Firebase ID token has invalid signature

Hi all, I'm somehow new to NodeJS and I've only used Google Firebase a few times. Now, I'm trying to verify an idToken generated using getIdToken() method whenever a user signs up or signs in. The token generation works fine but if I try to use this token to authorize a user admin.auth().verifyIdToken(idToken) on another route, I get this error Firebase ID token has invalid signature on Postman. I tried to verify the token on jwt.io as well, it gave error Invalid Signature.

I tried switching to different algorithms, some eventually made the token valid on jwt, but there is usually a VERIFY SIGNATURE box by the bottom-right which I don't really know what to fill there. Well, I've tried copying different newly generated valid tokens by jwt after changing algorithm, but I still get Firebase ID token has invalid signature from Postman.

Does anyone know what the problem may be? Please help.

The problem comes from the Firebase Emulator Auth. The Firebase-hosted Auth is unable to verify JWT token generated by the Firebase Emulator Auth.

To verify the token manually on jwt.io, you need to grab one of the public keys from google: https://www.googleapis.com/robot/v1/metadata/x509/[email protected]

To choose the correct key, find the one that corresponds to your kid from jwt.io.

Paste in the correct corresponding value and now your token should verify correctly (be sure to clear out any \n characters):

For easier programmatic verification, the "JWK URI" is https://www.googleapis.com/service_accounts/v1/jwk/[email protected]

Source: https://firebase.google.com/docs/auth/admin/verify-id-tokens

TLDR;

Prefer log from dart:developer over print and debugPrint.

I was not using the emulator...

I'm new to Firebase and have experienced this, and even upvoted GeniusHawlah's as Taras Mazurkevych's answers... But couldn't find anything in the Firebase setup related to the simulator that I did.

So it happened I was testing my firebase using a truncated JWT token, printed from Dart's debugPrint (which limits truncates output). I was successful in using log from dart:developer!

I was enlightened by https://github.com/flutter/flutter/issues/22665#issuecomment-456858672.

I agree with Genius Hawlah's answer, the problem is the Firebase Emulator Auth. As a workaround I suggest to start emulators without the Auth one with the --only flag, for example firebase emulators:start --only firestore,functions, and authenticate with a user you have in the production Authentication

For some reason, verifyIdToken function throws "Firebase ID token has invalid signature" each time for valid tokens when used in Firebase Emulator locally. I fixed this problem by starting using firebase hosted auth instead of emulator auth (remove auth property from firebase.json). Also, I reported the bug to Firebase.

I encountered a similar problem, figured out that my backend was pointing to the local emulator, but the frontend was pointing to the remote Firebase Auth (because of a bug in the code firebase.auth().useEmulator(...) wasn't called)

As you can see in the source code, the firebase-admin package behaves differently when there is an Auth emulator available. You can either not start it to begin with or make it undiscoverable by removing its address from process.env.

delete process.env.FIREBASE_AUTH_EMULATOR_HOST

Source reference:

public verifyIdToken(idToken: string, checkRevoked = false): Promise<DecodedIdToken> {
    const isEmulator = useEmulator();
    return this.idTokenVerifier.verifyJWT(idToken, isEmulator)
        .then((decodedIdToken: DecodedIdToken) => {
        // Whether to check if the token was revoked.
        if (checkRevoked || isEmulator) {
            return this.verifyDecodedJWTNotRevokedOrDisabled(
            decodedIdToken,
            AuthClientErrorCode.ID_TOKEN_REVOKED);
        }
        return decodedIdToken;
        });
}

First, you need to know if your token is really invalide or if it's an error due to your configuration.

To know easily that, go to jwt.io and grab the kid parameter in the header of the token. This is the key of a public certificat from google.

Go to the page of the open key of google, open your browser's console and hit:

copy(JSON.parse(document.querySelector('pre').textContent).<kid>.replaceAll('\n', ''))

Make sure to match the kid value from JWT.io with the correct key of the JSON parsed ! Once this command is executed, the certificat is copied in your clipboard so you can directly paste it in the input for VERIFY SIGNATURE encoded and TADA ! Signature really Verified... or not, now you know !

If it's verified.. well sorry body but it's your configuration and for me it was the usage of the auth emulator AND the var env FIREBASE_AUTH_EMULATOR_HOST (to comment). I hope you'll find your solution <3

Flutter Firebase JWT Token Invalid Signature Issue

I am currently facing an issue with Firebase authentication in my Flutter application and node js. The problem arises when I try to obtain and print the JWT token using the getIdToken() method. The token is being identified as having an invalid signature when checked on jwt.io. so, I come up with this approach:

void initState() {
  super.initState();
  get();
}

get() async {
  final tokenResult = await FirebaseAuth.instance.currentUser;
  String? token = await tokenResult?.getIdToken();

  while (token!.length > 0) {
    int initLength = (token.length >= 500 ? 500 : token.length);
    print(token.substring(0, initLength));
    int endLength = token.length;
    token = token.substring(initLength, endLength);
  }
}

Faced the same problem with firebase auth emulator and adding to @GeniusHawlah response. Ensure your FIREBASE_AUTH_EMULATOR_HOST environment variable is not loaded.
Removing this environment variable solved my issue.

Take a look at this thread: https://github.com/gladly-team/next-firebase-auth/issues/184

I was searching for why my firebase was getting "Firebase ID token has invalid signature" while trying to connect to the emulator in 2024 and this issue came up. So if you're used to running your backend with firebase serve --only functions and switching to emulator this is really confusing. It's because even if you do custom token authentication in your functions your initial login is still getting a token from the live environment. The emulator is automatically connecting your functions to the auth emulator if it's running. This means it doesn't see that user. If you run the auth emulator you need to also have your front end firebase get an auth token from the auth emulator. To do this you need to add this to your react app when you use auth ONLY when you're using the emulator:

const auth = firebase.auth();
auth.useEmulator("http://127.0.0.1:9099");

Or the modular version if you import modularly:

const auth = getAuth();
connectAuthEmulator(auth, "http://127.0.0.1:9099");

It's explained here: https://firebase.google.com/docs/emulator-suite/connect_auth#web_1

Likewise if you want to connect directly to other services from your front end you have to specify in your frontend that it needs to use your local emulator as per https://firebase.google.com/docs/emulator-suite/connect_and_prototype

Also on a side note if you run --only functions in the emulator they will automatically connect to the live environment so you don't need to alter anything about your front end to run your code in that case. They will both connect to live.

emragins answer is great!

One thing which emragins wrote but it wasn't clear for me is that you need to copy the whole text between

• -----BEGIN CERTIFICATE-----
• -----END CERTIFICATE-----\n

and made replace("\n","").

The result from this operation you can paste to the JTW.io. VERIFY SIGNATURE field.