Get id token on Android app and verify it on backend server (How to use id token?)

I'm developing an Android app that consumes data from my own REST API server. I want to use Firebase authentication because it allows the user to log in using Google, Facebook, Twitter... in a very simple way.

But I'm not sure how to use ID tokens:

  • Because ID tokens have expiration date, should I call getToken method on every request in the client app, so I'm sure I'm sending a valid token every time?
  • Should I call verifyIdToken in the server each time I receive a request from the client app?

I don't know what these methods (getToken and verifyIdToken) do under the hood, and because they are asynchronous, I fear they are making a request to Firebase servers on every call. So I think that making 2 requests to Firebase servers in each of my requests is not the way to go...

Sergio Viudes asked Jan 11 '17 18:01



1 Answer

Both getToken() and VerifyIdToken() are designed to be called for every outgoing/incoming request.

1) Although getToken() is asynchronous, the Firebase Android SDK actually caches the current Firebase user token in local storage. So long as the cached token is still valid (i.e. within one hour since issued), getToken() returns the token immediately. Only when the cached token expires does the SDK fetch a new token from remote Firebase server.

2) VerifyIdToken() is also optimized for performance. It caches the Firebase token public cert (valid for 6 hours), which is used to validate the token signature on the local machine. No RPC is involved except for downloading the public cert.

Jin Liu answered Sep 18 '22 17:09