[FR] add support for reusing firebase-tools credentials

[proppy]

firebase-admin already lookup gcloud application default credentials out of the box:

firebase-admin-node/src/auth/credential.ts

Line 45 in 1a7f722

const GCLOUD_CREDENTIAL_SUFFIX = 'gcloud/application_default_credentials.json';

which is great!

It would awesome if it could also look up firebase-tools credentials in a similar fashion, so that:

const admin = require('firebase-admin');

admin.initializeApp({
  credential: admin.credential.applicationDefault()
});

could just work for `firebase-tools users without requiring the user to install gcloud or download service account key to their development environment.

Note you can workaround this today by doing:

const admin = require('firebase-admin');

admin.initializeApp({
  credential: admin.credential.refreshToken({type: 'authorized_user', refresh_token: (new (require('configstore'))('firebase-tools')).get('tokens.refresh_token'), client_id: require('firebase-tools/lib/api').clientId, client_secret: require('firebase-tools/lib/api').clientSecret})
});

But it seems quite fragile if firebase-tools ever decide to change the location of the refresh token / client id / secret.

[google-oss-bot]

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

[hiranya911]

I don't see a ton of usage since this will only help developers running the SDK locally. If we make the existing applicationDefault() support the CLI credentials we would be deviating from the standard ADC protocol which is somewhat risky. That change is also not portable to other languages like Java and Python since their implementations of applicationDefault() are provided by the respective GCP libraries.

In any case, I was under the impression that the Firebase CLI uses the same credentials as the gcloud SDK. Is that not the case?

@ryanpbrewster what do you think?

[proppy]

we would be deviating from the standard ADC protocol which is somewhat risky

@hiranya911 another option could be to have firebase-tools store its credentials in the ADC format (i.e: same as gcloud),

That would have the benefit to stick to the standard and works out of the box with GOOGLE_APPLICATION_CREDENTIALS env var.

[hiranya911]

@samtstern wdyt? Does it make sense to change either the SDK or the CLI to support a common credentials format?

[samtstern]

We have already formalized the hack @proppy suggested for use inside the Functions emulator:
https://github.com/firebase/firebase-tools/blob/master/src/defaultCredentials.ts#L63

We set GOOGLE_APPLICATION_CREDENTIALS to a temporary file that we construct based on the CLI's credentials. I don't have a problem with making this hack more formal but here are some things to think about:

1. The firebase login credentials are End User Credentials (EUC) which Cloud is trying to move away from. They don't work for certain APIs, most notably Firebase Auth rejects them. So they're not always appropriate for the Admin SDK. This is no different from gcloud auth application-default login but we'd just be late to a party that's almost over :-)
2. Some people may find this behavior surprising if their firebase login credentials are old or irrelevant and their Admin SDK suddenly starts using them.
3. I think we could maybe find a middle ground by making some command like firebase login:export-credentials which writes a temporary file in the right format (like the code I linked) and then returns a path, so that you could do GOOGLE_APPLICATION_CREDENTIALS=$(firebase login:export-credentials) if you want to explicitly use Firebase creds.

[hiranya911]

Closing since I don't see any action items for this repo. There may be some possible ideas for improvements in firebase-tools, but that should be reported and addressed separately in the correct GitHub repo.