Skip to content

Enable OIDC Token Exchange for BYO-CIAM (R-GCIP) #14983

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: exchange-token-implementation
Choose a base branch
from
Open

Enable OIDC Token Exchange for BYO-CIAM (R-GCIP) #14983

wants to merge 1 commit into from

Conversation

srushtisv
Copy link
Contributor

Description

This PR adds new public methods to Auth to support exchanging a third-party OIDC ID token for a Firebase ID token. This functionality is essential for the Bring Your Own CIAM (BYO-CIAM) feature, allowing integration with external OIDC providers within a Regionalized GCIP (R-GCIP) setup.

New Public API:

  • struct FirebaseToken: Sendable: Holds the exchanged token (String) and its expirationDate (Date).
  • Auth.exchangeToken(customToken: String, idpConfigId: String, useStaging: Bool, completion: @escaping (FirebaseToken?, Error?) -> Void): Method to exchange the token, taking a completion handler.
  • Auth.exchangeToken(customToken: String, idpConfigId: String, useStaging: Bool) async throws -> FirebaseToken: Async/await version of the token exchange method.

Details:

  • The exchangeToken methods use the ExchangeTokenRequest and ExchangeTokenResponse types to interact with the regionalized identityplatform.googleapis.com backend.
  • These methods require that the Auth instance has been configured with a TenantConfig (via Auth.auth(app:tenantConfig:)), as location and tenantId are necessary to construct the correct regional endpoint URL. An error is returned if these are not set.
  • Unlike standard sign-in methods, this flow does not create or update the currentUser on the Auth instance. It purely exchanges a token.

Introduces new public API surface to FirebaseAuth. This change depends on the previously introduced TenantConfig, ExchangeTokenRequest, and ExchangeTokenResponse.

@gemini-code-assist Gemini Code Assist
Copy link
Contributor

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in issue comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.

@google-oss-bot
Copy link

1 Warning
⚠️ Did you forget to add a changelog entry? (Add #no-changelog to the PR description to silence this warning.)

Generated by 🚫 Danger

@srushtisv srushtisv self-assigned this Jun 16, 2025
@srushtisv srushtisv marked this pull request as ready for review June 16, 2025 07:52
@srushtisv srushtisv requested review from pashanka and ncooke3 June 16, 2025 07:52
ncooke3
ncooke3 reviewed Jun 18, 2025
View reviewed changes
FirebaseAuth/Sources/Swift/Auth/Auth.swift

/// Represents the result of a successful OIDC token exchange, containing a Firebase ID token
/// and its expiration.
public struct FirebaseToken: Sendable {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same point in the TenantConfig PR, is the nesting (e.g. Auth.FirebaseToken) intentional?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

ncooke3
ncooke3 reviewed Jun 18, 2025
View reviewed changes
FirebaseAuth/Sources/Swift/Auth/Auth.swift
Comment on lines +2492 to +2495
func exchangeToken(idToken: String,
idpConfigId: String,
useStaging: Bool = false,
completion: @escaping (FirebaseToken?, Error?) -> Void) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would prefer if we don't introduce new API that uses completion handlers. As least initially, new async API should be async/await only unless there a reason for completion handler (e.g. objc support, etc.)

FirebaseAuth/Sources/Swift/Auth/Auth.swift
guard let _ = requestConfiguration.location,
let _ = requestConfiguration.tenantId
else {
throw AuthErrorUtils.operationNotAllowedError(message: "R-GCIP is not configured.")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you think this should instead cause a fatal error? When do we anticipate this case triggering, during development or possibly in live app's execution?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be during development. Unless the developer pushes their app without testing :)

pashanka
pashanka requested changes Jun 19, 2025
View reviewed changes
FirebaseAuth/Sources/Swift/Auth/Auth.swift

/// Represents the result of a successful OIDC token exchange, containing a Firebase ID token
/// and its expiration.
public struct FirebaseToken: Sendable {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

FirebaseAuth/Sources/Swift/Auth/Auth.swift
idToken: idToken,
idpConfigID: idpConfigId,
config: requestConfiguration,
useStaging: true
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't this value come from useStaging above?

FirebaseAuth/Sources/Swift/Auth/Auth.swift
guard let _ = requestConfiguration.location,
let _ = requestConfiguration.tenantId
else {
throw AuthErrorUtils.operationNotAllowedError(message: "R-GCIP is not configured.")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be during development. Unless the developer pushes their app without testing :)

FirebaseAuth/Sources/Swift/Auth/Auth.swift
idToken: idToken,
idpConfigID: idpConfigId,
config: requestConfiguration,
useStaging: true
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as above, won't we end up always using staging here?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ncooke3 ncooke3 ncooke3 left review comments

@pashanka pashanka pashanka requested changes

Assignees

@srushtisv srushtisv

Labels
api: auth
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@srushtisv @google-oss-bot @ncooke3 @pashanka