Allow security rules to validate custom bearer tokens
Currently, Firestore and Cloud Storage security rules req.auth property will only validate and accept Google-signed ID tokens from Firebase Auth/Identity Platform.
This means that "user authentication rules" CANNOT be used if we rely on our own (or 3rd-party) authentication/token server.
Proposal:
Allow security rules to configure the token verification rules so that they can verify the token claims of a configured token authority. For example, tokens signed by a service account private key, or by a 3rd-party auth server (aside from Firebase Auth/Identity Platform).
1 vote
Arrowhead Apps shared this idea