Menu
We are starting the development of a web app and were thinking of using Firebase Authentication to handle our sign up flow. However, we are unsure about how the ID token verification works. It seems possible to verify a user with its token outside the Firebase realm. We are thinking of having a Node.js app on Google Kubernetes Engine – as far as I know, it does not integrate with Firebase Authentication.
Firebase provides this example on how to verify ID tokens using the Firebase Admin SDK:
// idToken comes from the client app (shown above)
admin.auth().verifyIdToken(idToken)
.then(function(decodedToken) {
var uid = decodedToken.uid;
// ...
}).catch(function(error) {
// Handle error
});
My question is whether or not Firebase has to make a call to its servers in order to verify the ID token on each user request – which would add a delay –, or if it caches the cryptographic keys required to verify the token for a long time – that's how I assume it works.
594
When you call verifyIdToken, the Admin SDK decodes the token with the public key and verifies that the signature is valid. It downloads this key from Google's servers, but it's cached for 24 hours (since it hardly ever changes). After verifying the token, it checks whether the token was revoked, which requires another call to the Firebase Authentication servers. This request happens for each call to verifyIdToken.
You can check this against the source code.
verifyIdTokenfetchPublicKeysverifyJWTverifyDecodedJWTNotRevoked
100
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
