FirebaseAdmin.Auth().verifyIdToken not tenant aware #2803

Open
Penberthy-gossan opened this issue Dec 6, 2024 · 1 comment
@Penberthy-gossan

  • Operating System version: run.googleapis.com (linux)
  • Firebase SDK version: 5.1.0
  • Firebase Product: Admin auth
  • Node.js version: 20
  • NPM version: 10.8.2

Verifying ID tokens in Firebase functions will fail when using tenants in Google Identity Platform.

Steps to reproduce:

1. Create an app in Firebase and enable Google Identity Platform.
2. Add a tenant to Identity Platform.
3. Add a user to the tenant.
4. Log into the app using the user and tenant ID.
5. Call a Google function from the app.
6. In the function, attempt to verify the ID token with FirebaseAdmin.auth().verifyIdToken('tokenString').

error
Error: There is no user record corresponding to the provided identifier.

Relevant Code:

    var token = await admin.auth().verifyIdToken(req.rawRequest.header('Authorization').substring(7), true);

I could use the TenantAuth, but to get that I would need the tenantId, which is in the token, which you can access by verifying the token, but like I said, you need to know the tenant for that. I could manually scrape the tenantId from the JWT by parsing it myself, but then I have to hard-code its location in the JWT firebase attribute, which could change.

    var tenantAuth = await admin.auth().tenantManager().authForTenant(token.firebase.tenant);
    var token = await tenantAuth.verifyIdToken(req.rawRequest.header('Authorization').substring(7),true);

Expected functionality would be that it detects the presence of a tenant in the firebase attribute, attempts to get the correct TenantAuth instance, and uses that to verify.
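Added example, not part of the original issue and not firebase-admin code: one way to break the circular dependency described above is to read `firebase.tenant` from the unverified payload only to choose the verifier, restrict it to an allowlist, and re-check it on the verified token. The `admin` parameter (an initialized firebase-admin instance), the `allowedTenants` set and the helper names are assumptions; the SDK calls are the ones used in the issue.

```javascript
// Added example (not firebase-admin code). `admin` is an initialized
// firebase-admin instance passed in by the caller; helper names are hypothetical.

// Read the tenant claim from the JWT payload WITHOUT verifying the signature.
// The result is attacker-controlled and may only be used as a routing hint.
function peekTenantId(idToken) {
  const parts = String(idToken).split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  let payload;
  try {
    payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch (e) {
    throw new Error('malformed JWT payload');
  }
  const tenant = payload && payload.firebase && payload.firebase.tenant;
  return typeof tenant === 'string' ? tenant : null;
}

// Verify an ID token against the tenant it claims, but only if that tenant
// is one this service expects (allowedTenants is a Set of tenant IDs).
async function verifyTenantIdToken(admin, idToken, allowedTenants) {
  const tenantId = peekTenantId(idToken);
  if (tenantId === null) {
    // No tenant claim: project-level verification, as in the issue's first snippet.
    return admin.auth().verifyIdToken(idToken, true);
  }
  if (!allowedTenants.has(tenantId)) {
    throw new Error('token claims an unexpected tenant');
  }
  const tenantAuth = admin.auth().tenantManager().authForTenant(tenantId);
  const decoded = await tenantAuth.verifyIdToken(idToken, true);
  // Re-check the claim on the verified token rather than trusting the peek.
  if (!decoded.firebase || decoded.firebase.tenant !== tenantId) {
    throw new Error('verified token does not belong to the selected tenant');
  }
  return decoded;
}

// Extract the bearer token from an Authorization header value.
function bearerToken(headerValue) {
  const m = /^Bearer (.+)$/.exec(headerValue || '');
  if (!m) throw new Error('missing bearer token');
  return m[1];
}
```

Nothing from the peeked payload is used for authorization; only the object returned by `verifyIdToken` is.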

@google-oss-bot

I found a few problems with this issue:

  • I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
  • This issue does not seem to follow the issue template. Make sure you provide all the required information.
