firebase · moander · Feb 26, 2020 · Feb 27, 2020 · Feb 27, 2020 · Feb 27, 2020
diff --git a/FirebaseAdmin/FirebaseAdmin.Tests/Auth/FirebaseTokenFactoryTest.cs b/FirebaseAdmin/FirebaseAdmin.Tests/Auth/FirebaseTokenFactoryTest.cs
@@ -36,7 +36,16 @@ public async Task CreateCustomToken()
             var clock = new MockClock();
             var factory = new FirebaseTokenFactory(new MockSigner(), clock);
             var token = await factory.CreateCustomTokenAsync("user1");
-            VerifyCustomToken(token, "user1", null);
+            VerifyCustomToken(token, "user1", null, null);
+        }
+
+        [Fact]
+        public async Task CreateCustomTenantToken()
+        {
+            var clock = new MockClock();
+            var factory = new FirebaseTokenFactory(new MockSigner(), clock, "test-01abc");
+            var token = await factory.CreateCustomTokenAsync("user1");
+            VerifyCustomToken(token, "user1", null, "test-01abc");
         }
 
         [Fact]
@@ -46,7 +55,7 @@ public async Task CreateCustomTokenWithEmptyClaims()
             var factory = new FirebaseTokenFactory(new MockSigner(), clock);
             var token = await factory.CreateCustomTokenAsync(
                 "user1", new Dictionary<string, object>());
-            VerifyCustomToken(token, "user1", null);
+            VerifyCustomToken(token, "user1", null, null);
         }
 
         [Fact]
@@ -61,7 +70,7 @@ public async Task CreateCustomTokenWithClaims()
                 { "magicNumber", 42L },
             };
             var token = await factory.CreateCustomTokenAsync("user2", developerClaims);
-            VerifyCustomToken(token, "user2", developerClaims);
+            VerifyCustomToken(token, "user2", developerClaims, null);
         }
 
         [Fact]
@@ -92,7 +101,7 @@ await Assert.ThrowsAsync<ArgumentException>(
         }
 
         private static void VerifyCustomToken(
-            string token, string uid, Dictionary<string, object> claims)
+            string token, string uid, Dictionary<string, object> claims, string tenantId)
         {
             string[] segments = token.Split(".");
             Assert.Equal(3, segments.Length);
@@ -108,6 +117,7 @@ private static void VerifyCustomToken(
             Assert.Equal(MockSigner.KeyIdString, payload.Subject);
             Assert.Equal(uid, payload.Uid);
             Assert.Equal(FirebaseTokenFactory.FirebaseAudience, payload.Audience);
+            Assert.Equal(tenantId, payload.TenantId);
             if (claims == null)
             {
                 Assert.Null(payload.Claims);

diff --git a/FirebaseAdmin/FirebaseAdmin.Tests/Auth/FirebaseTokenVerifierTest.cs b/FirebaseAdmin/FirebaseAdmin.Tests/Auth/FirebaseTokenVerifierTest.cs
@@ -40,15 +40,28 @@ public class FirebaseTokenVerifierTest : IDisposable
 
         private static readonly FirebaseTokenVerifier TokenVerifier = new FirebaseTokenVerifier(
             new FirebaseTokenVerifierArgs()
-        {
-            ProjectId = "test-project",
-            ShortName = "ID token",
-            Operation = "VerifyIdTokenAsync()",
-            Url = "https://firebase.google.com/docs/auth/admin/verify-id-tokens",
-            Issuer = "https://securetoken.google.com/",
-            Clock = Clock,
-            PublicKeySource = KeySource,
-        });
+            {
+                ProjectId = "test-project",
+                ShortName = "ID token",
+                Operation = "VerifyIdTokenAsync()",
+                Url = "https://firebase.google.com/docs/auth/admin/verify-id-tokens",
+                Issuer = "https://securetoken.google.com/",
+                Clock = Clock,
+                PublicKeySource = KeySource,
+            });
+
+        private static readonly FirebaseTokenVerifier TenantTokenVerifier = new FirebaseTokenVerifier(
+            new FirebaseTokenVerifierArgs()
+            {
+                ProjectId = "test-project",
+                ShortName = "ID token",
+                Operation = "VerifyIdTokenAsync()",
+                Url = "https://firebase.google.com/docs/auth/admin/verify-id-tokens",
+                Issuer = "https://securetoken.google.com/",
+                Clock = Clock,
+                PublicKeySource = KeySource,
+                TenantId = "test-01abc",
+            });
 
         private static readonly GoogleCredential MockCredential =
             GoogleCredential.FromAccessToken("test-token");
@@ -76,6 +89,31 @@ public async Task ValidToken()
             Assert.Equal("bar", value);
         }
 
+        [Fact]
+        public async Task ValidTenantToken()
+        {
+            var payload = new Dictionary<string, object>()
+            {
+                { "firebase", new { tenant = "test-01abc" } },
+            };
+            var idToken = await CreateTestTokenAsync(payloadOverrides: payload);
+            var decoded = await TenantTokenVerifier.VerifyTokenAsync(idToken);
+            Assert.Equal("test-01abc", ((Newtonsoft.Json.Linq.JObject)decoded.Claims["firebase"]).GetValue("tenant").ToString());
+        }
+
+        [Fact]
+        public async Task InvalidTenantToken()
+        {
+            var idToken = await CreateTestTokenAsync(payloadOverrides: new Dictionary<string, object>()
+            {
+                { "firebase", new { tenant = "test-01abc" } },
+            });
+            await Assert.ThrowsAsync<FirebaseAuthException>(async () => await TokenVerifier.VerifyTokenAsync(idToken));
+
+            idToken = await CreateTestTokenAsync(payloadOverrides: new Dictionary<string, object>());
+            await Assert.ThrowsAsync<FirebaseAuthException>(async () => await TenantTokenVerifier.VerifyTokenAsync(idToken));
+        }
+
         [Fact]
         public async Task InvalidArgument()
         {

diff --git a/FirebaseAdmin/FirebaseAdmin/Auth/FirebaseAuth.cs b/FirebaseAdmin/FirebaseAdmin/Auth/FirebaseAuth.cs
@@ -39,6 +39,7 @@ internal FirebaseAuth(FirebaseAuthArgs args)
             this.tokenFactory = args.TokenFactory.ThrowIfNull(nameof(args.TokenFactory));
             this.idTokenVerifier = args.IdTokenVerifier.ThrowIfNull(nameof(args.IdTokenVerifier));
             this.userManager = args.UserManager.ThrowIfNull(nameof(args.UserManager));
+            this.TenantId = args.TenantId;
         }
 
         /// <summary>
@@ -59,23 +60,35 @@ public static FirebaseAuth DefaultInstance
             }
         }
 
+        /// <summary>
+        /// Gets the tenant ID for this auth instance.
+        /// </summary>
+        public string TenantId { get; }
+
         /// <summary>
         /// Returns the auth instance for the specified app.
         /// </summary>
         /// <returns>The <see cref="FirebaseAuth"/> instance associated with the specified
         /// app.</returns>
         /// <exception cref="System.ArgumentNullException">If the app argument is null.</exception>
+        /// <exception cref="System.ArgumentException">If the tenantId argument is invalid.</exception>
         /// <param name="app">An app instance.</param>
-        public static FirebaseAuth GetAuth(FirebaseApp app)
+        /// <param name="tenantId">The tenant ID to manage (optional).</param>
+        public static FirebaseAuth GetAuth(FirebaseApp app, string tenantId = null)
         {
             if (app == null)
             {
                 throw new ArgumentNullException("App argument must not be null.");
             }
 
-            return app.GetOrInit<FirebaseAuth>(typeof(FirebaseAuth).Name, () =>
+            if (tenantId != null && !System.Text.RegularExpressions.Regex.IsMatch(tenantId, "^[a-zA-Z0-9-]+$"))
             {
-                return new FirebaseAuth(FirebaseAuthArgs.Create(app));
+                throw new ArgumentException("The tenant ID must be null or a valid non-empty string.", "tenantId");
+            }
+
+            return app.GetOrInit<FirebaseAuth>(typeof(FirebaseAuth).Name + tenantId, () =>
+            {
+                return new FirebaseAuth(FirebaseAuthArgs.Create(app, tenantId));
             });
         }
 
@@ -586,16 +599,19 @@ internal sealed class FirebaseAuthArgs
 
             internal Lazy<FirebaseUserManager> UserManager { get; set; }
 
-            internal static FirebaseAuthArgs Create(FirebaseApp app)
+            internal string TenantId { get; set; }
+
+            internal static FirebaseAuthArgs Create(FirebaseApp app, string tenantId)
             {
                 return new FirebaseAuthArgs()
                 {
                     TokenFactory = new Lazy<FirebaseTokenFactory>(
-                        () => FirebaseTokenFactory.Create(app), true),
+                        () => FirebaseTokenFactory.Create(app, tenantId), true),
                     IdTokenVerifier = new Lazy<FirebaseTokenVerifier>(
-                        () => FirebaseTokenVerifier.CreateIDTokenVerifier(app), true),
+                        () => FirebaseTokenVerifier.CreateIDTokenVerifier(app, tenantId), true),
                     UserManager = new Lazy<FirebaseUserManager>(
-                        () => FirebaseUserManager.Create(app), true),
+                        () => FirebaseUserManager.Create(app, tenantId), true),
+                    TenantId = tenantId,
                 };
             }
         }

diff --git a/FirebaseAdmin/FirebaseAdmin/Auth/FirebaseTokenArgs.cs b/FirebaseAdmin/FirebaseAdmin/Auth/FirebaseTokenArgs.cs
@@ -36,5 +36,14 @@ internal sealed class FirebaseTokenArgs
 
         [JsonIgnore]
         public IReadOnlyDictionary<string, object> Claims { get; set; }
+
+        [JsonProperty("firebase")]
+        internal FirebaseClaims Firebase { get; set; }
+
+        internal sealed class FirebaseClaims
+        {
+            [JsonProperty("tenant")]
+            public string TenantId { get; set; }
+        }
     }
 }
diff --git a/FirebaseAdmin/FirebaseAdmin/Auth/FirebaseTokenFactory.cs b/FirebaseAdmin/FirebaseAdmin/Auth/FirebaseTokenFactory.cs
@@ -61,14 +61,16 @@ internal class FirebaseTokenFactory : IDisposable
 
         private readonly ISigner signer;
         private readonly IClock clock;
+        private readonly string tenantId;
 
-        public FirebaseTokenFactory(ISigner signer, IClock clock)
+        public FirebaseTokenFactory(ISigner signer, IClock clock, string tenantId = null)
         {
             this.signer = signer.ThrowIfNull(nameof(signer));
             this.clock = clock.ThrowIfNull(nameof(clock));
+            this.tenantId = tenantId;
         }
 
-        public static FirebaseTokenFactory Create(FirebaseApp app)
+        public static FirebaseTokenFactory Create(FirebaseApp app, string tenantId)
         {
             ISigner signer = null;
             var serviceAccount = app.Options.Credential.ToServiceAccountCredential();
@@ -90,7 +92,7 @@ public static FirebaseTokenFactory Create(FirebaseApp app)
                 signer = FixedAccountIAMSigner.Create(app);
             }
 
-            return new FirebaseTokenFactory(signer, SystemClock.Default);
+            return new FirebaseTokenFactory(signer, SystemClock.Default, tenantId);
         }
 
         public async Task<string> CreateCustomTokenAsync(
@@ -135,6 +137,7 @@ public async Task<string> CreateCustomTokenAsync(
                 Audience = FirebaseAudience,
                 IssuedAtTimeSeconds = issued,
                 ExpirationTimeSeconds = issued + TokenDurationSeconds,
+                TenantId = this.tenantId,
             };
 
             if (developerClaims != null && developerClaims.Count > 0)
@@ -156,6 +159,9 @@ internal class CustomTokenPayload : JsonWebToken.Payload
             [Newtonsoft.Json.JsonPropertyAttribute("uid")]
             public string Uid { get; set; }
 
+            [Newtonsoft.Json.JsonPropertyAttribute("tenant_id")]
+            public string TenantId { get; set; }
+
             [Newtonsoft.Json.JsonPropertyAttribute("claims")]
             public IDictionary<string, object> Claims { get; set; }
         }

diff --git a/FirebaseAdmin/FirebaseAdmin/Auth/FirebaseTokenVerifier.cs b/FirebaseAdmin/FirebaseAdmin/Auth/FirebaseTokenVerifier.cs
@@ -57,6 +57,7 @@ internal sealed class FirebaseTokenVerifier
         internal FirebaseTokenVerifier(FirebaseTokenVerifierArgs args)
         {
             this.ProjectId = args.ProjectId.ThrowIfNullOrEmpty(nameof(args.ProjectId));
+            this.TenantId = args.TenantId;
             this.shortName = args.ShortName.ThrowIfNullOrEmpty(nameof(args.ShortName));
             this.operation = args.Operation.ThrowIfNullOrEmpty(nameof(args.Operation));
             this.url = args.Url.ThrowIfNullOrEmpty(nameof(args.Url));
@@ -75,7 +76,9 @@ internal FirebaseTokenVerifier(FirebaseTokenVerifierArgs args)
 
         public string ProjectId { get; }
 
-        internal static FirebaseTokenVerifier CreateIDTokenVerifier(FirebaseApp app)
+        public string TenantId { get; }
+
+        internal static FirebaseTokenVerifier CreateIDTokenVerifier(FirebaseApp app, string tenantId = null)
         {
             var projectId = app.GetProjectId();
             if (string.IsNullOrEmpty(projectId))
@@ -89,6 +92,7 @@ internal static FirebaseTokenVerifier CreateIDTokenVerifier(FirebaseApp app)
             var args = new FirebaseTokenVerifierArgs()
             {
                 ProjectId = projectId,
+                TenantId = tenantId,
                 ShortName = "ID token",
                 Operation = "VerifyIdTokenAsync()",
                 Url = "https://firebase.google.com/docs/auth/admin/verify-id-tokens",
@@ -152,6 +156,13 @@ internal async Task<FirebaseToken> VerifyTokenAsync(
                 error = $"{this.shortName} has incorrect audience (aud) claim. Expected {this.ProjectId} "
                     + $"but got {payload.Audience}. {projectIdMessage} {verifyTokenMessage}";
             }
+            else if (this.TenantId != payload.Firebase?.TenantId)
+            {
+                var expectedTenantId = this.TenantId == null ? "null" : this.TenantId;
-                var expectedTenantId = this.TenantId == null ? "null" : this.TenantId;
+                var expectedTenantId = this.TenantId ?? "null";
-                var expectedTenantId = this.TenantId == null ? "null" : this.TenantId;
+                var expectedTenantId = this.TenantId ?? "null";
+                var actualTenantId = payload.Firebase?.TenantId == null ? "null" : payload.Firebase.TenantId;
+                error = $"{this.shortName} has incorrect tenant ID (firebase.tenant) claim. Expected {expectedTenantId} "
+                    + $"but got {actualTenantId}. {verifyTokenMessage}";
+            }
             else if (payload.Issuer != issuer)
             {
                 error = $"{this.shortName} has incorrect issuer (iss) claim. Expected {issuer} but "

diff --git a/FirebaseAdmin/FirebaseAdmin/Auth/FirebaseTokenVerifierArgs.cs b/FirebaseAdmin/FirebaseAdmin/Auth/FirebaseTokenVerifierArgs.cs
@@ -20,6 +20,8 @@ internal sealed class FirebaseTokenVerifierArgs
     {
         public string ProjectId { get; set; }
 
+        public string TenantId { get; set; }
+
         public string ShortName { get; set; }
 
         public string Operation { get; set; }

diff --git a/FirebaseAdmin/FirebaseAdmin/Auth/FirebaseUserManager.cs b/FirebaseAdmin/FirebaseAdmin/Auth/FirebaseUserManager.cs
@@ -42,6 +42,8 @@ internal class FirebaseUserManager : IDisposable
 
         private const string IdTooklitUrl = "https://identitytoolkit.googleapis.com/v1/projects/{0}";
 
+        private const string IdTooklitTenantUrl = "https://identitytoolkit.googleapis.com/v1/projects/{0}/tenants/{1}";
+
         private readonly ErrorHandlingHttpClient<FirebaseAuthException> httpClient;
         private readonly string baseUrl;
 
@@ -63,22 +65,23 @@ internal FirebaseUserManager(Args args)
                     DeserializeExceptionHandler = AuthErrorHandler.Instance,
                     RetryOptions = args.RetryOptions,
                 });
-            this.baseUrl = string.Format(IdTooklitUrl, args.ProjectId);
+            this.baseUrl = string.Format(args.TenantId != null ? IdTooklitTenantUrl : IdTooklitUrl, args.ProjectId, args.TenantId);
-            this.baseUrl = string.Format(args.TenantId != null ? IdTooklitTenantUrl : IdTooklitUrl, args.ProjectId, args.TenantId);
+            if (!string.IsNullOrEmpty(args.TenantId)
+            {
+                this.baseUrl = string.Format(IdTooklitTenantUrl, args.ProjectId, args.TenantId);
+            }
+            else
+            {
+                this.baseUrl = string.Format(IdTooklitUrl, args.ProjectId);
+            }
-            this.baseUrl = string.Format(args.TenantId != null ? IdTooklitTenantUrl : IdTooklitUrl, args.ProjectId, args.TenantId);
+            if (!string.IsNullOrEmpty(args.TenantId)
+            {
+                this.baseUrl = string.Format(IdTooklitTenantUrl, args.ProjectId, args.TenantId);
+            }
+            else
+            {
+                this.baseUrl = string.Format(IdTooklitUrl, args.ProjectId);
+            }
         }
 
         public void Dispose()
         {
             this.httpClient.Dispose();
         }
 
-        internal static FirebaseUserManager Create(FirebaseApp app)
+        internal static FirebaseUserManager Create(FirebaseApp app, string tenantId)
         {
             var args = new Args
             {
                 ClientFactory = app.Options.HttpClientFactory,
                 Credential = app.Options.Credential,
                 ProjectId = app.GetProjectId(),
                 RetryOptions = RetryOptions.Default,
+                TenantId = tenantId,
             };
 
             return new FirebaseUserManager(args);
@@ -295,6 +298,8 @@ internal sealed class Args
 
             internal string ProjectId { get; set; }
 
+            internal string TenantId { get; set; }
+
             internal RetryOptions RetryOptions { get; set; }
         }