From e455da8710a0dc74309ab9b947473915ef4c17f7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Gamez?=
Date: Mon, 6 Jan 2025 14:43:51 +0100
Subject: [PATCH] Allow using a different Service Account ID for custom token generation

---
 .../Auth/CustomTokenViaGoogleCredentials.php | 12 +++++++++---
 src/Firebase/Factory.php | 18 +++++++++++++++++-
 2 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/src/Firebase/Auth/CustomTokenViaGoogleCredentials.php b/src/Firebase/Auth/CustomTokenViaGoogleCredentials.php
index 23d23f7ac..e11f028e6 100644
--- a/src/Firebase/Auth/CustomTokenViaGoogleCredentials.php
+++ b/src/Firebase/Auth/CustomTokenViaGoogleCredentials.php
@@ -24,7 +24,11 @@ final class CustomTokenViaGoogleCredentials
 private readonly Parser $parser;
- public function __construct(private readonly SignBlobInterface $signer, private readonly ?string $tenantId = null)
+ public function __construct(
+ private readonly SignBlobInterface $signer,
+ private readonly ?string $tenantId = null,
+ private readonly ?string $serviceAccountIdForTokenGeneration = null,
+ )
 {
 $this->encoder = new JoseEncoder();
 $this->parser = new Parser($this->encoder);
@@ -43,10 +47,12 @@ public function createCustomToken($uid, array $claims = [], ?DateTimeInterface $
 ? DT::toUTCDateTimeImmutable($expiresAt)
 : $now->add(new DateInterval('PT1H'));
+ $issAndSub = $this->serviceAccountIdForTokenGeneration ?? $this->signer->getClientName();
+
 $header = ['typ' => 'JWT', 'alg' => 'RS256'];
 $payload = [
- 'iss' => $this->signer->getClientName(),
- 'sub' => $this->signer->getClientName(),
+ 'iss' => $issAndSub,
+ 'sub' => $issAndSub,
 'aud' => 'https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit',
 'iat' => $now->getTimestamp(),
 'exp' => $expiresAt->getTimestamp(),
diff --git a/src/Firebase/Factory.php b/src/Firebase/Factory.php
index 3e5a41fcf..b70bc5d68 100644
--- a/src/Firebase/Factory.php
+++ b/src/Firebase/Factory.php
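Review bot: The new constructor parameter `$serviceAccountIdForTokenGeneration` has no documentation, and nothing about its name says that it only replaces the signer's client name in the token claims rather than changing which key signs; a reader could pass any account here and expect it to work. A docblock on the parameter along the lines of `@param non-empty-string|null $serviceAccountIdForTokenGeneration Service account ID (client_email) written to iss/sub; must be the account whose key $signer signs with, or null to use $signer->getClientName()` would settle that. The value is also stored unchecked, so an empty string reaches the claims unchanged because the `??` fallback in createCustomToken only substitutes null; if the factory does not reject it, a one-line `=== ''` check in this constructor body would. The constructor's closing brace is outside the hunk.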
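Review bot: `$issAndSub` now lets the `iss`/`sub` claims name a different account than the one whose key produces the RS256 signature, and nothing in the hunk ties the two together; the signing call itself is outside the hunk. Presumably the Identity Toolkit backend resolves the verification key from `iss`, so a mismatch yields a token that looks fine here and fails only at sign-in with a generic error, which is hard to trace back to configuration. A comment above the assignment should warn about this: `// Overrides only the iss/sub claims; the configured ID must be the account whose key $this->signer signs with, otherwise verification fails downstream`. createCustomToken starts and ends outside the hunk.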
@@ -83,6 +83,11 @@ final class Factory
 private ?ServiceAccount $serviceAccount = null;
+ /**
+ * @var non-empty-string|null
+ */
+ private ?string $serviceAccountIdForCustomTokenGeneration = null;
+
 private ?FetchAuthTokenInterface $googleAuthTokenCredentials = null;
 /**
@@ -164,6 +169,17 @@ public function withServiceAccount(string|array $value): self
 return $factory;
 }
+ /**
+ * @param non-empty-string $serviceAccountId
+ */
+ public function withServiceAccountIdForCustomTokenGeneration(string $serviceAccountId): self
+ {
+ $factory = clone $this;
+ $factory->serviceAccountIdForCustomTokenGeneration = $serviceAccountId;
+
+ return $factory;
+ }
+
 /**
 * @param non-empty-string $projectId
 */
@@ -685,7 +701,7 @@ private function createCustomTokenGenerator(): ?CustomTokenViaGoogleCredentials
 $credentials = $this->getGoogleAuthTokenCredentials();
 if ($credentials instanceof SignBlobInterface) {
- return new CustomTokenViaGoogleCredentials($credentials, $this->tenantId);
+ return new CustomTokenViaGoogleCredentials($credentials, $this->tenantId, $this->serviceAccountIdForCustomTokenGeneration);
 }
 return null;
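Review bot: `withServiceAccountIdForCustomTokenGeneration` promises `non-empty-string` only in its docblock; the method body stores whatever string it is given, and that value becomes the `iss`/`sub` of every custom token (the third hunk hands it to the generator). Enforce the contract at this public boundary: `if ($serviceAccountId === '') { throw new InvalidArgumentException('The service account ID for custom token generation must not be empty'); }`, using the exception type the factory's other `with*` methods use, which are outside this hunk. The docblock should also state what the value is (the ID/client_email of the service account whose key will sign the tokens) rather than only its shape.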
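Review bot: The setting is called `serviceAccountIdForCustomTokenGeneration` on the factory but `serviceAccountIdForTokenGeneration` on the generator's constructor in the first file of this patch; one name for both would make the wiring greppable. The new `return` line is also well past the 120-column soft limit; splitting the constructor call with one argument per line, ideally with named arguments, keeps it readable. Note that when the credentials are not a `SignBlobInterface`, a configured ID is silently discarded along with the generator, as the tenant ID already was; whether that deserves a warning depends on how callers handle the null, which is outside the hunk. createCustomTokenGenerator's closing brace is outside the hunk.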