firebase-admin-node

createSessionCookie error with 403 code

Open epfisztner opened this issue 2 years ago • 4 comments

  • Firebase SDK version: 10.1.0
  • Firebase SDK version: 11.10.1
  • Firebase Product: auth (auth, database, storage, etc)
  • Node.js version: 18.12.1
  • NPM version: 8.19.2

Our server got this error on calling the firebase-admin-sdk -> createSessionCookie with any valid token:

Your client does not have permission to get URL /v1/projects/ims-prod-c9c68:createSessionCookie from this server. That’s all we know.\n". Status code: "403". Outgoing request: "POST https://identitytoolkit.googleapis.com/v1/projects/ims-prod-c9c68:createSessionCookie.\

The strange thing is that it works on local but has not been working on the dev or prod environments since ~4-5am CST.

const expiresIn = 60 * 60 * 24 * 12 * 1000; //expiry must be between 5 min and 2 weeks for firebase!
const cookie = await getAuth(firebaseApp).createSessionCookie(req.headers.authorization.replace("Bearer ", ""), { expiresIn: expiresIn });

epfisztner, Aug 10 '23 13:08

I dived into it a little more. The problem comes from the public cert file fetching.

We're using Docker containers for the server. I've tested if the host can access the cert files through: curl -v https://www.googleapis.com/robot/v1/metadata/x509/.........gserviceaccount.com

And the answer is yes, but the Docker containers are all getting the same Google error page with HTTP 403 for the same curl command. Is it possible that Google started to block the request from our Docker container but not the host server?

epfisztner, Aug 11 '23 09:08

Are you using the node18:16 image? Might be related to this https://github.com/firebase/firebase-admin-node/issues/2234

lahirumaramba, Aug 22 '23 19:08

Same issue for me. I'm on node v21.1.0. Weird thing is it works for my colleague. We both have done gcloud auth application-default login. I'm getting this error

{
  "error": {
    "code": 403,
    "message": "Your application is authenticating by using local Application Default Credentials. The identitytoolkit.googleapis.com API requires a quota project, which is not set by default. To learn how to set your quota project, see https://cloud.google.com/docs/authentication/adc-troubleshooting/user-creds .",
    "errors": [
      {
        "message": "Your application is authenticating by using local Application Default Credentials. The identitytoolkit.googleapis.com API requires a quota project, which is not set by default. To learn how to set your quota project, see https://cloud.google.com/docs/authentication/adc-troubleshooting/user-creds .",
        "domain": "usageLimits",
        "reason": "accessNotConfigured",
        "extendedHelp": "https://console.developers.google.com"
      }
    ],
    "status": "PERMISSION_DENIED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "SERVICE_DISABLED",
        "domain": "googleapis.com",
        "metadata": {
          "service": "identitytoolkit.googleapis.com",
          "consumer": "projects/764086051850"
        }
      }
    ]
  }
}

I don't recognise any project with this number 764086051850 either. Very odd.

I've already set a quota project too, i.e. gcloud auth application-default set-quota-project <project>

NixBiks, Oct 31 '23 20:10

Ahh so I was missing the --client-id-file when logging into my ADC locally. See here for more details.

NixBiks, Nov 01 '23 07:11

I am closing this as it looks like the issue was resolved.

We also added the quota project headers in the v12.2.0 release

lahirumaramba, Jun 20 '24 20:06
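
The two 403 responses quoted in this thread have different shapes: a plain Google front-end error page in the first report, and a structured API error whose ErrorInfo names a consumer project in the later one. The following is an added example, not code from the thread or from firebase-admin, that tells them apart when triaging a failed `createSessionCookie` call. `classify403`, its return fields and the expected project number are assumptions made for illustration, and the sample bodies are constructed from the messages quoted above.

```javascript
// Added example: triage helper for the two 403 shapes quoted in this thread.
// classify403 and its return fields are hypothetical, not firebase-admin API.
function classify403(body, expectedProjectNumber) {
  let parsed = null;
  try {
    parsed = JSON.parse(body);
  } catch {
    parsed = null; // not JSON: probably an HTML or plain-text error page
  }
  // Shape 1: non-JSON Google front-end page, as in the first report.
  if (!parsed || typeof parsed !== "object" || !parsed.error) {
    const frontEnd = /Your client does not have permission to get URL/.test(body);
    return {
      kind: frontEnd ? "frontend-block" : "unknown",
      hint: frontEnd
        ? "Rejected before the API: compare the same request from host and container."
        : "Unrecognised body: log it in full.",
    };
  }
  // Shape 2: structured API error; the ErrorInfo detail names the consumer project.
  const details = Array.isArray(parsed.error.details) ? parsed.error.details : [];
  const info = details.find(
    (d) => d && d["@type"] === "type.googleapis.com/google.rpc.ErrorInfo"
  );
  const consumer = info && info.metadata ? String(info.metadata.consumer || "") : "";
  const number = consumer.replace(/^projects\//, "");
  const foreign = number !== "" && number !== String(expectedProjectNumber);
  return {
    kind: foreign ? "foreign-consumer-project" : "api-permission-denied",
    reason: info ? info.reason : null,
    consumer: number || null,
    hint: foreign
      ? "Call is attributed to a project that is not yours: check which OAuth client the ADC login used."
      : "Refused for your own project: check that the service is enabled and the caller's IAM roles.",
  };
}

// Constructed samples, trimmed from the messages quoted in the thread.
const htmlSample =
  "Your client does not have permission to get URL /v1/projects/example-project:createSessionCookie from this server.";
const jsonSample = JSON.stringify({
  error: { code: 403, status: "PERMISSION_DENIED", details: [{
    "@type": "type.googleapis.com/google.rpc.ErrorInfo",
    reason: "SERVICE_DISABLED",
    metadata: { service: "identitytoolkit.googleapis.com", consumer: "projects/764086051850" },
  }] },
});
console.log(classify403(htmlSample, "123456789012").kind);
console.log(classify403(jsonSample, "123456789012").kind);
```
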