Feature Request: Custom Token Creation

Thank you for the great work on building and maintaining this library 👍 

All Firebase Admin SDKs ([NodeJS](https://github.com/firebase/firebase-admin-node) / [Python](https://github.com/firebase/firebase-admin-python) / [Java](https://github.com/firebase/firebase-admin-java)) have a built-in method for creating / minting custom tokens (as documented [here](https://firebase.google.com/docs/auth/admin/create-custom-tokens) and [here](https://firebase.google.com/docs/auth/admin#custom_token_creation)).

Would you be open to supporting this feature to be on-par with other Admin SDKs?

### Use Case

> The primary use for creating custom tokens is to allow users to authenticate against an external or legacy authentication mechanism. This could be one you control, such as your LDAP server, or a third-party OAuth provider which Firebase does not natively support, such as Instagram or LinkedIn.

Ref. [Custom token creation](https://firebase.google.com/docs/auth/admin#custom_token_creation)

### Suggested Implementation

This is a suggestion for your consideration. Services would call either a `create_custom_token` or `create_custom_token_with_claims` helper to generate signed JWTs that clients can then [exchange](https://firebase.google.com/docs/auth/admin/create-custom-tokens#sign_in_using_custom_tokens_on_clients) for Firebase credentials.

### API

**`create_custom_token` / `create_custom_token_with_claims`**

Mints Firebase custom tokens (RS256 JWTs) via the IAM Credentials `signJwt` API.

Input validation would match other Firebase Admin SDKs:
- `uid` must be non-empty and ≤ 128 characters (Unicode-aware)
- `claims` must be a JSON object with no reserved JWT keys (`aud`, `exp`, `iat`, `iss`, `sub`, etc.)

The signing service account would be resolved in priority order:
1. Explicit. `app.auth_with_signer("sa@project.iam.gserviceaccount.com")`
2. Auto-discovered. Fetched from the GCE metadata server when running on Cloud Run / GCE / GKE.

### Comparison NodeJS SDK / Proposed Rust Implementation

#### Case 1. Auto-Discovered 

> NodeJS Admin SDK

```javascript
const app = admin.initializeApp({
  credential: admin.credential.applicationDefault(),
});

const token = await admin.auth(app).createCustomToken(uid);
```

> Suggested Rust SDK implementation

```rust
let app = App::live().await?;
let auth = app.auth();
let token = auth.create_custom_token(uid).await?;
```

#### Case 2. Explicit Signer

> NodeJS Admin SDK

```javascript
const app = admin.initializeApp({
  credential: admin.credential.applicationDefault(),
  serviceAccountId: "signer@project.iam.gserviceaccount.com",
});

const token = await admin.auth(app).createCustomToken(uid);
```

> The Rust SDK would map exactly to:

```rust
let app = App::live_with_project_id("project").await?;
let auth = app.auth_with_signer("signer@project.iam.gserviceaccount.com");
let token = auth.create_custom_token(uid).await?;
```

In a nutshell, `serviceAccountId` in Node.js = `auth_with_signer()` in the SDK.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Feature Request: Custom Token Creation #29

Use Case

Suggested Implementation

API

Comparison NodeJS SDK / Proposed Rust Implementation

Case 1. Auto-Discovered

Case 2. Explicit Signer

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Feature Request: Custom Token Creation #29

Description

Use Case

Suggested Implementation

API

Comparison NodeJS SDK / Proposed Rust Implementation

Case 1. Auto-Discovered

Case 2. Explicit Signer

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions