Allow using a different Service Account ID for custom token generation

Author: jeromegamez

src/Firebase/Auth/CustomTokenViaGoogleCredentials.php

@@ -24,7 +24,11 @@ final class CustomTokenViaGoogleCredentials
 
     private readonly Parser $parser;
 
-    public function __construct(private readonly SignBlobInterface $signer, private readonly ?string $tenantId = null)
+    public function __construct(
+        private readonly SignBlobInterface $signer,
+        private readonly ?string $tenantId = null,
+        private readonly ?string $serviceAccountIdForTokenGeneration = null,
+    )
     {
         $this->encoder = new JoseEncoder();
         $this->parser = new Parser($this->encoder);
@@ -43,10 +47,12 @@ public function createCustomToken($uid, array $claims = [], ?DateTimeInterface $
             ? DT::toUTCDateTimeImmutable($expiresAt)
             : $now->add(new DateInterval('PT1H'));
 
+        $issAndSub = $this->serviceAccountIdForTokenGeneration ?? $this->signer->getClientName();
+
         $header = ['typ' => 'JWT', 'alg' => 'RS256'];
         $payload = [
-            'iss' => $this->signer->getClientName(),
-            'sub' => $this->signer->getClientName(),
+            'iss' => $issAndSub,
+            'sub' => $issAndSub,
             'aud' => 'https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit',
             'iat' => $now->getTimestamp(),
             'exp' => $expiresAt->getTimestamp(),

src/Firebase/Factory.php

@@ -89,6 +89,11 @@ final class Factory
      */
     private ?array $serviceAccount = null;
 
+    /**
+     * @var non-empty-string|null
+     */
+    private ?string $serviceAccountIdForCustomTokenGeneration = null;
+
     private ?FetchAuthTokenInterface $googleAuthTokenCredentials = null;
 
     /**
@@ -170,6 +175,17 @@ public function withServiceAccount(string|array $value): self
         return $factory;
     }
 
+    /**
+     * @param non-empty-string $serviceAccountId
+     */
+    public function withServiceAccountIdForCustomTokenGeneration(string $serviceAccountId): self
+    {
+        $factory = clone $this;
+        $factory->serviceAccountIdForCustomTokenGeneration = $serviceAccountId;
+
+        return $factory;
+    }
+
     /**
      * @param non-empty-string $projectId
      */
@@ -666,7 +682,7 @@ private function createCustomTokenGenerator(): ?CustomTokenViaGoogleCredentials
         $credentials = $this->getGoogleAuthTokenCredentials();
 
         if ($credentials instanceof SignBlobInterface) {
-            return new CustomTokenViaGoogleCredentials($credentials, $this->tenantId);
+            return new CustomTokenViaGoogleCredentials($credentials, $this->tenantId, $this->serviceAccountIdForCustomTokenGeneration);
         }
 
         return null;