validate firebase ID token through the use of jwt-verify

Hi community,

I am working on integrating Firebase Cloud Functions with Apigee. One challenge I have is how to validate a Firebase ID token through the use of jwt-verify.

The ID token is generated by the frontend Firebase SDK, and below is my JWT config. The token is valid, but from Apigee I keep getting the following:

{
  "fault": {
    "faultstring": "Invalid token: policy(JWT-qashiertest)",
    "detail": {
      "errorcode": "steps.jwt.InvalidToken"
    }
  }
}


where my jwt-verify config is:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VerifyJWT continueOnError="false" enabled="true" name="JWT-qashiertest">
    <DisplayName>JWT-qashiertest</DisplayName>
    <Algorithm>RS256</Algorithm>
    <!-- Source points at the whole header value, i.e. "Bearer eyJ..." -->
    <Source>request.header.authorization</Source>
    <PublicKey>
        <!-- No key configured: the only child is commented out -->
        <!-- <Value ref="private.jwks"/> -->
    </PublicKey>
    <!-- Grace period applied to exp/nbf checks -->
    <TimeAllowance>3650d</TimeAllowance>
    <!-- Expected aud claim; {firebaseId} is resolved from a flow variable -->
    <Audience>{firebaseId}</Audience>
</VerifyJWT>


May I know which part I configured wrong?

Thanks!


The JWKS uri should be

https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com

Not

https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com 

The VerifyJWT policy requires a JWKS endpoint. It cannot consume the "metadata/x509" format for the URL you specified.

@dchiesa1 I was also facing the same issue. I used the same policy config in Apigee and tried changing the JWKS uri to https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com, but I still get the same error.

Can you please help?


@dchiesa1 I am using the same Apigee policy to validate firebase JWT and also changed the JWKS uri to 

https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com

However, it still gives me invalid token error.
Can you please help ?

Thanks!


Then it is an invalid token. Have you checked the token in an online token decoder, like https://dinochiesa.github.io/jwt/ ?

Check that the issuer is correct and that the algorithm is what you expect for a Firebase token.

(I'm not a firebase expert) 


Issue fixed with the policy below, by removing the Source.

If you pass the JWT in the Authorization header as a bearer token (with the Bearer prefix), do not specify the Source element in the policy configuration.

https://cloud.google.com/apigee/docs/api-platform/reference/policies/verify-jwt-policy#source


<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VerifyJWT continueOnError="false" enabled="true" name="JWT-RS256-Firebase">
    <Algorithm>RS256</Algorithm>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <!-- No Source element: the policy reads the Bearer token from the Authorization header itself -->
    <PublicKey>
        <!-- JWKS published for the Firebase securetoken signing keys; the token's kid selects the key -->
        <JWKS uri="https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com"/>
    </PublicKey>
    <!-- Expected iss claim; the path carries the Firebase project ID, resolved from the {firebaseId} flow variable -->
    <Issuer>https://securetoken.google.com/{firebaseId}</Issuer>
</VerifyJWT>


Hope this helps. Thanks!

Ahhh yes. I should have caught that! Glad you found it.