Feature Request: Official support for integration with firebase-admin and google-auth-library ExternalAccountClient.

[LumaKernel]

Is your feature request related to a problem? Please describe.
firebase-admin requires credential in STS response format, but it is not exposed:

https://github.com/LumaKernel/google-auth-library-nodejs/blob/21a91c2c6e5317e6f6e2e8709bca2953999f98d4/src/auth/baseexternalclient.ts#L432-L432

We can calculate STS response from cachedAccessToken that is calculated from above, but it is private field.

Describe the solution you'd like
Exposing cached STS response, and optionally, exposing cachedAccessToken.

Describe alternatives you've considered
Only storing cached STS response and make cachedAccessToken getter.

Additional context

Workaround:

import admin from 'firebase-admin'
import type { GoogleOAuthAccessToken } from 'firebase-admin/app'
import type { FooAccountClient, Credentials as GoogleAPICredentials } from 'google-auth-library'

// Converting to original STS response format.
const convertToFirebaseCredential = (gapiCred: GoogleAPICredentials): GoogleOAuthAccessToken => {
  const { access_token, expiry_date } = gapiCred
  if (typeof access_token !== 'string')
    throw new Error('Google auth credential without access_token is incompatible')
  if (typeof expiry_date !== 'number')
    throw new Error('Google auth credential without expiry_date is incompatible')
  return {
    access_token,
    // inverse opertation of following
    // https://github.com/googleapis/google-auth-library-nodejs/blob/5ed910513451c82e2551777a3e2212964799ef8e/src/auth/baseexternalclient.ts#L446-L446
    expires_in: Math.floor((expiry_date - new Date().getTime()) / 1000),
  }
}

// Usage example
const createApp = async () => {
  const client = new FooAccountClient({ /* ... */ });
  const credential = {
    getAccessToken: async () => {
      await client.getAccessToken()
      // cachedAccessToken is private
      const gapiCred: GoogleAPICredentials = (client as any).cachedAccessToken
      return convertToFirebaseCredential(gapiCred)
    },
  };
  admin.initializeApp({
    // ...
    credential,
  });
}

It is real working workaround in our project.

[bcoe]

@hiranya911, @lahirumaramba, I'm not very familiar with firebase-admin, I don't suppose you have any thoughts as to what the interface should look like to make it easier to integrate google-auth-library?

Would happily take a patch.

[jpike88]

????? @bcoe you literally work for Google. How do you not have a contact at the Firebase team that can help dive in and make things right?

I've spent many many hours to diagnose and create the below issue, it seems like this lib and firebase's auth lib are on different planets, and for no good reason.

#1418

[irunika]

Do we have an idea of when this is going to release?
Are you saying we cannot verify a user if we are using the identity platform for the users?

Also, I tried to implement the workaround that is mentioned in #1322 (comment).
But FooAccountClient is not available in google-auth-library and I think it is a place holder. Which client should I use for the identity platform?

"firebase-admin": "^11.5.0",
"google-auth-library": "^8.7.0"

Can someone please point me to the correct version for the provided workaround?
All other services we have are running on GCP and we need to implement authentication for the app ASAP and this has become a blocker to proceed with our work in limited time.

[danielbankhead]

Current WIP:

• change: Migrate credentials to use google-auth-library firebase/firebase-admin-node#2466