I have a Firebase client (browser). I also have a backend server where I identify that the user is signed in using the Firebase token.
Following Firebase's docs, "Verify ID tokens using the Firebase Admin SDK", I am successfully using admin.auth().verifyIdToken(idToken) to verify the token on my Node server.
However, one thing concerns me. I know that Firebase uses a cert to verify the tokens. Does this mean that every time I invoke admin.auth().verifyIdToken(idToken), an outgoing network request/network transaction is made from my Node server? I am concerned because I would consider this expensive if so.
I tried to use tcpdump, but the traffic is too much and too cryptic to tell.
When users sign in to the app, send the user credentials to the authentication server, which will check the credentials and send a custom token if they are valid. After we receive the custom token, pass it to Firebase Auth to sign in the user. That's it! Signing in a new user and the authentication process with Firebase is done.
When a user or device successfully signs in, Firebase creates a corresponding ID token that uniquely identifies them and grants them access to several resources, such as Firebase Realtime Database and Cloud Storage. You can re-use that ID token to identify the user or device on your custom backend server.
The Realtime Database REST API accepts standard Google OAuth2 access tokens.
I had a quick look at the Node.js implementation of verifyIdToken on GitHub.
As far as I can see, the only roundtrip it does is to fetch the public keys for the certs, which it only does if they're expired. Most of the other work is parameter checks and, of course, the actual verification of the token.
So from what I can tell, there should not be a 1:1 relation between the number of incoming verification requests and the number of outgoing network requests.
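The caching behaviour described in the answer above, as an added example (not code from the original post or from the Firebase Admin SDK): a verifier that fetches public keys only when its cached copy is missing or expired, and counts those fetches. The names CachedKeyVerifier, signToken and fetchStub, the synchronous stub standing in for the HTTPS key fetch, and the one-hour key lifetime are assumptions.

```javascript
const { generateKeyPairSync, createSign, createVerify } = require('node:crypto');
const b64url = (v) => Buffer.from(v).toString('base64url');
const fromB64url = (s) => Buffer.from(s, 'base64url');

// Constructed key pair standing in for the token issuer's signing key.
const { publicKey, privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });

// Build a minimal RS256 JWT (constructed sample, not a real Firebase ID token).
function signToken(claims, kid = 'key-1') {
  const input = `${b64url(JSON.stringify({ alg: 'RS256', kid }))}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${b64url(createSign('RSA-SHA256').update(input).sign(privateKey))}`;
}

// Hypothetical verifier: fetchKeys() returns { keys: { kid: pem }, maxAgeSeconds }
// and is the only step that would touch the network.
class CachedKeyVerifier {
  constructor(fetchKeys, now = Date.now) {
    Object.assign(this, { fetchKeys, now, keys: null, expiresAt: 0, fetchCount: 0 });
  }
  getKeys() {
    if (!this.keys || this.now() >= this.expiresAt) { // cold or expired cache
      const { keys, maxAgeSeconds } = this.fetchKeys();
      this.fetchCount += 1;
      this.keys = keys;
      this.expiresAt = this.now() + maxAgeSeconds * 1000;
    }
    return this.keys;
  }
  verify(token) {
    const [head, body, sig] = token.split('.');
    if (!head || !body || !sig) throw new Error('malformed token');
    const { alg, kid } = JSON.parse(fromB64url(head).toString());
    if (alg !== 'RS256') throw new Error('unexpected alg'); // pin the algorithm
    const keys = this.getKeys();
    if (!Object.hasOwn(keys, kid)) throw new Error('unknown kid');
    const verifier = createVerify('RSA-SHA256').update(`${head}.${body}`);
    if (!verifier.verify(keys[kid], fromB64url(sig))) throw new Error('bad signature');
    const claims = JSON.parse(fromB64url(body).toString());
    if (!(claims.exp * 1000 > this.now())) throw new Error('token expired');
    return claims;
  }
}

// Stub for the HTTPS key fetch; the one-hour lifetime is an assumed value.
const fetchStub = () => ({
  keys: { 'key-1': publicKey.export({ type: 'spki', format: 'pem' }) },
  maxAgeSeconds: 3600,
});
```

Signature, algorithm and expiry checks all run locally on every call; only getKeys() can trigger a fetch, and only on a cold or expired cache.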