Auth Blocking Functions (v2) fail with "incorrect aud claim" on initial deployment

[mashijp]

[REQUIRED] Environment info

firebase-tools: 15.7.0

Platform: macOS (reproduced), likely all platforms

[REQUIRED] Test case

// functions/index.ts
import { beforeUserSignedIn } from "firebase-functions/v2/identity";

export const beforeSignIn = beforeUserSignedIn(
  { region: "asia-northeast1" },
  (event) => {
    // any handler
  }
);

[REQUIRED] Steps to reproduce

  1. Create a v2 Auth Blocking Function using beforeUserSignedIn (as above)
  2. Run firebase deploy --only functions for the first time (create operation)
  3. Attempt to sign in to the Firebase project

[REQUIRED] Expected behavior

Sign-in succeeds. The Auth Blocking Function is registered with the .run.app URL in Identity Platform, which matches the audience expected by firebase-functions.

[REQUIRED] Actual behavior

Sign-in fails with the following error:

Firebase Auth Blocking token has incorrect "aud" (audience) claim.
Expected "run.app" but got "https://asia-northeast1-<project>.cloudfunctions.net/beforeSignIn".

The function deploys successfully but fails at runtime on the first deployment. On subsequent deployments (update operations), sign-in works correctly. The issue only affects the initial deployment.

FIX

#9922

[aalej]

Thanks for the detailed report and for opening up a PR for this @mashijp, I appreciate this! I was able to reproduce the error. Let me raise this to our engineering team.

Sharing the mcve here - https://github.com/aalej/issues-9997

[inlined]

When did you experience the breakage here? cloudfunctions.net URLs were always supported before. In fact, I had to hack in the serverside codebase to make run.app URLs work at the original announcement for Firebase Functions v2 because they didn't have cloudfunctions.net URLs. It may be best to see if the Auth backend changed rather than changing the CLI (esp since that won't fix 1st gen functions)

[inlined]

@aalej We have v1 support. Do those break too?

[mashijp]

@inlined
I'm not sure exactly when this started -- I only recently began using Auth Blocking Functions, so I can't pinpoint the version.

For more context, please see the PR description (#9922), but here's my take:

• You're right that this could be seen as a firebase-functions issue — the SDK explicitly expects run.app for v2 functions, so the two implementations are currently out of sync.
• That said, the firebase-tools behavior is problematic regardless: create and update are inconsistent. The function fails on initial deployment but works after redeployment. PR Print cloudfunctions.net URL instead of run.app URL for 2nd Gen function #7887 only patched the create path while leaving update unchanged -- I believe reverting is the safest path forward for now.

[inlined]

That patch will help you but not all other users. firebase-functions/v1/auth also supports blocking functions and those don't have a run.app URL. I'm in touch with the auth team. A server-side change may have started sending OIDC tokens to authorize the call to the function and hard-coded v2 function URLs. That should be fixed.

[aalej]

@inlined v1 functions seems to be working as intended. On initial deployments(function creation), the auth blocking function automatically gets linked in the Auth Console

functions code

// functions/index.ts
import * as functions from "firebase-functions/v1";

export const beforeSignIn = functions.auth
  .user()
  .beforeSignIn((user, context) => {
    console.log("beforeSignIn", user);
  });

[inlined]

Ah, I had an idea. Perhaps the infrastructure that accepts cloudfunctions.net URLs and redirects them to run.app URLs is disjointed from the infrastructure that does the OIDC AuthN check. I'll dig into it and/or change the URL that's used in registration rather than the one that is printed.

[inlined]

I've finally found the issue! Cloud Functions 2nd generation isn't correctly setting the cloudfunctions.net URL as a custom audience on the Run service (how).

I'm talking to the team to see if this fix can be done in a reasonable timeframe. After that we can fix the terminal bug in the other direction so that the printed URL is the cloudfunctions.net URL always.

[mashijp]

Thanks for the update!
I couldn’t figure out a way to fix this on my side, so I really appreciate your help.
Looking forward to the fix.

[inlined]

I'm not even sure that is it 😕 Will keep looking

FWIW, since there's an easy workaround I'm treating the auth blocking function registration failure as P1. I'm trying to solve the actual networking layer issue because this seems like it could be a more pernicious issue that's going to affect many products.