implementing regionalized auth and exchangeToken #14865
Conversation
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback. |
Generated by 🚫 Danger |
| } | ||
|
|
||
| /// Holds a Firebase ID token and its expiration. | ||
| public struct AuthExchangeToken: Sendable { |
There was a problem hiding this comment.
Should we call it FirebaseToken instead? AuthExchange was name for a different project and I think we should avoid that name.
| /// Holds a Firebase ID token and its expiration. | ||
| public struct AuthExchangeToken: Sendable { | ||
| public let token: String | ||
| public let expirationDate: Date? |
| // public static func auth(app: FirebaseApp, tenantConfig: nil) -> Auth { | ||
| // let auth = auth(app: app) | ||
| // return auth | ||
| // } |
There was a problem hiding this comment.
Do we need this commented code?
| /// R-GCIP region, set once during Auth init. | ||
| var location: String? | ||
|
|
||
| /// R-GCIP tenantId, set once during Auth init. | ||
| var tenantId: String? | ||
|
|
There was a problem hiding this comment.
Any reason we are setting this separately? Why can't we have tenantConfig here?
| apiProtocol = kHttpProtocol | ||
| apiHostAndPathPrefix = "\(emulatorHostAndPort)/\(kRegionalGCIPAPIHost)" |
There was a problem hiding this comment.
Do we support this new endpoint in the emulator? If not, shouldn't we throw exception here saying not supported? IIUC, for this to work, we need the new identityplatform's api supported on the emulator, let me know if this is something else.
|
|
||
| import Foundation | ||
|
|
||
| private let kCustomTokenKey = "customToken" |
There was a problem hiding this comment.
What is the significance of this? And why are we using customToken as the name here, probably we should use exchangeToken instead
| "exchangeOidcToken requires `auth.location` & `auth.tenantID`" | ||
| ) | ||
| } | ||
| _ = "\(region)-identityplatform.googleapis.com" |
There was a problem hiding this comment.
nit: Let us use the location term instead of region as region has different meaning.
| _ = "\(region)-identityplatform.googleapis.com" | ||
| return "/v2alpha/projects/\(project)/locations/\(region)" + | ||
| "/tenants/\(tenant)/idpConfigs/\(idpConfigID):exchangeOidcToken" |
There was a problem hiding this comment.
For prod-global we will not have (region)-identityplatform, instead it will be just identityplatform. Please add a special check for that.
Feature: Implement Firebase Token Exchange with Tenant Configuration
Description
This PR introduces a new API for exchanging tokens with Firebase, supporting multi-tenancy through a
TenantConfigstruct. Key changes include:Authclass:auth(app: FirebaseApp, tenantConfig: TenantConfig)to create anAuthinstance with a specific tenant configuration.exchangeTokenfunction:asyncfunctionexchangeToken(_ idToken: String, idpConfigId: String)to handle token exchange asynchronously.TenantConfigstruct:locationandtenantId.AuthExchangeTokenstruct:API Changes
Authclass with static methodauth(app: FirebaseApp, tenantConfig: TenantConfig) -> Auth.exchangeTokenfunction:func exchangeToken( idToken: String, idpConfigId: String) async throws -> AuthExchangeToken.TenantConfigstruct.AuthExchangeTokenstruct.