fix(auth): Support for verifying tenant ID tokens in FirebaseAuth

FirebaseAdmin/FirebaseAdmin.IntegrationTests/Auth/TenantAwareFirebaseAuthTest.cs

@@ -13,6 +13,7 @@
 // limitations under the License.
 
 using System;
+using System.Threading.Tasks;
 using FirebaseAdmin.Auth;
 using FirebaseAdmin.Auth.Multitenancy;
 using Xunit;
@@ -32,6 +33,30 @@ public void TenantId()
             Assert.NotEmpty(this.Auth.TenantId);
         }
 
+        [Fact]
+        public async Task VerifyIdTokenWithTenant()
+        {
+            var customToken = await this.Auth.CreateCustomTokenAsync("testuser");
+            var idToken = await AuthIntegrationUtils.SignInWithCustomTokenAsync(
+                customToken, this.Auth.TenantId);
+
+            // Verifies in FirebaseAuth
+            var decoded = await FirebaseAuth.DefaultInstance.VerifyIdTokenAsync(idToken);
+            Assert.Equal(this.Auth.TenantId, decoded.TenantId);
+
+            // Verifies in TenantAwareFirebaseAuth(matching-tenant)
+            decoded = await this.Auth.VerifyIdTokenAsync(idToken);
+            Assert.Equal(this.Auth.TenantId, decoded.TenantId);
+
+            // Does not verify in TenantAwareFirebaseAuth(other-tenant)
+            var otherTenantAuth = FirebaseAuth.DefaultInstance.TenantManager
+                .AuthForTenant("other-tenant");
+            var exception = await Assert.ThrowsAsync<FirebaseAuthException>(
+                () => otherTenantAuth.VerifyIdTokenAsync(idToken));
+
+            Assert.Equal(AuthErrorCode.TenantIdMismatch, exception.AuthErrorCode);
+        }
+
         public class Fixture : AbstractAuthFixture<TenantAwareFirebaseAuth>, IDisposable
         {
             private readonly TenantFixture tenant;

FirebaseAdmin/FirebaseAdmin.Tests/Auth/Jwt/IdTokenVerificationTest.cs

@@ -419,10 +419,23 @@ await Assert.ThrowsAnyAsync<OperationCanceledException>(
                 () => auth.VerifyIdTokenAsync(idToken, canceller.Token));
         }
 
-        [Theory]
-        [MemberData(nameof(TestConfigs))]
-        public async Task TenantIdMismatch(TestConfig config)
+        [Fact]
+        public async Task TenantId()
+        {
+            var tenantConfig = TestConfig.ForTenantAwareFirebaseAuth("test-tenant");
+            var idTokenWithTenant = await tenantConfig.CreateIdTokenAsync();
+            FirebaseAuth auth = (FirebaseAuth)TestConfig.ForFirebaseAuth().CreateAuth();
+
+            var decoded = await auth.VerifyIdTokenAsync(idTokenWithTenant);
+
+            tenantConfig.AssertFirebaseToken(decoded);
+            Assert.Equal("test-tenant", decoded.TenantId);
+        }
+
+        [Fact]
+        public async Task TenantIdMismatch()
         {
+            var config = TestConfig.ForTenantAwareFirebaseAuth("test-tenant");
             var payload = new Dictionary<string, object>()
             {
                 {

FirebaseAdmin/FirebaseAdmin.Tests/Auth/Jwt/SessionCookieVerificationTest.cs

@@ -383,29 +383,6 @@ public async Task CheckRevokedError(TestConfig config)
             JwtTestUtils.AssertRevocationCheckRequest(null, handler.Requests[0].Url);
         }
 
-        [Theory]
-        [MemberData(nameof(TestConfigs))]
-        public async Task TenantIdMismatch(TestConfig config)
-        {
-            var payload = new Dictionary<string, object>()
-            {
-                {
-                    "firebase", new Dictionary<string, object>
-                    {
-                        { "tenant", "other-tenant" },
-                    }
-                },
-            };
-            var idToken = await config.CreateSessionCookieAsync(payloadOverrides: payload);
-            var auth = config.CreateAuth();
-
-            var exception = await Assert.ThrowsAsync<FirebaseAuthException>(
-                async () => await auth.VerifySessionCookieAsync(idToken));
-
-            var expectedMessage = "Firebase session cookie has incorrect tenant ID.";
-            this.CheckException(exception, expectedMessage, AuthErrorCode.TenantIdMismatch);
-        }
-
         private void CheckException(
             FirebaseAuthException exception,
             string prefix,

FirebaseAdmin/FirebaseAdmin/Auth/Jwt/FirebaseTokenVerifier.cs

@@ -238,7 +238,7 @@ internal async Task<FirebaseToken> VerifyTokenAsync(
             {
                 error = $"Firebase {this.shortName} has a subject claim longer than 128 characters.";
             }
-            else if (this.TenantId != payload.Firebase?.Tenant)
+            else if (this.TenantId != null && this.TenantId != payload.Firebase?.Tenant)
             {
                 error = $"Firebase {this.shortName} has incorrect tenant ID. Expected "
                     + $"{this.TenantId} but got {payload.Firebase?.Tenant}";