InvalidIdTokenError due to line break in "aud". Looks like a bug #487

Closed
NixBiks opened this issue Sep 1, 2020 · 7 comments

NixBiks commented Sep 1, 2020

Describe your environment

  • Operating System version: python:3.8-slim (docker image) running in minikube
  • Firebase SDK version:
  • Library version: 4.3.0
  • Firebase Product: auth

Describe the problem

I have deployed a FastAPI application in minikube which exposes an endpoint that uses auth.verify_id_token. When I run that I get the following error

firebase_admin._auth_utils.InvalidIdTokenError: Firebase ID token has incorrect "aud" (audience) claim. Expected "
dev-plx
" but got "dev-plx". Make sure the ID token comes from the same Firebase project as the service account used to authenticate this SDK. See https://firebase.google.com/docs/auth/admin/verify-id-tokens for details on how to retrieve ID token.


It looks like there is an issue with \n / line breaks.

Steps to reproduce:

I'm using minikube addons enable gcp-auth to authenticate my pod. I'm afraid it's quite complicated to create a small reproducible example, but maybe someone can identify the issue just from this?

NixBiks changed the title on Sep 1, 2020
from: firebase_admin._auth_utils.InvalidIdTokenError: Firebase ID token has incorrect "aud" (audience) claim. Expected "dev-plx [python-backend-65d745448d-nrzfj backend] " but got "dev-plx". Make sure the ID token comes from the same Firebase project as the service account used to authenticate this SDK.
to: InvalidIdTokenError due to line bread in "aud". Looks like a bug

NixBiks changed the title on Sep 1, 2020
from: InvalidIdTokenError due to line bread in "aud". Looks like a bug
to: InvalidIdTokenError due to line break in "aud". Looks like a bug

NixBiks (Author) commented Sep 1, 2020

It turns out that having

from firebase_admin import credentials, initialize_app

cert = credentials.Certificate("/google-app-creds.json")
firebase = initialize_app(cert)

instead of

firebase = initialize_app()

fixes the issue. It still seems like a bug to me.

hiranya911 (Contributor) commented Sep 1, 2020

Check the project_id field in the service account. It seems to contain some invalid character or extra spaces.

Edit: I misread. The project ID in the service account is correct. But the project ID auto-discovered in the pod contains some invalid character or spaces. How is the project ID discovered in your pod? Does it have the Google metadata server or is it via an environment variable like GOOGLE_CLOUD_PROJECT?

NixBiks (Author) commented Sep 1, 2020

I'm not sure actually. I just did gcloud auth login and then I used minikube addons enable gcp-auth so the pods run with my end user credentials (I assume).

hiranya911 (Contributor) commented

I'm not familiar with the minikube addon. You can run the following snippet to see the project ID discovered by the SDK.

import firebase_admin

app = firebase_admin.initialize_app()
print('"{0}"'.format(app.project_id))

Can you share the output of the above?

If the above output indeed contains any special characters, then you will need to dig a bit deeper into the minikube addon and see how it exposes the project ID to the SDK.

NixBiks (Author) commented Sep 2, 2020

Indeed that is the issue

> print(f"Project ID: {repr(app.project_id)}")
Project ID: 'dev-plx\n'

You suspect the minikube addon to be the sinner here?

hiranya911 (Contributor) commented

That would be my guess. Or it's an issue in the https://github.com/googleapis/google-auth-library-python library, although I doubt it. To be certain can you also try running the following command in a shell and see what the output looks like?

gcloud config config-helper --format json

Also check whether either the GOOGLE_CLOUD_PROJECT or GCLOUD_PROJECT environment variable is set in your pod by any chance.

NixBiks (Author) commented Sep 3, 2020

It seems that the issue has been fixed in PR in the minikube repo.

NixBiks closed this as completed Sep 3, 2020
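
Added example (not part of the thread and not firebase-admin code): a startup check that rejects a project ID carrying stray whitespace, such as the 'dev-plx\n' value reported above, before it reaches the "aud" comparison. The project ID pattern, the helper names and the simplified audience comparison are assumptions made for illustration; the sample values are constructed from the thread.

```python
import os
import re

# Assumption: Google Cloud's documented project ID format (6-30 characters,
# lowercase letters, digits and hyphens, starting with a letter, no trailing hyphen).
PROJECT_ID_PATTERN = r"[a-z][a-z0-9-]{4,28}[a-z0-9]"
ENV_VARS = ("GOOGLE_CLOUD_PROJECT", "GCLOUD_PROJECT")  # the variables named in the thread


def naive_is_valid(value):
    """Looks strict but is not: in Python '$' also matches just before a
    trailing newline, so 'dev-plx\\n' is accepted."""
    return re.match("^" + PROJECT_ID_PATTERN + "$", value) is not None


def validate_project_id(value, source="unknown"):
    """Return value unchanged if it is a clean project ID, else raise ValueError."""
    if not isinstance(value, str) or re.fullmatch(PROJECT_ID_PATTERN, value) is None:
        # repr() makes stray whitespace visible instead of breaking the message in two.
        raise ValueError(f"project ID from {source} is malformed: {value!r}")
    return value


def project_id_from_env(environ=None):
    """Hypothetical helper: first project ID set in ENV_VARS, validated; None if unset."""
    environ = os.environ if environ is None else environ
    for name in ENV_VARS:
        if name in environ:
            return validate_project_id(environ[name], source=name)
    return None


def audience_matches(claims, project_id):
    """Simplified stand-in for the SDK's check: exact comparison of 'aud'."""
    return claims.get("aud") == project_id


if __name__ == "__main__":
    claims = {"aud": "dev-plx"}   # constructed token claims
    discovered = "dev-plx\n"      # value reported in the thread
    print(audience_matches(claims, discovered))
    print(naive_is_valid(discovered))
    try:
        validate_project_id(discovered, source="auto-discovery")
    except ValueError as exc:
        print(exc)
```

With the SDK, the same check can be applied to app.project_id right after initialize_app(), so a malformed value fails at startup rather than on the first auth.verify_id_token call.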