What does Firebase server side verifyIdToken() do under the hood?
I'm considering using Firebase to perform identity verification. I am new to JWT, so my apologies if this is an obvious question, but I don't understand how the verification is actually done. It seems that FirebaseAuth.getInstance().verifyIdToken(idToken) works asynchronously, as the result is obtained via a listener. I understand that some certificates are used as described here, and that those certificates are rotated regularly. Does it mean that networking is required between my back-end server and Firebase's servers each time I call verifyIdToken()? Isn't it a problem?

Xiphoid answered 22/11, 2016 at 22:23 Comment(1)
I've used verifyIdToken on my app when I tried migrating it to Firebase. You're correct that it works asynchronously (and I had a problem with this on my stack configuration). On my setup, verifyIdToken will be called on a REST API that requires the idToken. Once accepted, it does its usual thing. So for me, a network call will be required between the back-end server and Firebase's. – Rog

In order to verify Firebase ID tokens, the Firebase Auth public certs need to be retrieved (network request), and these are rotated on a regular basis. They are needed to ensure the ID token has not been tampered with. The JWT is first parsed; the algorithm used to encrypt the token is checked to see if it matches the expected one; the signature is then verified using the public key obtained; finally, the JWT claims are validated, ensuring the token has not expired.

Haemic answered 23/11, 2016 at 21:44 Comment(3)
Is that a network request for every invocation of `admin.auth().verifyIdToken(idToken)`? – Starryeyed
No, the public certs can be cached. They don't get rotated that often. When they expire, a network request is needed. The majority of the time, you just use the cached ones. – Haemic
Will it return a new token if it has been expired? – Liva
