Hi there, I am having some issues using the firebase_admin python client with a credential object from outside the SDK.

In my use case, I want to initialize the firebase_admin SDK using a Service Account impersonation credential to list users within the firebase environment.

To do this I tried the following:

import google.oauth2.credentials
import google.auth.impersonated_credentials

source_credentials = google.oauth2.credentials.Credentials(token=id_token)
credentials = google.auth.impersonated_credentials.Credentials(
    source_credentials=source_credentials,
    target_principal=my_service_account_email,
    target_scopes=target_scopes,
    lifetime=500
)

app_options = {'projectId': project_id}
firebase_app = firebase_admin.initialize_app(
  credential=firebase_credential, options=app_options)

When running initialize_app it returns an exception - Illegal Firebase credential provided. App must be initialized with a valid credential instance.

Looking into the firebase-admin-python source code I was able to find the source of the problem. In firebase_admin/__init__.py line 209 the code checks whether the supplied credentials object is an instance of firebase_admin.credentials.Base. If not, then the SDK returns the exception.

I don't understand why this is the case. Why does firebase-admin-python have its own credentials class which seems to just wrap google.oauth2.credentials objects? Why wouldn't the Firebase SDK accept a google.oauth2.credentials object directly?

I was able to work around it by hacking the ApplicationDefault class that comes with the firebase-admin-python SDK, however this seems a bit backwards.

firebase_credential = firebase_admin.credentials.ApplicationDefault()
firebase_credential._g_credential = credentials
firebase_credential._project_id = SOURCE_PROJECT

In my opinion it would be better if the firebase SDK just made use of the google.auth module which has a much better implementation.