modules/cjs/loader.js:1147:30)[39m
[90m    at Object.Module._extensions..js (internal/modules/cjs/loader.js:1167:10)[39m
[90m    at Module.load (internal/modules/cjs/loader.js:996:32)[39m
[90m    at Function.Module._load (internal/modules/cjs/loader.js:896:14)[39m {
  errorInfo: {
    code: [32m'auth/argument-error'[39m,
    message: [32m'`developerClaims` argument must be a valid, non-null object containing the developer claims.'[39m
  },
  codePrefix: [32m'auth'[39m
}

So, my main question is: what I am missing to create a Custom Token with curl above? Since is a Custom Token, at least for a Hello World, I can use a very simple Token like "123456", right?

A secondary question, in above server.js, am I providing the right file expected in admin.credential.cert?

Answer 1

From my understating of Firebase Custom Token Auth, you cannot send a plain unencrypted token like that. In order for that to work, you would have to generate the token based on a uid, which could be the 123456 by using the same code you were already have:

const customToken = await admin.auth().createCustomToken("123456")

Then use that customToken to make the test request of the curl command.

To your secondary question, the injection of the service account on the admin.credential.cert() command is correct and if you compare the actual .json file to the sample provided on the official Cloud IAM Documentation, everything seems correct.

The only thing that could cause issues is if your private_key, private_key_id or any other of the fields that need to be replaced are wrong, but that would be something that only you can check.

Hope this helps you.