Firebase Auth ID token has incorrect "aud" claim

Your problem may be that you are trying to use the JWT token returned by one of the auth() functions like firebaseRef.auth().signInWithPopup(). These do return a JWT token, however the auth claims will likely be wrong and won't pass verification by verifyIdToken. Firebase tech support confirmed this.

You have to use the firebaseRef.auth().currentUser.getToken() function. That token will pass verification.


TLDR: As mentioned in another answer, you are not correctly initializing the App.

Although, I'm a bit late on this, I had the same issue, so I decided to dive in and see what was going on behind the hood.

First off, unless the API has changed since this question was asked, serviceAccount doesn't exist as a property as part of the AppOptions interface, which is probably why you were getting the error. So I'm going to assume what you have there is meant to be in the credential key.

Second, you see that this error is thrown at https://github.com/firebase/firebase-admin-node/blob/master/src/auth/token-verifier.ts (line 187 at the time of this writing) where the aud claim in the token is compared against this.projectId.

Now, as other answers mention, this could be because the token that you are trying to verify was not created client-side, but by some other custom method, in which case the aud claim could be non-existent, something completely random, or something that definitely won't equal your projectId so you should check that first.

However, if you are certain the token was created client-side, then it boils down to projectId not being set, or at least not set in the way you expect. If you look at the getProjectId() method in https://github.com/firebase/firebase-admin-node/blob/master/src/utils/index.ts (line 66 at the time of this writing), you see that the projectId is determined in one of 3 ways: from the app.options object directly, from the projectId property in app.options.credential, OR from process.env.GOOGLE_CLOUD_PROJECT || process.env.GCLOUD_PROJECT. This means that if the projectId is not set and if your project is hosted on GCloud (which I'm assuming stripmall-0000 is), then Google will automagically use your current environment's projectId for anything related to firebase-auth, not the projectId of the originating project.

So, three options:

  1. Initialize your app with projectId set directly in AppOptions:

    firebase.initializeApp({
        databaseURL: <my db url here>,
        // Set your projectId directly here in options:
        projectId: <your-projectId-here>
    });
    
  2. Or probably better to do this way by setting your credentials object properly:

    firebase.initializeApp({
        credentials: admin.credential.cert(<<path-to-your-certificate> || <admin.ServiceAccount object>>),
        databaseURL: <my db url here>
    });
    
  3. Or, just host the app within the same project as your firebase app (now that they are part of the same ecosystem) so that the environment variables are the same. (Not actually 100% about this, but I'm assuming this is how firebase-functions a.k.a. cloud-functions works)


The problem for me was not the token but that I needed to initialize my backend using a service account. Doing that you can also test and debug from the local dev server.

FileInputStream serviceAccount = new FileInputStream("path/to/serviceAccountKey.json");

FirebaseOptions options = new FirebaseOptions.Builder()
            .setCredentials(GoogleCredentials.fromStream(serviceAccount))
            .setDatabaseUrl("https://<DATABASE_NAME>.firebaseio.com/")
            .build();

FirebaseApp.initializeApp(options);
FirebaseAuth firebaseAuth = FirebaseAuth.getInstance();

// Get the FB uid from the token
FirebaseToken decodedToken = firebaseAuth.verifyIdTokenAsync(token).get();
String uid = decodedToken.getUid();

source: https://firebase.google.com/docs/admin/setup


As Thach Lockevn mentioned in the comments The solution that worked for me was:

import { AngularFireAuth } from '@angular/fire/auth';
import { auth } from 'firebase/app';

this.angularFireAuth.signInWithPopup(new auth.GoogleAuthProvider()).then((googleAuth) => {
        this.user = googleAuth.user;
        googleAuth.user.getIdToken().then(tkn => {
            this.token = tkn;
            //send the token to the backend...
        });
    });