Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Google Cloud Session control #1846

Closed
IchordeDionysos opened this issue Dec 4, 2019 · 4 comments · Fixed by #6771
Closed

Google Cloud Session control #1846

IchordeDionysos opened this issue Dec 4, 2019 · 4 comments · Fixed by #6771
Assignees

Comments

@IchordeDionysos
Copy link
Contributor

[REQUIRED] Environment info

firebase-tools: 7.3.2

Platform: macOS

[REQUIRED] Test case

Enable Google Cloud Session control as described here:
https://support.google.com/a/answer/9368756?hl=en&ref_topic=7558662

Login to Firebase using firebase login, run for example firebase deploy.
Wait until reauthentication would be required.
Try to run firebase deploy again.

[REQUIRED] Expected behavior

Firebase CLI asks as the gcloud SDK for reauthentication.

[REQUIRED] Actual behavior

Firebase command fails with:

Error: HTTP Error: 401, Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.
@google-oss-bot
Copy link
Contributor

This issue does not seem to follow the issue template. Make sure you provide all the required information.

@bkendall
Copy link
Contributor

bkendall commented Dec 4, 2019

This is going to be interesting to solve. Unfortunately, since the documentation you describe is labeled "beta", I'm hesitant to jump on this right now to fix. I would have to go digging into the authentication flow code as well to figure out where the error would be returned and figure out how to re-authenticate.

I'll leave this open for the time being, though I'm not sure when we'd get to it.

@IchordeDionysos
Copy link
Contributor Author

@bkendall this is no longer beta :D

And actually, the Google Workspace team forces the 16h-session duration now on Workspace customers :)
https://workspaceupdates.googleblog.com/2023/03/google-cloud-session-length-default-update.html

So this will be more and more a problem for people!

@joehan joehan self-assigned this Mar 28, 2023
@IchordeDionysos
Copy link
Contributor Author

@bkendall @joehan I did some investigation on what error comes back from the Google token servers:

[debug] [2023-04-19T06:17:55.283Z] > command requires scopes: ["email","openid","https://www.googleapis.com/auth/cloudplatformprojects.readonly","https://www.googleapis.com/auth/firebase","https://www.googleapis.com/auth/cloud-platform"]
[debug] [2023-04-19T06:17:55.285Z] > authorizing via signed-in user ([email protected])
[debug] [2023-04-19T06:17:55.287Z] > refreshing access token with scopes: []
[debug] [2023-04-19T06:17:55.287Z] >>> [apiv2][query] POST https://www.googleapis.com/oauth2/v3/token [none]
[debug] [2023-04-19T06:17:55.287Z] >>> [apiv2][body] POST https://www.googleapis.com/oauth2/v3/token [stream]
[debug] [2023-04-19T06:17:55.754Z] <<< [apiv2][status] POST https://www.googleapis.com/oauth2/v3/token 400
[debug] [2023-04-19T06:17:55.755Z] <<< [apiv2][body] POST https://www.googleapis.com/oauth2/v3/token {"error":"invalid_grant","error_description":"reauth related error (invalid_rapt)","error_uri":"https://support.google.com/a/answer/9368756","error_subtype":"invalid_rapt"}

So it seems like checking for error == invalid_grant and then error_subtype == invalid_rapt would be the place to force reauthentication.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants