Summary
Implement Identity Platform / Firebase Auth — token mint/verify and user CRUD. Core to auth flows in tests. The Firebase Auth Emulator is the behavioral reference.
Protocol / transport
REST — Google Identity Toolkit API (identitytoolkit.googleapis.com, accounts:* endpoints). Note: this API is Discovery/REST-based — there is no googleapis proto; match the Firebase Auth Emulator's wire behavior.
Endpoint / auth bypass
FIREBASE_AUTH_EMULATOR_HOST.
Authoritative reference
- Identity Toolkit REST Discovery document
- Behavior reference: the Firebase Local Emulator Suite (Auth)
- SDK:
firebase-admin (Java), Identity Platform client SDKs
Scope (MVP)
accounts:signUp, accounts:signInWithPassword, accounts:signInWithCustomToken
accounts:lookup, accounts:update, accounts:delete, getAccountInfo
- Issue + verify ID tokens (emulator-style unsigned JWT)
Parity notes
- The Firebase emulator issues unsigned JWTs (the Admin SDK skips signature checks in emulator mode). Match that token shape/claims so
firebase-admin token verification passes against floci-gcp.
- Persist users keyed by project; support email/password + custom-token flows first.
Test plan
firebase-admin pointed at FIREBASE_AUTH_EMULATOR_HOST: create user, sign in, verify the returned ID token, update + delete user.
Implementation guidance: Follow the google-parity workflow — read the authoritative proto/SDK under local/google/* before implementing, mirror the wire shape exactly, and validate with GCP SDK-based compatibility tests (compatibility-tests/sdk-test-java). See AGENTS.md → "Adding a New GCP Service". Keep storage namespaced by project ID via StorageFactory.
Upstream references (mirrored locally under local/google/*):
Summary
Implement Identity Platform / Firebase Auth — token mint/verify and user CRUD. Core to auth flows in tests. The Firebase Auth Emulator is the behavioral reference.
Protocol / transport
REST — Google Identity Toolkit API (
identitytoolkit.googleapis.com,accounts:*endpoints). Note: this API is Discovery/REST-based — there is no googleapis proto; match the Firebase Auth Emulator's wire behavior.Endpoint / auth bypass
FIREBASE_AUTH_EMULATOR_HOST.Authoritative reference
firebase-admin(Java), Identity Platform client SDKsScope (MVP)
accounts:signUp,accounts:signInWithPassword,accounts:signInWithCustomTokenaccounts:lookup,accounts:update,accounts:delete,getAccountInfoParity notes
firebase-admintoken verification passes against floci-gcp.Test plan
firebase-adminpointed atFIREBASE_AUTH_EMULATOR_HOST: create user, sign in, verify the returned ID token, update + delete user.Implementation guidance: Follow the
google-parityworkflow — read the authoritative proto/SDK underlocal/google/*before implementing, mirror the wire shape exactly, and validate with GCP SDK-based compatibility tests (compatibility-tests/sdk-test-java). SeeAGENTS.md→ "Adding a New GCP Service". Keep storage namespaced by project ID viaStorageFactory.Upstream references (mirrored locally under
local/google/*):