[Feature Request] Support for ServiceAccountID in Custom Token Creation #971

Open
kmurata08 opened this issue Dec 25, 2024 · 4 comments

@kmurata08

kmurata08 commented Dec 25, 2024

Describe the feature you would like to see

Thank you for your continuous development and maintenance of the Firebase PHP Admin SDK.

Feature Request Description

I would like to request support for specifying a service account ID when creating custom tokens, similar to how it's implemented in other Firebase Admin SDKs.

Current Situation

Currently, the Firebase PHP Admin SDK only supports creating custom tokens using the service account credentials loaded during initialization. There's no way to specify a different service account ID for token signing.

Proposed Feature

Add support for specifying a service account ID when creating custom tokens. This would allow using a different service account for token signing than the one used to initialize the SDK.

The feature would be particularly useful when running in Google-managed environments where you want to maintain consistency across different parts of your application by using a specific service account for token signing, without needing to include service account JSON files in your code.

Example Implementation (in Go)

Here's how it works in the Go Admin SDK:

conf := &firebase.Config{
    ServiceAccountID: "[email protected]",
}
app, err := firebase.NewApp(context.Background(), conf)

Related Documentation

Using service account ID

Would love to hear your thoughts on this feature request. Thank you for considering it!

@jeromegamez
Member

The factory has a withProjectId() method, would that help? This way you could use the same service account with different projects, or two different service accounts for the same project, by instantiating two factories.

I hope I got this correctly - I'm currently on the road and can't look into it in detail, but if this isn't it, I will have a closer look once I can get back to my desk 🤞🏻

@kmurata08
Author

Thank you for your response. I understand you're busy, and there's no rush - please feel free to look into this whenever you have time.
I apologize if my understanding of withProjectId() is insufficient. Let me explain my use case in more detail:
What I'm trying to achieve is to issue an ID token signed by Project A while using Project B's service account credentials. Here's the issue I'm encountering with the current implementation:

  1. Initialize Firebase Admin SDK with Project B's service account credentials
  2. Set Project A using withProjectId()
  3. Create custom token and exchange it for an ID token
  4. The resulting ID token has Project B as its aud claim because it was signed using Project B's service account

When trying to verify this ID token in Project A, the verification fails because the token's aud claim is Project B, not Project A.
I believe that if we could specify a service account ID during SDK initialization (similar to other Firebase Admin SDKs), we could control which service account is used for signing custom tokens independently of the credentials used for SDK authentication, which would resolve this issue.
Does this help clarify my use case? Please let me know if you need any additional information.
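
An added example, not code from this thread or from any Firebase SDK: a small Go diagnostic for the aud mismatch described in the comment above. It assumes the documented Firebase ID token rules that `aud` must equal the verifier's project ID and `iss` must be `https://securetoken.google.com/<project ID>`; the project IDs `project-a` and `project-b` and the unsigned sample token are constructed. It reads claims without checking the signature, so it explains a rejection but never replaces real verification.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// claims holds the two claims that pin a Firebase ID token to one project.
type claims struct {
	Aud string `json:"aud"`
	Iss string `json:"iss"`
}

// checkProject reports why a verifier for projectID would reject the token (no signature check).
func checkProject(token, projectID string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("expected 3 JWT segments, got %d", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return fmt.Errorf("payload is not base64url: %w", err)
	}
	var c claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return fmt.Errorf("payload is not JSON: %w", err)
	}
	if c.Aud != projectID {
		return fmt.Errorf("aud is %q, verifier expects %q", c.Aud, projectID)
	}
	if want := "https://securetoken.google.com/" + projectID; c.Iss != want {
		return fmt.Errorf("iss is %q, verifier expects %q", c.Iss, want)
	}
	return nil
}

// sampleToken builds a constructed, unsigned token shaped like one issued for projectID.
func sampleToken(projectID string) string {
	enc := base64.RawURLEncoding.EncodeToString
	p, _ := json.Marshal(claims{Aud: projectID, Iss: "https://securetoken.google.com/" + projectID})
	return enc([]byte(`{"alg":"RS256"}`)) + "." + enc(p) + "." + enc([]byte("sig"))
}

func main() {
	fmt.Println(checkProject(sampleToken("project-b"), "project-a")) // reports the aud mismatch
	fmt.Println(checkProject(sampleToken("project-b"), "project-b")) // <nil>
}
```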

@jeromegamez
Member

Thank you for the detailed explanation, I really appreciate it! I will look into it! Please keep in mind that I have to implement it in a way that doesn't break backwards compatibility - it might be no problem, but I'll have to check, so, thank you for your patience! 🙏🏻

@kmurata08
Author

Thank you for your quick response! I completely understand about the backwards compatibility concerns. Please take your time to review and implement it properly. I really appreciate you looking into this request! 🙏
