Firebase Auth ID token has incorrect "aud" claim

Faustus picture Faustus · Jul 12, 2016 · Viewed 7.7k times · Source

I'm trying to verify an idToken backend. The user has successfully logged in to firebase client side but when I try to verify the idToken on my backend I get this not very helpful error message

Firebase Auth ID token has incorrect "aud" claim

The error message seems to have become a little more informative, and boils down to not having the project name in the auth key:

Error: Firebase ID token has incorrect "aud" (audience) claim. Expected "stripmall-0000" but got "617699194096-0aafcvsml0gke61d6077kkark051f3e1.apps.googleusercontent.com". Make sure the ID token comes from the same Firebase project as the service account used to authenticate this SDK. See https://firebase.google.com/docs/auth/server/verify-id-tokens for details on how to retrieve an ID token.

Anyone with the slightest idea what could be wrong? I receive the tokenId correctly from the client so that shouldn't be a problem. Sincere appologies if this has been asked before or is trivial in any other way.

  firebase.initializeApp({
        serviceAccount: {
            "type": "service_account",
            "project_id": <project id here>,
            "private_key_id": <key id goes here>,
            "private_key": <key goes here>
            "client_email": <email goes here>,
            "client_id": <my client id>,
            "auth_uri": "https://accounts.google.com/o/oauth2/auth",
            "token_uri": "https://accounts.google.com/o/oauth2/token",
            "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
            "client_x509_cert_url": <url goes here>
        },
        databaseURL: <my db url here>
    });

    router.post("/verify", function (req, res) {
        firebase.auth().verifyIdToken(req.body.idToken).then(function (decodedToken) {
            var uid = decodedToken.sub;
            res.send(uid);
        }).catch(function (error, param2) {
            console.log(error);  // 'Firebase Auth ID token has incorrect "aud" claim'
        });

    });

Answer

Robert Moskal picture Robert Moskal · Aug 28, 2016

Your problem may be that you are trying to use the JWT token returned by one of the auth() functions like firebaseRef.auth().signInWithPopup(). These do return a JWT token, however the auth claims will likely be wrong and won't pass verification by verifyIdToken. Firebase tech support confirmed this.

You have to use the firebaseRef.auth().currentUser.getToken() function. That token will pass verification.