Firebase Auth ID token has incorrect "aud" claim

I'm trying to verify an idToken backend. The user has successfully logged in to firebase client side but when I try to verify the idToken on my backend I get this not very helpful error message

> Firebase Auth ID token has incorrect "aud" claim

The error message seems to have become a little more informative, and boils down to not having the project name in the auth key:

>Error: Firebase ID token has incorrect "aud" (audience) claim.
> Expected "stripmall-0000" but got
> "617699194096-0aafcvsml0gke61d6077kkark051f3e1.apps.googleusercontent.com".
> Make sure the ID token comes from the same Firebase project as the
> service account used to authenticate this SDK. See
>

[To see links please register here]

for
> details on how to retrieve an ID token.


Anyone with the slightest idea what could be wrong? I receive the tokenId correctly from the client so that shouldn't be a problem. Sincere appologies if this has been asked before or is trivial in any other way.

firebase.initializeApp({
serviceAccount: {
"type": "service_account",
"project_id": <project id here>,
"private_key_id": <key id goes here>,
"private_key": <key goes here>
"client_email": <email goes here>,
"client_id": <my client id>,
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://accounts.google.com/o/oauth2/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": <url goes here>
},
databaseURL: <my db url here>
});

router.post("/verify", function (req, res) {
firebase.auth().verifyIdToken(req.body.idToken).then(function (decodedToken) {
var uid = decodedToken.sub;
res.send(uid);
}).catch(function (error, param2) {
console.log(error); // 'Firebase Auth ID token has incorrect "aud" claim'
});

});

If you are running locally, this error message also pops up if you have the incorrect GOOGLE_APPLICATION_CREDENTIALS environment variable. Check to see if the JSON key that is set with this environment variable matches that of project.

The problem for me was **not** the token but that I needed to initialize my backend using a service account. Doing that you can also test and debug from the local dev server.

FileInputStream serviceAccount = new FileInputStream("path/to/serviceAccountKey.json");

FirebaseOptions options = new FirebaseOptions.Builder()
.setCredentials(GoogleCredentials.fromStream(serviceAccount))
.setDatabaseUrl("https://<DATABASE_NAME>.firebaseio.com/")
.build();

FirebaseApp.initializeApp(options);
FirebaseAuth firebaseAuth = FirebaseAuth.getInstance();

// Get the FB uid from the token
FirebaseToken decodedToken = firebaseAuth.verifyIdTokenAsync(token).get();
String uid = decodedToken.getUid();

source:

[To see links please register here]

TLDR: As mentioned in another answer, you are not correctly initializing the App.

Although, I'm a bit late on this, I had the same issue, so I decided to dive in and see what was going on behind the hood.

First off, unless the API has changed since this question was asked, `serviceAccount` doesn't exist as a property as part of the `AppOptions` interface, which is probably why you were getting the error. So I'm going to assume what you have there is meant to be in the `credential` key.

Second, you see that this error is thrown at

[To see links please register here]

(line 187 at the time of this writing) where the `aud` claim in the token is compared against `this.projectId`.

Now, as other answers mention, this could be because the token that you are trying to verify was not created client-side, but by some other custom method, in which case the `aud` claim could be non-existent, something completely random, or something that definitely won't equal your `projectId` so you should check that first.

However, if you are certain the token was created client-side, then it boils down to `projectId` not being set, or at least not set in the way you expect. If you look at the `getProjectId()` method in

[To see links please register here]

(line 66 at the time of this writing), you see that the `projectId` is determined in one of 3 ways: from the `app.options` object directly, from the `projectId` property in `app.options.credential`, OR from `process.env.GOOGLE_CLOUD_PROJECT || process.env.GCLOUD_PROJECT`. This means that if the `projectId` is not set and if your project is hosted on GCloud (which I'm assuming `stripmall-0000` is), then Google will automagically use your current environment's projectId for anything related to firebase-auth, not the projectId of the originating project.

So, three options:

1. Initialize your app with `projectId` set directly in `AppOptions`:

firebase.initializeApp({
databaseURL: <my db url here>,
// Set your projectId directly here in options:
projectId: <your-projectId-here>
});

2. Or probably better to do this way by setting your credentials object properly:

firebase.initializeApp({
credentials: admin.credential.cert(<<path-to-your-certificate> || <admin.ServiceAccount object>>),
databaseURL: <my db url here>
});

3. Or, just host the app within the same project as your firebase app (now that they are part of the same ecosystem) so that the environment variables are the same. (Not actually 100% about this, but I'm assuming this is how firebase-functions a.k.a. cloud-functions works)

There's another case that can produce this frustrating error. If you have a query tool like Postman, Insomnia, GraphQL Playground (the culprit this time), etc. open, then those may be holding old Authentication Bearer tokens and making requests to your API, even when your authentication keys have been changed.

The simple solution here is to clear out all the requests that are currently authenticated with those Bearer tokens and reauthenticate.

This is particularly nasty with GraphQL Playground, because its rudimentary nature forces you to copy/paste your auth token into each query tab's headers, so if you don't close or modify each and every tab, you're still going to be getting this error spamming your API console.

I'd recommend [Insomnia](insomnia.rest) as the antidote to this, as with proper query chaining practices, you avoid this entirely. Further details: you can automatically pass the bearer token result from a user authentication query to any other query through one of Insomnia's environment variables.

As Thach Lockevn mentioned in the comments
The solution that worked for me was:


import { AngularFireAuth } from '@angular/fire/auth';
import { auth } from 'firebase/app';

this.angularFireAuth.signInWithPopup(new auth.GoogleAuthProvider()).then((googleAuth) => {
this.user = googleAuth.user;
googleAuth.user.getIdToken().then(tkn => {
this.token = tkn;
//send the token to the backend...
});
});

Your problem may be that you are trying to use the JWT token returned by one of the `auth()` functions like `firebaseRef.auth().signInWithPopup()`. These do return a JWT token, however the auth claims will likely be wrong and won't pass verification by `verifyIdToken`. Firebase tech support confirmed this.

You have to use the `firebaseRef.auth().currentUser.getToken()` function. That token will pass verification.

## Wrong Audience (wrong project GOOGLE conflict between projects FIX)
I was using a NetJS server inside a GKE cluster (created using account A) and I was trying to connect the admin SDK to an external Firebase app (created using account B).

> GKE was setting the credentials using an environment variable that was affecting the NextJS app

### Solution
I set the `GOOGLE_APPLICATION_CREDENTIALS` environment for the NextJS app (you can use a `.env` file.

### Conclusion
The Node variable has priority over the default auth app (Crazy!)

[To see links please register here]

**There is two types of auth ID Token**

1. Google-Based
2. Firebase Provide AuthIDToken

you need Firebase provided Token if you implement it with firebase authentication.

You will get the first Google id token and using that token you are getting credential which is used for authenticating firebase
,Here Provided

> idToken : google id token

AuthCredential credential = GoogleAuthProvider.getCredential(idToken, null)

You are login into firebase using

firebase.signInWithCredential(credential).addOnCompleteListener(this, task -> { ....})
in this call back you will get firebase id token

> ftoken : firebase id token

String ftoken = task.getResult().getUser().getIdToken(false).getResult().getToken()