fix: Using alg=none header for custom tokens in emulator mode

firebase_admin/_token_gen.py

@@ -53,6 +53,8 @@
 ])
 METADATA_SERVICE_URL = ('http://metadata.google.internal/computeMetadata/v1/instance/'
                         'service-accounts/default/email')
+ALGORITHM_RS256 = 'RS256'
+ALGORITHM_NONE = 'none'
 
 # Emulator fake account
 AUTH_EMULATOR_EMAIL = 'firebase-auth-emulator@example.com'
@@ -71,9 +73,10 @@ def sign(self, message):
 class _SigningProvider:
     """Stores a reference to a google.auth.crypto.Signer."""
 
-    def __init__(self, signer, signer_email):
+    def __init__(self, signer, signer_email, alg=ALGORITHM_RS256):
         self._signer = signer
         self._signer_email = signer_email
+        self._alg = alg
 
     @property
     def signer(self):
@@ -83,6 +86,10 @@ def signer(self):
     def signer_email(self):
         return self._signer_email
 
+    @property
+    def alg(self):
+        return self._alg
+
     @classmethod
     def from_credential(cls, google_cred):
         return _SigningProvider(google_cred.signer, google_cred.signer_email)
@@ -94,7 +101,7 @@ def from_iam(cls, request, google_cred, service_account):
 
     @classmethod
     def for_emulator(cls):
-        return _SigningProvider(_EmulatedSigner(), AUTH_EMULATOR_EMAIL)
+        return _SigningProvider(_EmulatedSigner(), AUTH_EMULATOR_EMAIL, ALGORITHM_NONE)
 
 
 class TokenGenerator:
@@ -190,8 +197,10 @@ def create_custom_token(self, uid, developer_claims=None, tenant_id=None):
 
         if developer_claims is not None:
             payload['claims'] = developer_claims
+
+        header = {'alg': signing_provider.alg}
         try:
-            return jwt.encode(signing_provider.signer, payload)
+            return jwt.encode(signing_provider.signer, payload, header=header)
         except google.auth.exceptions.TransportError as error:
             msg = 'Failed to sign custom token. {0}'.format(error)
             raise TokenSignError(msg, error)

tests/test_token_gen.py

@@ -75,17 +75,24 @@ def _merge_jwt_claims(defaults, overrides):
             del defaults[key]
     return defaults
 
+
 def verify_custom_token(custom_token, expected_claims, tenant_id=None):
     assert isinstance(custom_token, bytes)
     expected_email = MOCK_SERVICE_ACCOUNT_EMAIL
+    header = jwt.decode_header(custom_token)
+    assert header.get('typ') == 'JWT'
     if _is_emulated():
+        assert header.get('alg') == 'none'
+        assert custom_token.split(b'.')[2] == b''
         expected_email = _token_gen.AUTH_EMULATOR_EMAIL
         token = jwt.decode(custom_token, verify=False)
     else:
+        assert header.get('alg') == 'RS256'
         token = google.oauth2.id_token.verify_token(
             custom_token,
             testutils.MockRequest(200, MOCK_PUBLIC_CERTS),
             _token_gen.FIREBASE_AUDIENCE)
+
     assert token['uid'] == MOCK_UID
     assert token['iss'] == expected_email
     assert token['sub'] == expected_email
@@ -94,9 +101,6 @@ def verify_custom_token(custom_token, expected_claims, tenant_id=None):
     else:
         assert token['tenant_id'] == tenant_id
 
-    header = jwt.decode_header(custom_token)
-    assert header.get('typ') == 'JWT'
-    assert header.get('alg') == 'RS256'
     if expected_claims:
         for key, value in expected_claims.items():
             assert value == token['claims'][key]