Firebase requires reauth for Google Workspace Accounts #6898

Open
RafaelZasas opened this issue Mar 21, 2024 · 5 comments
RafaelZasas commented Mar 21, 2024

[REQUIRED] Environment info

firebase-tools: v13.5.2

Platform: Ubuntu 23.10

[REQUIRED] Test case

Log in to firebase-tools with a Workspace account, wait for the OAuth refresh token to expire (seems like it only takes an hour), and try to use any firebase-tools command.

[REQUIRED] Steps to reproduce

  1. Sign in to firebase-tools with a Google Workspace account.
  2. Use firebase-tools as normal.
  3. Wait a couple of hours; firebase-tools breaks:
     FirebaseCommandException: An error occured on the Firebase CLI when attempting to run a command.

From the log:

```
[debug] [2024-03-21T09:54:19.248Z] > command requires scopes: ["email","openid","https://www.googleapis.com/auth/cloudplatformprojects.readonly","https://www.googleapis.com/auth/firebase","https://www.googleapis.com/auth/cloud-platform"]
[debug] [2024-03-21T09:54:19.248Z] > authorizing via signed-in user (admin@<my_domain>)
[debug] [2024-03-21T09:54:19.251Z] > refreshing access token with scopes: []
[debug] [2024-03-21T09:54:19.251Z] >>> [apiv2][query] POST https://www.googleapis.com/oauth2/v3/token [none]
[debug] [2024-03-21T09:54:19.252Z] >>> [apiv2][body] POST https://www.googleapis.com/oauth2/v3/token [omitted]
[debug] [2024-03-21T09:54:19.706Z] <<< [apiv2][status] POST https://www.googleapis.com/oauth2/v3/token 400
[debug] [2024-03-21T09:54:19.706Z] <<< [apiv2][body] POST https://www.googleapis.com/oauth2/v3/token [omitted]
[debug] [2024-03-21T09:54:19.706Z] Authentication Error: Your credentials are no longer valid. Please run firebase login --reauth

For CI servers and headless environments, generate a new token with firebase login:ci
[debug] [2024-03-21T09:54:20.110Z] FirebaseError: Authentication Error: Your credentials are no longer valid. Please run firebase login --reauth
```

Running firebase login yields:

Already logged in as admin@<my_domain>

[REQUIRED] Expected behavior

Since this issue is not present with my personal account, I assume there are some settings set by Google Admin Console. I have checked the Google Cloud session control and the App Access Control and there is no way to mark firebase cli as a trusted application, or extend the validation time for the OAuth token.

I expect to be able to log in once, and have a valid refresh token for at least the same length of time as my other Google services, but would ideally not have to log in again since I do not have to with my personal account.

[REQUIRED] Actual behavior

In order to get firebase-tools working again, I have to run firebase login --reauth, which on the surface doesn't seem like a big deal, but it gets annoying to do every single day, and sometimes even after a short lunch break too.

```
11:56:48 ❯ firebase projects:list --debug
[2024-03-21T10:01:51.933Z] Field ".functions" in "firebase.json" is possibly invalid: should be object
[2024-03-21T10:01:51.934Z] Field ".functions[0].runtime" in "firebase.json" is possibly invalid: should be equal to one of the allowed values
[2024-03-21T10:01:51.934Z] Field ".functions" in "firebase.json" is possibly invalid: should match some schema in anyOf
[2024-03-21T10:01:51.935Z] > command requires scopes: ["email","openid","https://www.googleapis.com/auth/cloudplatformprojects.readonly","https://www.googleapis.com/auth/firebase","https://www.googleapis.com/auth/cloud-platform"]
[2024-03-21T10:01:51.935Z] > authorizing via signed-in user (admin@<my_domain>)
⠋ Preparing the list of your Firebase projects[2024-03-21T10:01:51.937Z] > refreshing access token with scopes: []
[2024-03-21T10:01:51.938Z] >>> [apiv2][query] POST https://www.googleapis.com/oauth2/v3/token [none]
[2024-03-21T10:01:51.938Z] >>> [apiv2][body] POST https://www.googleapis.com/oauth2/v3/token [omitted]
⠧ Preparing the list of your Firebase projects[2024-03-21T10:01:52.516Z] <<< [apiv2][status] POST https://www.googleapis.com/oauth2/v3/token 400
[2024-03-21T10:01:52.516Z] <<< [apiv2][body] POST https://www.googleapis.com/oauth2/v3/token [omitted]
[2024-03-21T10:01:52.516Z] Authentication Error: Your credentials are no longer valid. Please run firebase login --reauth

For CI servers and headless environments, generate a new token with firebase login:ci
✖ Preparing the list of your Firebase projects
[2024-03-21T10:01:52.920Z] FirebaseError: Authentication Error: Your credentials are no longer valid. Please run firebase login --reauth

For CI servers and headless environments, generate a new token with firebase login:ci
    at invalidCredentialError (/home/rafael/.nvm/versions/node/v18.19.0/lib/node_modules/firebase-tools/lib/auth.js:142:12)
    at refreshTokens (/home/rafael/.nvm/versions/node/v18.19.0/lib/node_modules/firebase-tools/lib/auth.js:515:15)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Client.getAccessToken (/home/rafael/.nvm/versions/node/v18.19.0/lib/node_modules/firebase-tools/lib/apiv2.js:161:22)
    at async Client.addAuthHeader (/home/rafael/.nvm/versions/node/v18.19.0/lib/node_modules/firebase-tools/lib/apiv2.js:152:21)
    at async Client.request (/home/rafael/.nvm/versions/node/v18.19.0/lib/node_modules/firebase-tools/lib/apiv2.js:105:34)
    at async getProjectPage (/home/rafael/.nvm/versions/node/v18.19.0/lib/node_modules/firebase-tools/lib/management/projects.js:238:17)
    at async getFirebaseProjectPage (/home/rafael/.nvm/versions/node/v18.19.0/lib/node_modules/firebase-tools/lib/management/projects.js:255:23)
    at async listFirebaseProjects (/home/rafael/.nvm/versions/node/v18.19.0/lib/node_modules/firebase-tools/lib/management/projects.js:286:29)
    at async Command.actionFn (/home/rafael/.nvm/versions/node/v18.19.0/lib/node_modules/firebase-tools/lib/commands/projects-list.js:51:20)

Error: Failed to list Firebase projects. See firebase-debug.log for more info.
```

Also note, the log says that there is an issue with the runtime property in the functions object of firebase.json.
I know that this property is in the docs, and it is the only way to get Firebase functions with Python to run locally in emulators: since I do not have Python 3.12 installed on my system, I have to specify a runtime of python311. That's another issue entirely, though.
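
To confirm from `--debug` output that the failure is the token refresh itself being rejected, the request and response lines can be correlated as below. This is an added example, not firebase-tools code; `findRefreshFailures` and `SAMPLE_LOG` (constructed from the lines quoted above) are assumptions. The log omits the response body, so only the HTTP status can be reported.

```javascript
// Added example: triage firebase-tools --debug output for a rejected token refresh.
// SAMPLE_LOG is constructed from the log lines quoted in the report above.
const SAMPLE_LOG = `
[debug] [2024-03-21T09:54:19.248Z] > authorizing via signed-in user (admin@<my_domain>)
[debug] [2024-03-21T09:54:19.251Z] > refreshing access token with scopes: []
[debug] [2024-03-21T09:54:19.251Z] >>> [apiv2][query] POST https://www.googleapis.com/oauth2/v3/token [none]
[debug] [2024-03-21T09:54:19.706Z] <<< [apiv2][status] POST https://www.googleapis.com/oauth2/v3/token 400
[debug] [2024-03-21T09:54:19.706Z] Authentication Error: Your credentials are no longer valid. Please run firebase login --reauth
`;

const TOKEN_URL = "https://www.googleapis.com/oauth2/v3/token";
// The timestamp may follow "[debug] " (log file) or a spinner frame (terminal).
const LINE_RE = /\[(\d{4}-\d{2}-\d{2}T[\d:.]+Z)\]\s*(.*)$/;

function findRefreshFailures(logText) {
  const failures = [];
  let user = null;      // last "authorizing via signed-in user" seen
  let refreshAt = null; // timestamp of the refresh attempt still awaiting a status
  for (const raw of logText.split("\n")) {
    const m = LINE_RE.exec(raw);
    if (!m) continue; // continuation lines and stack frames carry no timestamp
    const [, ts, msg] = m;
    const who = /authorizing via signed-in user \((.+)\)/.exec(msg);
    if (who) { user = who[1]; continue; }
    if (msg.includes("refreshing access token")) { refreshAt = ts; continue; }
    const status = /<<< \[apiv2\]\[status\] POST (\S+) (\d{3})/.exec(msg);
    if (status && status[1] === TOKEN_URL && refreshAt) {
      const code = Number(status[2]);
      if (code >= 400) {
        failures.push({
          user, refreshAt, rejectedAt: ts, status: code,
          latencyMs: Date.parse(ts) - Date.parse(refreshAt),
        });
      }
      refreshAt = null; // this refresh attempt is resolved either way
    }
  }
  return failures;
}

console.log(findRefreshFailures(SAMPLE_LOG));
```

A hit here means the stored refresh token was refused at the token endpoint, which separates this case from scope or API-permission errors that surface on later requests.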

@google-oss-bot

This issue does not have all the information required by the template. Looks like you forgot to fill out some sections. Please update the issue with more information.


joehan commented Mar 26, 2024

Hey @RafaelZasas - thanks for reporting this! I see two improvements we could make here:
1 - We should throw a clearer error when using expired credentials that prompts you to run the reauth command.
2 - We should offer firebase CLI as a trusted app in Google Admin Console.

1 I'll take a crack at when I have some free time soon. 2 will likely be longer, since we'll need to escalate to Google Workspaces team.

joehan self-assigned this Mar 26, 2024

cmjordan42 commented May 6, 2024

Yeah, this is pretty bad that Google and Google don't work together. Signing in with my Google Workspaces account also seems to have bound me to now ALWAYS login with an account under that Google Workspaces @my.domain - certainly not something I asked it to do - so it prevents me from logging in to one of my Firebase admin non-Workspace accounts in order to work around this bug.

I can't imagine it's that foreign for Firebase developers to also use Google Workspaces... I assumed that I hadn't configured something on Workspaces properly and it was being overly restrictive until I found this issue reported.

Please escalate this to Google Workspaces if you haven't already.


joehan commented May 7, 2024

Hey @cmjordan42 - could you expand a bit on:

> Signing in with my Google Workspaces account also seems to have bound me to now ALWAYS login with an account under that Google Workspaces @my.domain - certainly not something I asked it to do - so it prevents me from logging in to one of my Firebase admin non-Workspace accounts in order to work around this bug.

What does this actually look like for you? When you run 'firebase login', are you not able to login with @gmail.com accounts? Do you see a different login screen?


cmjordan42 commented May 7, 2024

Sure.

  1. firebase login --reauth gives a URL to accounts.google.com oauth
  2. The sign in page displays a prompt on the left side Choose an account from myworkspacedomain.com, despite it launching in Chrome that has a) multiple accounts authenticated with Google accounts; b) a Gmail account logged in to Chrome (not the account or domain in question)
  3. The right side has only me@myworkspacedomain.com as a user selection option, with Use another account below it.
  4. Attempting to Use another account yields a sign in page where it's prompting for me to enter my email but with a forced (immutable) @myworkspacedomain.com domain to the email
