Support for creating custom tokens without service account credentials

[hiranya911]

Currently the SDK must be initialized with service account credentials in order to be able to call FirebaseAuth.createCustomToken(). With this PR, the SDK will attempt to sign custom tokens by calling the IAM service in the cloud when the service account credentials are not provided.

// Following will work in GCP managed runtimes where the Metadata service is present
admin.initializeApp();
admin.auth().createCustomToken(uid).then(...);

// Following will work anywhere
FirebaseApp.initializeApp({
  // need to only specify the service account email here...
  serviceAccountId: 'test-service-account@project-id.iam.gserviceaccount.com',
});
admin.auth().createCustomToken(uid).then(...);

As a part of this implementation I'm also refactoring the existing FirebaseTokenGenerator abstraction by removing all the token verification logic out of it.

go/firebase-admin-sign
go/firebase-admin-iam-sign

[hiranya911]

Resolves #224

[bojeil-google]

Rename newSessionCookieVerifier and newIdTokenVerifier to createSessionCookieVerifier and createIdTokenVerifier.

[hiranya911]

Done

[bojeil-google]

Add javadoc descriptions to all function declarations.

[hiranya911]

Done

[bojeil-google]

Promise<Buffer>

[hiranya911]

Done

[bojeil-google]

getAccountId()

[hiranya911]

Done

[bojeil-google]

 * @param {string} projectId Project ID string.
 * @return {FirebaseTokenVerifier}

[hiranya911]

Done

[bojeil-google]

same here. these tests should not depend on Auth.

[hiranya911]

These tests basically check the verifyIdToken() and verifySessionCookie() methods on Auth. They are better off in auth.spec.

[bojeil-google]

'explicit service account id'

[hiranya911]

Done

[bojeil-google]

first encoding argument of toString() and the second argument of Buffer.from is `base64' making this confusing. Change to 'base64string' or something different.

[hiranya911]

Changed to input

[bojeil-google]

Same here on 'base64' first argument.

[hiranya911]

Done

[bojeil-google]

Add a test when getAccount() rejects with an error and confirm expected error.

[hiranya911]

Done

[hiranya911]

I'm posting a decoded custom token generated against the master branch and this branch for comparison. Notice that other than the order of some claims (which has no significance in JSON and JWT), nothing has changed. During the last code review round I noticed that the typ header was missing which I have now added (interestingly, Firebase Auth did not fail on that).

Tokens decoded via https://jwt.io/

JWT Header

Before:

{
  "alg": "RS256",
  "typ": "JWT"
}

After:

{
  "alg": "RS256",
  "typ": "JWT"
}

JWT Body

Before:

{
  "claims": {
    "isAdmin": true
  },
  "uid": "testuser",
  "iat": 1530216676,
  "exp": 1530220276,
  "aud": "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit",
  "iss": "*******@*******.iam.gserviceaccount.com",
  "sub": "*******@*******.iam.gserviceaccount.com"
}

After:

{
  "aud": "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit",
  "iat": 1530216493,
  "exp": 1530220093,
  "iss": "*******@*******.iam.gserviceaccount.com",
  "sub": "*******@*******.iam.gserviceaccount.com",
  "uid": "testuser",
  "claims": {
    "isAdmin": true
  }
}

[hiranya911]

Resolves #224

[bojeil-google]

Thanks for making the changes. I would have preferred keeping the dependency on jsonwebtoken for minting custom tokens with service accounts but since this is undergoing a launchcal review, I leave the final say to reviewers.