
I am using Firebase Authentication with Identity Platform and am trying to add custom claims when a user is created. I am looking at this example from Google's website here: Setting custom and session claims:

exports.beforeCreate = functions.auth.user().beforeCreate((user, context) => {
  if (context.credential &&
      context.credential.providerId === 'saml.my-provider-id') {
    return {
      // Employee ID does not change so save in persistent claims (stored in
      // Auth DB).
      customClaims: {
        eid: context.credential.claims.employeeid,
      },
      // Copy role and groups to token claims. These will not be persisted.
      sessionClaims: {
        role: context.credential.claims.role,
        groups: context.credential.claims.groups,
      }
    }
  }
});

The code is straightforward. I am trying to add custom claims for all new users but they are not getting set. I am not sure how else to try. This is my actual code:

exports.beforeUserCreate = functions.auth.user().beforeCreate((user, context) => {
  functions.logger.info('Attempting to set claims for new user', user);
  functions.logger.info('Here is the context', context);
  return {
    customClaims: {
      roles: ['user'],
    },
    sessionClaims: {
      roles: ['user'],
    },
  };
});

I do see the logs in the Google console, so I know my function is being called. I also tested the claims without the array like roles: 'TestRole', but that didn't work either. The user object just does not have the custom claims.

If I manually set the claims they do show up as expected:

{
    "roles": [
        "admin",
        "subscriber",
        "superadmin"
    ],
    "iss": "https://securetoken.google.com/...",
    "aud": "xxx",
    "auth_time": 1661813313,
    "user_id": "xxxx",
    "sub": "xxx",
    "iat": 1661813313,
    "exp": 1661816913,
    "email": "xxx",
    "email_verified": false,
    "firebase": {
        "identities": {
            "email": [
                "xx"
            ]
        },
        "sign_in_provider": "password"
    }
}

This is what the user object looks like when I try to create the claims automatically:

{
    "iss": "https://securetoken.google.com/...",
    "aud": "xxx",
    "auth_time": 1661813351,
    "user_id": "xxx",
    "sub": "xxx",
    "iat": 1661813351,
    "exp": 1661816951,
    "email": "xxx",
    "email_verified": false,
    "firebase": {
        "identities": {
            "email": [
                "xxx"
            ]
        },
        "sign_in_provider": "password"
    }
}

Also, I tried setting both customClaims and sessionClaims independently. Neither show up on the user object, nor are the custom claims saved for the user.

One more update. I tried setting the display name in beforeCreate and that worked.

exports.beforeUserCreate = functions.auth.user().beforeCreate((user, context) => {
  return {
    // Custom claim that should be persisted to the user record
    customClaims: {
      roles: 'pie',
    },
    // Profile field set in the same response (this one does show up)
    displayName: 'pie',
  };
});

// RESULT:
{
    "name": "pie",
    "iss": "https://securetoken.google.com/...",
    "aud": "xxx",
    "auth_time": 1661816987,
    "user_id": "xxx",
    "sub": "xxx",
    "iat": 1661816987,
    "exp": 1661820587,
    "email": "xxx",
    "email_verified": false,
    "firebase": {
        "identities": {
            "email": [
                "xxx"
            ]
        },
        "sign_in_provider": "password"
    }
}
    Hi @Gremash , there's an open github issue regarding that. See [sessionClaims content not getting added to the decoded token](https://github.com/firebase/firebase-functions/issues/1135). Also, there's a [fix](https://github.com/firebase/firebase-functions/pull/1199) that has been recently merged regarding this issue. – Darwin Aug 30 '22 at 03:14
  • 1
    Sounds like an answer @Darwin Can you post this as an answer below, so we can bring closure to the question? – Frank van Puffelen Aug 30 '22 at 07:02
  • Does this answer your question? [How to set custom auth claims through Firebase and identify platform](https://stackoverflow.com/questions/73110015/how-to-set-custom-auth-claims-through-firebase-and-identify-platform) – treesandgreens Aug 30 '22 at 20:19
  • No, it did not. I used the answer here to answer the other question. That other question did not have a valid answer. – Gremash Sep 01 '22 at 09:11
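The question compares decoded ID-token payloads by eye. The following is an added example, not code from the question, the answer or the Firebase docs: a small Node.js helper that base64url-decodes a token's payload segment and reports which expected claim names are present or missing, so the result of a `beforeCreate` handler can be checked mechanically. The payload values (project id, uid, email) are constructed placeholders mirroring the shape shown above, and the tokens are unsigned `alg: none` tokens built locally for the check. Decoding like this does not verify the signature; it is a debugging aid only, never an authorization check.

```javascript
// Added example, not code from the question or from the Firebase docs.
// Decodes a Firebase ID token's payload offline to check which claims made it
// into the token. This does NOT verify the signature: use it to debug a
// beforeCreate handler, never to authorize a request.

function base64UrlToBuffer(segment) {
  // Map the base64url alphabet back to standard base64 and restore padding,
  // which JWT segments omit.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const pad = '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(b64 + pad, 'base64');
}

function bufferToBase64Url(buf) {
  return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Returns the parsed payload (second segment) of a compact JWS/JWT.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error('expected a compact JWT (header.payload.signature)');
  }
  return JSON.parse(base64UrlToBuffer(parts[1]).toString('utf8'));
}

// Reports which of the expected claim names are present in / absent from the payload.
function checkClaims(payload, expectedNames) {
  const present = expectedNames.filter((n) => Object.prototype.hasOwnProperty.call(payload, n));
  const missing = expectedNames.filter((n) => !present.includes(n));
  return { present, missing };
}

function checkToken(token, expectedNames) {
  return checkClaims(decodeJwtPayload(token), expectedNames);
}

// Builds an unsigned (alg "none") token for local testing only. Real Firebase
// ID tokens are RS256-signed by Google and must be verified server-side with
// admin.auth().verifyIdToken().
function makeUnsignedToken(payload) {
  const enc = (obj) => bufferToBase64Url(Buffer.from(JSON.stringify(obj), 'utf8'));
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.`;
}

// Constructed payload mirroring the decoded tokens shown in the question.
// All identifiers here are placeholders, not real project data.
const BASE_PAYLOAD = {
  iss: 'https://securetoken.google.com/example-project',
  aud: 'example-project',
  auth_time: 1661813313,
  user_id: 'uid-123',
  sub: 'uid-123',
  iat: 1661813313,
  exp: 1661816913,
  email: 'user@example.com',
  email_verified: false,
  firebase: { identities: { email: ['user@example.com'] }, sign_in_provider: 'password' },
};

// Token as it looks after claims were set manually (roles present) ...
const TOKEN_WITH_ROLES = makeUnsignedToken({
  roles: ['admin', 'subscriber', 'superadmin'],
  ...BASE_PAYLOAD,
});
// ... and as it looks when the beforeCreate claims did not land (roles absent).
const TOKEN_WITHOUT_ROLES = makeUnsignedToken(BASE_PAYLOAD);

if (typeof require !== 'undefined' && require.main === module) {
  console.log('manual claims:', checkToken(TOKEN_WITH_ROLES, ['roles', 'eid']));
  console.log('beforeCreate:', checkToken(TOKEN_WITHOUT_ROLES, ['roles', 'eid']));
}

module.exports = { decodeJwtPayload, checkClaims, checkToken, makeUnsignedToken, TOKEN_WITH_ROLES, TOKEN_WITHOUT_ROLES };
```

Two caveats when using this against a real token: the payload only reflects the claims present when the token was minted, so after claims change on the server the client must force a refresh (for example `user.getIdTokenResult(true)` in the web SDK) before the new claims appear; and a backend must obtain claims from `admin.auth().verifyIdToken()` rather than from an unverified decode like the one above.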

1 Answer


From Darwin in comments:

Hi @Gremash , there's an open github issue regarding that. See sessionClaims content not getting added to the decoded token. Also, there's a fix that has been recently merged regarding this issue.
