Implement exchangeToken public api

Author: mansisampat

common/api-review/auth.api.md

@@ -364,6 +364,9 @@ export interface EmulatorConfig {
 
 export { ErrorFn }
 
+// @public (undocumented)
+export function exchangeToken(auth: Auth, idpConfigId: string, customToken: string): Promise<string>;
+
 // Warning: (ae-forgotten-export) The symbol "BaseOAuthProvider" needs to be exported by the entry point index.d.ts
 //
 // @public

docs-devsite/auth.md

@@ -28,6 +28,7 @@ Firebase Authentication
 |  [confirmPasswordReset(auth, oobCode, newPassword)](./auth.md#confirmpasswordreset_749dad8) | Completes the password reset process, given a confirmation code and new password. |
 |  [connectAuthEmulator(auth, url, options)](./auth.md#connectauthemulator_657c7e5) | Changes the [Auth](./auth.auth.md#auth_interface) instance to communicate with the Firebase Auth Emulator, instead of production Firebase Auth services. |
 |  [createUserWithEmailAndPassword(auth, email, password)](./auth.md#createuserwithemailandpassword_21ad33b) | Creates a new user account associated with the specified email address and password. |
+|  [exchangeToken(auth, idpConfigId, customToken)](./auth.md#exchangetoken_b6b1871) | Asynchronously exchanges an OIDC provider's Authorization code or Id Token for an OidcToken i.e. Outbound Access Token. |
 |  [fetchSignInMethodsForEmail(auth, email)](./auth.md#fetchsigninmethodsforemail_efb3887) | Gets the list of possible sign in methods for the given email address. This method returns an empty list when [Email Enumeration Protection](https://cloud.google.com/identity-platform/docs/admin/email-enumeration-protection) is enabled, irrespective of the number of authentication methods available for the given email. |
 |  [getMultiFactorResolver(auth, error)](./auth.md#getmultifactorresolver_201ba61) | Provides a [MultiFactorResolver](./auth.multifactorresolver.md#multifactorresolver_interface) suitable for completion of a multi-factor flow. |
 |  [getRedirectResult(auth, resolver)](./auth.md#getredirectresult_c35dc1f) | Returns a [UserCredential](./auth.usercredential.md#usercredential_interface) from the redirect-based sign-in flow. |
@@ -405,6 +406,34 @@ export declare function createUserWithEmailAndPassword(auth: Auth, email: string
 
 Promise&lt;[UserCredential](./auth.usercredential.md#usercredential_interface)<!-- -->&gt;
 
+### exchangeToken(auth, idpConfigId, customToken) {:#exchangetoken_b6b1871}
+
+Asynchronously exchanges an OIDC provider's Authorization code or Id Token for an OidcToken i.e. Outbound Access Token.
+
+This method is imeplemented only for  and requires [TenantConfig](./auth.tenantconfig.md#tenantconfig_interface) to be configured in the [Auth](./auth.auth.md#auth_interface) instance used.
+
+Fails with an error if the token is invalid, expired, or not accepted by the Firebase Auth service.
+
+<b>Signature:</b>
+
+```typescript
+export declare function exchangeToken(auth: Auth, idpConfigId: string, customToken: string): Promise<string>;
+```
+
+#### Parameters
+
+|  Parameter | Type | Description |
+|  --- | --- | --- |
+|  auth | [Auth](./auth.auth.md#auth_interface) | The [Auth](./auth.auth.md#auth_interface) instance. |
+|  idpConfigId | string | The ExternalUserDirectoryId corresponding to the OIDC custom Token. |
+|  customToken | string | The OIDC provider's Authorization code or Id Token to exchange. |
+
+<b>Returns:</b>
+
+Promise&lt;string&gt;
+
+The firebase access token (JWT signed by Firebase Auth).
+
 ### fetchSignInMethodsForEmail(auth, email) {:#fetchsigninmethodsforemail_efb3887}
 
 Gets the list of possible sign in methods for the given email address. This method returns an empty list when [Email Enumeration Protection](https://cloud.google.com/identity-platform/docs/admin/email-enumeration-protection) is enabled, irrespective of the number of authentication methods available for the given email.

packages/auth/src/api/authentication/exchange_token.test.ts

@@ -0,0 +1,101 @@
+/**
+ * @license
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import { expect, use } from 'chai';
+import chaiAsPromised from 'chai-as-promised';
+
+import {
+  regionalTestAuth,
+  testAuth,
+  TestAuth
+} from '../../../test/helpers/mock_auth';
+import * as mockFetch from '../../../test/helpers/mock_fetch';
+import { mockRegionalEndpointWithParent } from '../../../test/helpers/api/helper';
+import { exchangeToken } from './exchange_token';
+import { HttpHeader, RegionalEndpoint } from '..';
+import { FirebaseError } from '@firebase/util';
+import { ServerError } from '../errors';
+
+use(chaiAsPromised);
+
+describe('api/authentication/exchange_token', () => {
+  let auth: TestAuth;
+  let regionalAuth: TestAuth;
+  const request = {
+    parent: 'test-parent',
+    token: 'custom-token'
+  };
+
+  beforeEach(async () => {
+    auth = await testAuth();
+    regionalAuth = await regionalTestAuth();
+    mockFetch.setUp();
+  });
+
+  afterEach(mockFetch.tearDown);
+
+  it('returns accesss token for Regional Auth', async () => {
+    const mock = mockRegionalEndpointWithParent(
+      RegionalEndpoint.EXCHANGE_TOKEN,
+      'test-parent',
+      { accessToken: 'outbound-token' }
+    );
+
+    const response = await exchangeToken(regionalAuth, request);
+    expect(response.accessToken).equal('outbound-token');
+    expect(mock.calls[0].request).to.eql({
+      parent: 'test-parent',
+      token: 'custom-token'
+    });
+    expect(mock.calls[0].method).to.eq('POST');
+    expect(mock.calls[0].headers!.get(HttpHeader.CONTENT_TYPE)).to.eq(
+      'application/json'
+    );
+  });
+
+  it('throws exception for default Auth', async () => {
+    await expect(exchangeToken(auth, request)).to.be.rejectedWith(
+      FirebaseError,
+      'Firebase: Operations not allowed for the auth object initialized. (auth/operation-not-allowed).'
+    );
+  });
+
+  it('should handle errors', async () => {
+    const mock = mockRegionalEndpointWithParent(
+      RegionalEndpoint.EXCHANGE_TOKEN,
+      'test-parent',
+      {
+        error: {
+          code: 400,
+          message: ServerError.INVALID_CUSTOM_TOKEN,
+          errors: [
+            {
+              message: ServerError.INVALID_CUSTOM_TOKEN
+            }
+          ]
+        }
+      },
+      400
+    );
+
+    await expect(exchangeToken(regionalAuth, request)).to.be.rejectedWith(
+      FirebaseError,
+      '(auth/invalid-custom-token).'
+    );
+    expect(mock.calls[0].request).to.eql(request);
+  });
+});

packages/auth/src/api/authentication/exchange_token.ts

@@ -0,0 +1,45 @@
+/**
+ * @license
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+import {
+  RegionalEndpoint,
+  HttpMethod,
+  _performRegionalApiRequest
+} from '../index';
+import { Auth } from '../../model/public_types';
+
+export interface ExchangeTokenRequest {
+  parent: string;
+  token: string;
+}
+
+export interface ExchangeTokenRespose {
+  accessToken: string;
+}
+
+export async function exchangeToken(
+  auth: Auth,
+  request: ExchangeTokenRequest
+): Promise<ExchangeTokenRespose> {
+  return _performRegionalApiRequest<ExchangeTokenRequest, ExchangeTokenRespose>(
+    auth,
+    HttpMethod.POST,
+    RegionalEndpoint.EXCHANGE_TOKEN,
+    request,
+    {},
+    request.parent
+  );
+}

packages/auth/src/api/index.test.ts

@@ -36,6 +36,7 @@ import { ConfigInternal } from '../model/auth';
 import {
   _getFinalTarget,
   _performApiRequest,
+  _performRegionalApiRequest,
   DEFAULT_API_TIMEOUT_MS,
   Endpoint,
   RegionalEndpoint,
@@ -606,7 +607,7 @@ describe('api/_performApiRequest', () => {
   context('throws Operation not allowed exception', () => {
     it('when tenantConfig is not initialized and Regional Endpoint is used', async () => {
       await expect(
-        _performApiRequest<typeof request, typeof serverResponse>(
+        _performRegionalApiRequest<typeof request, typeof serverResponse>(
           auth,
           HttpMethod.POST,
           RegionalEndpoint.EXCHANGE_TOKEN,

packages/auth/src/api/index.ts

@@ -54,7 +54,7 @@ export const enum HttpHeader {
   X_FIREBASE_APP_CHECK = 'X-Firebase-AppCheck'
 }
 
-export enum Endpoint {
+export const enum Endpoint {
   CREATE_AUTH_URI = '/v1/accounts:createAuthUri',
   DELETE_ACCOUNT = '/v1/accounts:delete',
   RESET_PASSWORD = '/v1/accounts:resetPassword',
@@ -81,8 +81,11 @@ export enum Endpoint {
   REVOKE_TOKEN = '/v2/accounts:revokeToken'
 }
 
-export enum RegionalEndpoint {
-  EXCHANGE_TOKEN = 'v2/${body.parent}:exchangeOidcToken'
+export const EXCHANGE_TOKEN_PARENT =
+  'projects/${projectId}/locations/${location}/tenants/${tenantId}/idpConfigs/${idpConfigId}';
+
+export const enum RegionalEndpoint {
+  EXCHANGE_TOKEN = ':exchangeOidcToken'
 }
 
 const CookieAuthProxiedEndpoints: string[] = [
@@ -141,14 +144,17 @@ export function _addTidIfNecessary<T extends { tenantId?: string }>(
   return request;
 }
 
-export async function _performApiRequest<T, V>(
+function isRegionalAuthInitialized(auth: Auth): boolean {
+  return !!auth.tenantConfig;
+}
+
+async function performApiRequest<T, V>(
   auth: Auth,
   method: HttpMethod,
-  path: Endpoint | RegionalEndpoint,
+  path: string,
   request?: T,
   customErrorMap: Partial<ServerErrorMap<ServerError>> = {}
 ): Promise<V> {
-  _assertValidEndpointForAuth(auth, path);
   return _performFetchWithErrorHandling(auth, customErrorMap, async () => {
     let body = {};
     let params = {};
@@ -162,10 +168,17 @@ export async function _performApiRequest<T, V>(
       }
     }
 
-    const query = querystring({
-      key: auth.config.apiKey,
-      ...params
-    }).slice(1);
+    let queryParamString: string;
+    if (isRegionalAuthInitialized(auth)) {
+      queryParamString = querystring({
+        ...params
+      }).slice(1);
+    } else {
+      queryParamString = querystring({
+        key: auth.config.apiKey,
+        ...params
+      }).slice(1);
+    }
 
     const headers = await (auth as AuthInternal)._getAdditionalHeaders();
     headers[HttpHeader.CONTENT_TYPE] = 'application/json';
@@ -193,12 +206,45 @@ export async function _performApiRequest<T, V>(
     }
 
     return FetchProvider.fetch()(
-      await _getFinalTarget(auth, auth.config.apiHost, path, query),
+      await _getFinalTarget(auth, auth.config.apiHost, path, queryParamString),
       fetchArgs
     );
   });
 }
 
+export async function _performRegionalApiRequest<T, V>(
+  auth: Auth,
+  method: HttpMethod,
+  path: RegionalEndpoint,
+  request?: T,
+  customErrorMap: Partial<ServerErrorMap<ServerError>> = {},
+  parent?: string
+): Promise<V> {
+  if (!isRegionalAuthInitialized(auth)) {
+    throw _operationNotSupportedForInitializedAuthInstance(auth);
+  }
+  return performApiRequest(
+    auth,
+    method,
+    `${parent}${path}`,
+    request,
+    customErrorMap
+  );
+}
+
+export async function _performApiRequest<T, V>(
+  auth: Auth,
+  method: HttpMethod,
+  path: Endpoint,
+  request?: T,
+  customErrorMap: Partial<ServerErrorMap<ServerError>> = {}
+): Promise<V> {
+  if (isRegionalAuthInitialized(auth)) {
+    throw _operationNotSupportedForInitializedAuthInstance(auth);
+  }
+  return performApiRequest(auth, method, `${path}`, request, customErrorMap);
+}
+
 export async function _performFetchWithErrorHandling<V>(
   auth: Auth,
   customErrorMap: Partial<ServerErrorMap<ServerError>>,
@@ -287,9 +333,9 @@ export async function _getFinalTarget(
   auth: Auth,
   host: string,
   path: string,
-  query: string
+  query?: string
 ): Promise<string> {
-  const base = `${host}${path}?${query}`;
+  const base = query ? `${host}${path}?${query}` : `${host}${path}`;
 
   const authInternal = auth as AuthInternal;
   const finalTarget = authInternal.config.emulator
@@ -328,22 +374,6 @@ export function _parseEnforcementState(
   }
 }
 
-function _assertValidEndpointForAuth(
-  auth: Auth,
-  path: Endpoint | RegionalEndpoint
-): void {
-  if (
-    !auth.tenantConfig &&
-    Object.values(RegionalEndpoint).includes(path as RegionalEndpoint)
-  ) {
-    throw _operationNotSupportedForInitializedAuthInstance(auth);
-  }
-
-  if (auth.tenantConfig && Object.values(Endpoint).includes(path as Endpoint)) {
-    throw _operationNotSupportedForInitializedAuthInstance(auth);
-  }
-}
-
 class NetworkTimeout<T> {
   // Node timers and browser timers are fundamentally incompatible, but we
   // don't care about the value here

packages/auth/src/core/auth/auth_impl.ts

@@ -93,7 +93,7 @@ export const enum DefaultConfig {
   TOKEN_API_HOST = 'securetoken.googleapis.com',
   API_HOST = 'identitytoolkit.googleapis.com',
   API_SCHEME = 'https',
-  REGIONAL_API_HOST = 'identityplatform.googleapis.com'
+  REGIONAL_API_HOST = 'identityplatform.googleapis.com/v2alpha/'
 }
 
 export class AuthImpl implements AuthInternal, _FirebaseService {

packages/auth/src/core/index.ts

@@ -315,6 +315,7 @@ export {
   sendEmailVerification,
   verifyBeforeUpdateEmail
 } from './strategies/email';
+export { exchangeToken } from './strategies/exhange_token';
 
 // core
 export { ActionCodeURL, parseActionCodeURL } from './action_code_url';