
Commit e455da8

committed
Allow using a different Service Account ID for custom token generation
1 parent 96ba7d5 commit e455da8


2 files changed

+26
-4
lines changed


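--- a/src/Firebase/Auth/CustomTokenViaGoogleCredentials.php
+++ b/src/Firebase/Auth/CustomTokenViaGoogleCredentials.php
@@ -24,7 +24,11 @@ final class CustomTokenViaGoogleCredentials
 
 private readonly Parser $parser;
 
-public function __construct(private readonly SignBlobInterface $signer, private readonly ?string $tenantId = null)
+public function __construct(
+private readonly SignBlobInterface $signer,
+private readonly ?string $tenantId = null,
+private readonly ?string $serviceAccountIdForTokenGeneration = null,
+)
 {
 $this->encoder = new JoseEncoder();
 $this->parser = new Parser($this->encoder);
@@ -43,10 +47,12 @@ public function createCustomToken($uid, array $claims = [], ?DateTimeInterface $
 ? DT::toUTCDateTimeImmutable($expiresAt)
 : $now->add(new DateInterval('PT1H'));
 
+$issAndSub = $this->serviceAccountIdForTokenGeneration ?? $this->signer->getClientName();
+
 $header = ['typ' => 'JWT', 'alg' => 'RS256'];
 $payload = [
-'iss' => $this->signer->getClientName(),
-'sub' => $this->signer->getClientName(),
+'iss' => $issAndSub,
+'sub' => $issAndSub,
 'aud' => 'https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit',
 'iat' => $now->getTimestamp(),
 'exp' => $expiresAt->getTimestamp(),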
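Review bot: The override in `$issAndSub = $this->serviceAccountIdForTokenGeneration ?? $this->signer->getClientName();` writes a caller-chosen account into both `iss` and `sub`, while the signature still comes from `$this->signer`, and nothing in the hunk ties the two identities together. The signing call is outside the hunk, so this is inferred, but if the signer signs as its own account, a token naming a different issuer should fail signature verification at the backend, and the mistake would surface only when a client tries to sign in. I would state the precondition on the constructor, e.g. `@param non-empty-string|null $serviceAccountIdForTokenGeneration Service account written to iss/sub; the signer must be authorised to sign on behalf of this account`. The body of `createCustomToken()` continues past the end of the hunk.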

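--- a/src/Firebase/Factory.php
+++ b/src/Firebase/Factory.php
@@ -83,6 +83,11 @@ final class Factory
 
 private ?ServiceAccount $serviceAccount = null;
 
+/**
+* @var non-empty-string|null
+*/
+private ?string $serviceAccountIdForCustomTokenGeneration = null;
+
 private ?FetchAuthTokenInterface $googleAuthTokenCredentials = null;
 
 /**
@@ -164,6 +169,17 @@ public function withServiceAccount(string|array $value): self
 return $factory;
 }
 
+/**
+* @param non-empty-string $serviceAccountId
+*/
+public function withServiceAccountIdForCustomTokenGeneration(string $serviceAccountId): self
+{
+$factory = clone $this;
+$factory->serviceAccountIdForCustomTokenGeneration = $serviceAccountId;
+
+return $factory;
+}
+
 /**
 * @param non-empty-string $projectId
 */
@@ -685,7 +701,7 @@ private function createCustomTokenGenerator(): ?CustomTokenViaGoogleCredentials
 $credentials = $this->getGoogleAuthTokenCredentials();
 
 if ($credentials instanceof SignBlobInterface) {
-return new CustomTokenViaGoogleCredentials($credentials, $this->tenantId);
+return new CustomTokenViaGoogleCredentials($credentials, $this->tenantId, $this->serviceAccountIdForCustomTokenGeneration);
 }
 
 return null;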
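Review bot: `withServiceAccountIdForCustomTokenGeneration()` promises `non-empty-string` only in its docblock; the native type is `string`, so `''` is accepted and stored unchecked. That value is handed to `CustomTokenViaGoogleCredentials` in `createCustomTokenGenerator()`, where the `??` fallback replaces only `null`, so an empty string would end up as the token's `iss` and `sub` instead of the signer's identity. Reject it at the boundary, e.g. `if ($serviceAccountId === '') { throw new \InvalidArgumentException('Service account ID must not be empty'); }`, or use the project's own argument exception if it has one. Only the `SignBlobInterface` branch visible here receives the value, and whether other token generators built by the factory honour it cannot be seen from this hunk.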
