What does Firebase server side verifyIdToken() do under the hood?

I'm considering using Firebase to perform identity verification. I am new to JWT, so my apologies if this is an obvious question, but I don't understand how the verification is actually done. It seems that FirebaseAuth.getInstance().verifyIdToken(idToken) works asynchronously, as the result is obtained via a listener. I understand that some certificates are used as described here, and that those certificates are rotated regularly. Does that mean networking is required between my back-end server and Firebase's servers each time I call verifyIdToken()? Isn't that a problem?

asked by guik, Nov 22 '16 22:11



1 Answer

In order to verify Firebase ID tokens, the Firebase Auth public certs need to be retrieved (network request), and these are rotated on a regular basis. These are needed to ensure the ID token has not been tampered with. The JWT is first parsed; the algorithm to encrypt the token is checked to see if it matches the expected one; the signature is then verified using the public key obtained; finally, the JWT claims are validated, ensuring the token has not expired.

answered by bojeil, Sep 18 '22 00:09