Add internal support for regionalized OIDC token exchange (BYO-CIAM) #14981
base: auth-rgcip
Optional, but may be worth putting in a new directory to organize the regional-specific types.
- FirebaseAuth/Sources/Swift/Backend/RPC/ExchangeTokenRequest.swift
+ FirebaseAuth/Sources/Swift/Backend/RPC/Regionalization/ExchangeTokenRequest.swift
@srushtisv This is a good idea. This will help us segregate the flows clearly in the code.
```swift
let host = (location == "prod-global" || location == "global") ? baseHost :
  "\(location)-\(baseHost)"

let locationPath = (location == "prod-global") ? "global" : location
```
nit: Alternatively we can just keep the allowed value for location as `global` instead of `prod-global`.
```swift
}
firebaseToken = token
/// Default to 1 hour (3600 seconds) if the field is missing.
expiresIn = dictionary["expiresIn"] as? TimeInterval ?? 3600
```
Is this check required here? This is an optional field in the backend. By adding this, we are setting an arbitrary value when the backend is behaving unexpectedly, which is not right.
Similar to how `token` throws an error when `idToken` is missing, we should do the same for `expiresIn`.
feat(Auth): Add request/response RPCs for regional OIDC token exchange
Description
This PR introduces the internal request and response structures needed to support exchanging a third-party OIDC ID token for a Firebase ID token, specifically targeting the regionalized Google Cloud Identity Platform (R-GCIP) endpoints. This is a key part of the Bring Your Own CIAM (BYO-CIAM) feature.
Changes:
- `ExchangeTokenRequest.swift`: New struct conforming to `AuthRPCRequest`.
  - `.exchangeOidcToken` endpoint, dynamically including the region and tenant ID from `AuthRequestConfiguration`.
  - `idToken` and `idpConfigID` as parameters.
  - `location`, `tenantId`, or `projectID` are missing in the configuration, as these are critical for this regionalized flow.
- `ExchangeTokenResponse.swift`: New struct conforming to `AuthRPCResponse`.
  - `idToken` (as `firebaseToken`) and `expiresIn` fields from the JSON response.
  - `expirationDate`.

This PR lays the internal groundwork for the new OIDC token exchange feature for regionalized tenants (R-GCIP).

To enable the Firebase Auth iOS SDK to communicate with the new regionalized `identityplatform.googleapis.com` service for exchanging tokens from external OIDC providers. This requires constructing specific URLs based on tenant and location, which these new structures handle.

These are internal additions to the networking layer and do not change the public API surface themselves. They will be used by higher-level functions (to be added/updated in subsequent PRs) that will expose the OIDC token exchange functionality to developers.
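The description above and the `expiresIn` review comment together describe two behaviours: building the regional URL from location and tenant (refusing to proceed when `location`, `tenantId` or `projectID` is missing) and parsing the backend reply into a Firebase token with an expiration date. The Swift sketch below is an added example written for this page, not code from the PR or from the Firebase iOS SDK; the types `RegionalConfig`, `ExchangeTokenError` and `ExchangeTokenResult`, the functions `exchangeTokenURL` and `parseExchangeTokenResponse`, and the request path layout are all assumptions. It adopts the reviewer's nit of treating only `global` as the bare host, and, following the second comment, rejects a reply that omits `expiresIn` instead of substituting a one-hour default.

```swift
import Foundation

// Hypothetical error type for this example; the SDK's own error handling is not shown here.
enum ExchangeTokenError: Error, Equatable {
  case missingConfiguration(String)    // location, tenantId or projectID absent
  case unsupportedLocation(String)     // location is not a safe DNS label
  case missingResponseField(String)    // backend omitted idToken or expiresIn
  case invalidExpiresIn(String)        // expiresIn present but not a positive number
}

// Hypothetical stand-in for the three configuration values the PR calls critical.
struct RegionalConfig {
  var projectID: String?
  var tenantId: String?
  var location: String?
}

// Builds the regional exchangeOidcToken URL. Only "global" maps to the bare host
// (the reviewer's nit); any other location becomes a "<location>-" host prefix.
// The path layout below is an assumption made for this example.
func exchangeTokenURL(config: RegionalConfig,
                      baseHost: String = "identityplatform.googleapis.com") throws -> URL {
  guard let projectID = config.projectID, !projectID.isEmpty else {
    throw ExchangeTokenError.missingConfiguration("projectID")
  }
  guard let tenantId = config.tenantId, !tenantId.isEmpty else {
    throw ExchangeTokenError.missingConfiguration("tenantId")
  }
  guard let location = config.location, !location.isEmpty else {
    throw ExchangeTokenError.missingConfiguration("location")
  }
  // The location is spliced into a hostname, so accept only DNS-label characters;
  // a mis-set value must fail here rather than steer the request to another host.
  let labelChars = CharacterSet(charactersIn: "abcdefghijklmnopqrstuvwxyz0123456789-")
  guard location.unicodeScalars.allSatisfy({ labelChars.contains($0) }),
        !location.hasPrefix("-"), !location.hasSuffix("-") else {
    throw ExchangeTokenError.unsupportedLocation(location)
  }
  let host = (location == "global") ? baseHost : "\(location)-\(baseHost)"
  var components = URLComponents()
  components.scheme = "https"
  components.host = host
  // URLComponents percent-encodes anything in projectID/tenantId that is not path-safe.
  components.path = "/v2/projects/\(projectID)/locations/\(location)/tenants/\(tenantId):exchangeOidcToken"
  guard let url = components.url else {
    throw ExchangeTokenError.unsupportedLocation(location)
  }
  return url
}

struct ExchangeTokenResult: Equatable {
  let firebaseToken: String
  let expiresIn: TimeInterval
  let expirationDate: Date
}

// Parses the backend reply and fails closed: a reply without idToken or expiresIn
// is rejected instead of being patched with a guessed one-hour lifetime.
func parseExchangeTokenResponse(_ dictionary: [String: Any],
                                now: Date = Date()) throws -> ExchangeTokenResult {
  guard let token = dictionary["idToken"] as? String, !token.isEmpty else {
    throw ExchangeTokenError.missingResponseField("idToken")
  }
  let raw = dictionary["expiresIn"]
  let expiresIn: TimeInterval
  if let n = raw as? Int {
    expiresIn = TimeInterval(n)
  } else if let n = raw as? Double {
    expiresIn = n
  } else if let s = raw as? String {
    // Firebase Auth REST replies commonly carry durations as strings ("3600"); still require a number.
    guard let n = TimeInterval(s) else { throw ExchangeTokenError.invalidExpiresIn(s) }
    expiresIn = n
  } else {
    throw ExchangeTokenError.missingResponseField("expiresIn")
  }
  guard expiresIn > 0 else {
    throw ExchangeTokenError.invalidExpiresIn(String(expiresIn))
  }
  return ExchangeTokenResult(firebaseToken: token,
                             expiresIn: expiresIn,
                             expirationDate: now.addingTimeInterval(expiresIn))
}

// Constructed sample inputs for a stand-alone run; not captured backend traffic.
do {
  let config = RegionalConfig(projectID: "example-project", tenantId: "tenant-123", location: "us-central1")
  print(try exchangeTokenURL(config: config).absoluteString)

  let good: [String: Any] = ["idToken": "eyJ.constructed.token", "expiresIn": "3600"]
  let result = try parseExchangeTokenResponse(good, now: Date(timeIntervalSince1970: 0))
  print("expires at \(result.expirationDate.timeIntervalSince1970)")

  let missing: [String: Any] = ["idToken": "eyJ.constructed.token"]
  _ = try parseExchangeTokenResponse(missing)
} catch ExchangeTokenError.missingResponseField(let field) {
  print("rejected reply: missing \(field)")
} catch {
  print("error: \(error)")
}
```

Run it with `swift <file>.swift`. Failing closed on a missing `expiresIn` matters because the derived `expirationDate` drives token refresh: a fabricated lifetime hides a backend fault and can either keep a token in use past its real validity or trigger refreshes the service never asked for, whereas a thrown error surfaces the malformed reply at the call site.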