Hi community,
I am working on integrating Firebase Cloud Functions with Apigee. One challenge I have is how to validate a Firebase ID token through the use of jwt-verify.
The ID token is generated from the frontend Firebase SDK, and below is my JWT config. The token is valid, but from Apigee I keep getting the below:
The JWKS uri should be
https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com
Not
https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com
The VerifyJWT policy requires a JWKS endpoint. It cannot consume the "metadata/x509" format for the URL you specified.
@dchiesa1 I was also facing the same issue. I used the same policy config in Apigee and tried changing the JWKS uri to https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com. But I still get the same error.
Can you please help?
@dchiesa1 I am using the same Apigee policy to validate a Firebase JWT and also changed the JWKS uri to
https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com
However, it still gives me an invalid token error.
Can you please help?
Thanks!
Then it is an invalid token. Have you checked the token in an online token decoder, like https://dinochiesa.github.io/jwt/ ?
Check that the issuer is correct, that the algorithm is what you expect, for a Firebase token.
(I'm not a firebase expert)
Issue fixed with the below policy by removing the source.
If you pass the JWT in the Authorization header as a bearer token (with the Bearer prefix), do not specify the Source element in the policy configuration.
https://cloud.google.com/apigee/docs/api-platform/reference/policies/verify-jwt-policy#source
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VerifyJWT continueOnError="false" enabled="true" name="JWT-RS256-Firebase">
    <!-- No Source element: the JWT arrives in the Authorization header with the Bearer prefix -->
    <Algorithm>RS256</Algorithm>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <PublicKey>
        <JWKS uri="https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com"/>
    </PublicKey>
    <Issuer>https://securetoken.google.com/{firebaseId}</Issuer>
</VerifyJWT>
Hope this helps. Thanks!
Ahhh yes. I should have caught that! Glad you found it.
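The checks raised in this thread (algorithm, issuer, and the Bearer prefix), as an added example that is not part of any post above: a local pre-check in Python that decodes an Authorization header value without verifying the signature. The names `triage` and `make_sample`, the `demo-project` ID and the sample token are constructed for illustration; `strip_bearer=False` shows what a verifier sees when it is handed the header value with the prefix still attached.

```python
import base64
import json

def b64url_json(segment):
    """Decode one base64url JWT segment into a JSON object."""
    padded = segment + "=" * (-len(segment) % 4)
    obj = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj

def triage(header_value, project_id, strip_bearer=True):
    """List problems in an Authorization header value. No signature check."""
    token = header_value.strip()
    if strip_bearer and token.lower().startswith("bearer "):
        token = token[7:].strip()
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a three-part compact JWT"]
    try:
        header, claims = b64url_json(parts[0]), b64url_json(parts[1])
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return ["header or payload is not base64url-encoded JSON"]
    problems = []
    if header.get("alg") != "RS256":
        problems.append(f"alg is {header.get('alg')!r}, policy expects RS256")
    if not header.get("kid"):
        problems.append("no kid in header, so no JWKS key can be selected")
    expected = f"https://securetoken.google.com/{project_id}"
    if claims.get("iss") != expected:
        problems.append(f"iss is {claims.get('iss')!r}, expected {expected!r}")
    return problems

def make_sample(alg, iss):
    """Constructed, unsigned sample token (placeholder signature segment)."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    head = enc({"alg": alg, "kid": "constructed-kid"})
    body = enc({"iss": iss})
    return f"{head}.{body}.c2ln"

if __name__ == "__main__":
    iss = "https://securetoken.google.com/demo-project"  # constructed project ID
    value = "Bearer " + make_sample("RS256", iss)
    print(triage(value, "demo-project"))                      # prefix stripped
    print(triage(value, "demo-project", strip_bearer=False))  # prefix left on
```

A clean result here only means the header and claims look right; the signature still has to be verified against the JWKS by the policy.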