Is it possible to validate a firebase token (JWT) from server (Java)

Question

Browser Client - Uses Firebase to sign in and has the firebase userid, token in the local storage.

{
  "typ": "JWT",
  "alg": "HS256"
}
{
  "v": 0,
  "d": {
    "provider": "password",
    "uid": "xxxxd757-5f7f-xx0c-adb1-xxe8ce77d3a0"
  },
  "iat": 1460560833
} 

When the browser calls the server - a REST API end point , the token is passed as a Request header.

Now, the server is configured with a Firebase Secret.

My question: is it possible to validate the firebase issued token at the server side? the server is not used for authentication (the user name /pass validation is done via firebase api from browser).

Answer 1

I suggest this library: https://github.com/auth0/java-jwt

Open source project with very concise API from security focused company.

Answer 2

Thanks luboskrnac and Mark B. I tried out both Java-jwt and jjwt libraries and used jjwt in my code.

@Test
public void tokenValidateTest() {
    String token = "exX0xXAi0iJKV1QiLCJhbGciOiJIUzI1NiJ9.eyXK2IjxxxJkIjp7InByb3ZpZGVyIjoicGFzc3dvcmQiLCJ1aWQiOiI5NDA2ZDc1Ny01ZjdmLTQ0MGMtYWRiMS05MmU4Y2U3N2QzYTBjKSwiaWF0IjoxNDYwMNYwODMzxQ.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
    String secret = "6x3Ox29Xx1xxxXXiI0P3PL5pWdNUE5sPcXXXLxxxX";

    try {
        Claims claims = Jwts.parser().setSigningKey(secret.getBytes("UTF-8")).parseClaimsJws(token).getBody();

        Date issuedDate = claims.getIssuedAt();


        assert(issuedDate.before(new Date()));

    } catch (Exception ex) {
        ex.printStackTrace();
    }

}

Answer 3

Yes it is possible. There are many libraries out there for working with JSON Web Tokens in Java. This is one example: https://github.com/jwtk/jjwt