Browser Client - Uses Firebase to sign in and has the firebase userid, token in the local storage.
{
"typ": "JWT",
"alg": "HS256"
}
{
"v": 0,
"d": {
"provider": "password",
"uid": "xxxxd757-5f7f-xx0c-adb1-xxe8ce77d3a0"
},
"iat": 1460560833
}
When the browser calls the server - a REST API end point , the token is passed as a Request header.
Now, the server is configured with a Firebase Secret.
My question: is it possible to validate the firebase issued token at the server side? the server is not used for authentication (the user name /pass validation is done via firebase api from browser).
I suggest this library: https://github.com/auth0/java-jwt
Open source project with very concise API from security focused company.
Thanks luboskrnac and Mark B. I tried out both Java-jwt and jjwt libraries and used jjwt in my code.
@Test
public void tokenValidateTest() {
String token = "exX0xXAi0iJKV1QiLCJhbGciOiJIUzI1NiJ9.eyXK2IjxxxJkIjp7InByb3ZpZGVyIjoicGFzc3dvcmQiLCJ1aWQiOiI5NDA2ZDc1Ny01ZjdmLTQ0MGMtYWRiMS05MmU4Y2U3N2QzYTBjKSwiaWF0IjoxNDYwMNYwODMzxQ.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
String secret = "6x3Ox29Xx1xxxXXiI0P3PL5pWdNUE5sPcXXXLxxxX";
try {
Claims claims = Jwts.parser().setSigningKey(secret.getBytes("UTF-8")).parseClaimsJws(token).getBody();
Date issuedDate = claims.getIssuedAt();
assert(issuedDate.before(new Date()));
} catch (Exception ex) {
ex.printStackTrace();
}
}
Yes it is possible. There are many libraries out there for working with JSON Web Tokens in Java. This is one example: https://github.com/jwtk/jjwt
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With