Unable to create session cookie for tenant users

[AndreaGiardini]

Hey everyone

I am setting up a python application and I would like to use firebase for authentication.
For normal users the login flows works fine, my problem comes when I start using tenants.

---

When a user authenticates to my app, it gets a token and then, after verification, the token is exchanged for a long-lived session cookie. As mentioned before, this works great for normal users.

I am using the exact code described in the docs here: https://firebase.google.com/docs/auth/admin/manage-cookies#create_session_cookie

When I authenticate users that are part of a tenant though, I can't find a way to convert their token into a session cookie.

I tried using session_cookie = auth.create_session_cookie(id_token, expires_in=expires_in, app=tenant_app) but I get always the same error message:

Error while calling Auth service (UNSUPPORTED_TENANT_OPERATION).

Am I missing something ? I am using the latest version of firebase-admin

[google-oss-bot]

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

[AndreaGiardini]

I found this thread of ~1 year ago... Is that still the case?

https://groups.google.com/g/firebase-talk/c/ShtMjbxLWBI

---

When I try to simulate the request here:

https://cloud.google.com/identity-platform/docs/reference/rest/v1/projects.tenants/createSessionCookie

I get:

{
  "error": {
    "code": 400,
    "message": "UNSUPPORTED_TENANT_OPERATION",
    "errors": [
      {
        "message": "UNSUPPORTED_TENANT_OPERATION",
        "domain": "global",
        "reason": "invalid"
      }
    ]
  }
}

[hiranya911]

It is now supported in the backend, but was never exposed in the Python SDK. We can accept a PR to add this capability if anybody can spend some time on it.

It is available in our Node.js SDK if you want to see how it's implemented.

[AndreaGiardini]

hey @hiranya911

Can you point me in the right direction? I've tried to call the API from firebase web interface but I got UNSUPPORTED_TENANT_OPERATION

[AndreaGiardini]

@hiranya911 Sorry to bother

I've tried different combinations from the web API Explorer but i always get the UNSUPPORTED_TENANT_OPERATION error.
Since i can't get the API call to succeed i am not sure how can I implement the function in code.

Can you please point me in the right direction?

[hiranya911]

Here's how it's implemented in Node.js: https://github.com/firebase/firebase-admin-node/blob/8610b943a91243ce0bd5ce984922ebba63fa3206/src/auth/auth.ts#L830-L845

It first verifies the ID token locally. Then makes a request to /projects/{projectId}/tenants/{tenantId}:createSessionCookie.

[AndreaGiardini]

Hey @hiranya911

I ran an experiment using this patch over here: AndreaGiardini@0e620ef

The method I am using is calling session_cookie = auth.create_session_cookie(id_token, expires_in=expires_in, tenant_id=dashboard.firebase_tenant_id) but I still get the same error. The request path and payload look good to me.

Traceback (most recent call last):
  File "/home/XXX/venv/lib/python3.8/site-packages/firebase_admin/_token_gen.py", line 239, in create_session_cookie
    body, http_resp = self.http_client.body_and_response('post', url, json=payload)
  File "/home/XXX/venv/lib/python3.8/site-packages/firebase_admin/_http_client.py", line 127, in body_and_response
    resp = self.request(method, url, **kwargs)
  File "/home/XXX/venv/lib/python3.8/site-packages/firebase_admin/_http_client.py", line 119, in request
    resp.raise_for_status()
  File "/home/XXX/venv/lib/python3.8/site-packages/requests/models.py", line 953, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: https://identitytoolkit.googleapis.com/v1/projects/$MYPROJECT/tenants/$MYTENANT:createSessionCookie

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/YYY/api/login.py", line 38, in session_login
    session_cookie = auth.create_session_cookie(id_token, expires_in=expires_in, tenant_id=dashboard.firebase_tenant_id)
  File "/home/XXX/venv/lib/python3.8/site-packages/firebase_admin/auth.py", line 243, in create_session_cookie
    return client._token_generator.create_session_cookie(id_token, expires_in, tenant_id=tenant_id)
  File "/home/XXX/venv/lib/python3.8/site-packages/firebase_admin/_token_gen.py", line 241, in create_session_cookie
    raise _auth_utils.handle_auth_backend_error(error)
firebase_admin.exceptions.InvalidArgumentError: Error while calling Auth service (UNSUPPORTED_TENANT_OPERATION).

As you can see from the stack trace, the right endpoint is called, but no matter how I do it, the result for me is always UNSUPPORTED_TENANT_OPERATION

Thank you for your help

[hiranya911]

@bojeil-google do you have any ideas? I can't seem to find any integration tests that exercise this route, so I cannot confirm that it works.

[bojeil-google]

Hey @hiranya911, I don't believe our backend supports tenant scoped session cookies.
We will eventually support them but if I recall correctly, we decided at that time that we would implement the client side changes (relying on the backend error) so that when the backend API works, it wouldn't require additional client side changes. I believe our documentation does not document support for session cookies.

[AndreaGiardini]

@bojeil-google thank you for the clarification, that makes sense.
Do you have an ETA for backend support for tenant-scoped session cookies? That would be pretty useful

[sww314]

I ran into this same issue:
The API indicates you need pass the tenant in:
https://cloud.google.com/identity-platform/docs/reference/rest/v1/projects/createSessionCookie

The code here does not include tenant_id in the payload:

firebase-admin-python/firebase_admin/_token_gen.py

Line 232 in ebf1bcd

}

Even if you update the library to pass in the template, the backend server still fails with

Error while calling Auth service (UNSUPPORTED_TENANT_OPERATION).

Here is the change, we used to test with:
https://github.com/huvrdata/firebase-admin-python/pull/1/files