Verifying ID tokens with Firebase Authentication

2

15

We are starting the development of a web app and were thinking of using Firebase Authentication to handle our sign up flow. However, we are unsure about how the ID token verification works. It seems possible to verify a user with its token outside the Firebase realm. We are thinking of having a Node.js app on Google Kubernetes Engine – as far as I know, it does not integrate with Firebase Authentication.

Firebase provides this example on how to verify ID tokens using the Firebase Admin SDK:

// idToken comes from the client app (shown above)

admin.auth().verifyIdToken(idToken)
  .then(function(decodedToken) {
    var uid = decodedToken.uid;
    // ...
  }).catch(function(error) {
    // Handle error
  });

My question is whether or not Firebase has to make a call to its servers in order to verify the ID token on each user request – which would add a delay –, or if it caches the cryptographic keys required to verify the token for a long time – that's how I assume it works.

Caudle answered 4/2, 2019 at 14:16 Comment(1)
I have a similar issue when running on the emulator, getting an error: The Firebase ID token has been revoked. – Eli
20

When you call verifyIdToken, the Admin SDK decodes the token with the public key and verifies that the signature is valid. It downloads this key from Google's servers, but it's cached for 24 hours (since it hardly ever changes). After verifying the token, it optionally checks whether the token was revoked, which requires another call to the Firebase Authentication servers. This request happens for each call to verifyIdToken.

You can check this against the source code.

Kersten answered 4/2, 2019 at 15:11 Comment(4)
verifyIdToken() fetches public keys from Google servers. But these get cached up to 24 hours, and so the RPC call overhead gets amortized. The revocation check requires a non-cacheable RPC call, but the SDK only does it if explicitly asked for -- verifyIdToken(idToken, true). – Despiteful
Thanks for that clarification Hiranya. Can you give a link to the SDK code where the public keys are gotten? I looked for that, but couldn't find it. – Kersten
Hi Puf. Here you go: github.com/firebase/firebase-admin-node/blob/… – Despiteful
So according to the source and @HiranyaJayathilaka's comment, the second part of this answer is not correct, right? ("After verifying the token, it checks whether the token was revoked, which requires another call to the Firebase Authentication servers") since if I don't pass checkRevoked=true no HTTP call is made. Am I missing something? – Huggermugger
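
The key caching discussed in this answer and its comments, as an added example that is not part of the original posts and not the Admin SDK's own code: a local RS256 check with a 24-hour key cache, showing that repeated verifications reuse one key download. The key pair, `fetchKeys`, `signToken`, `verifyLocally` and the project id `demo-project` are constructed for illustration, and revocation is not modelled, since a purely local check cannot see it.

```javascript
const crypto = require('crypto');

// Constructed stand-ins: a local RSA key pair plays the signing key, and
// fetchKeys() plays the HTTPS download of the public keys (counted, no network).
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const PROJECT_ID = 'demo-project';            // hypothetical project id
let fetchCount = 0;
function fetchKeys() {
  fetchCount += 1;
  return { 'kid-1': publicKey };
}

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
function signToken(claims, kid = 'kid-1') {   // helper that mints a constructed token
  const input = `${b64url({ alg: 'RS256', kid })}.${b64url(claims)}`;
  return `${input}.${crypto.sign('RSA-SHA256', Buffer.from(input), privateKey).toString('base64url')}`;
}

const KEY_TTL_MS = 24 * 60 * 60 * 1000;       // the 24 h lifetime mentioned in the answer
let cache = { keys: null, expiresAt: 0 };
function getKey(kid, now) {
  if (!cache.keys || now >= cache.expiresAt) {
    cache = { keys: fetchKeys(), expiresAt: now + KEY_TTL_MS };
  }
  return cache.keys[kid];
}

// Verifies signature and claims locally; only a cold or expired cache triggers a fetch.
function verifyLocally(token, now = Date.now()) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const header = JSON.parse(Buffer.from(parts[0], 'base64url'));
  const claims = JSON.parse(Buffer.from(parts[1], 'base64url'));
  if (header.alg !== 'RS256') throw new Error('unexpected alg');  // pin the algorithm
  const key = getKey(header.kid, now);
  if (!key) throw new Error('unknown kid');
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${parts[0]}.${parts[1]}`), key,
    Buffer.from(parts[2], 'base64url'));
  if (!ok) throw new Error('bad signature');
  if (claims.aud !== PROJECT_ID) throw new Error('wrong audience');
  if (claims.iss !== `https://securetoken.google.com/${PROJECT_ID}`) throw new Error('wrong issuer');
  if (claims.exp * 1000 <= now) throw new Error('token expired');
  return claims;
}
```

A token revoked after it was issued still passes this check until its `exp` time, which is why the revocation check mentioned in the comments needs its own server round trip.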
0

I have a similar use case where I'm trying to use Firebase authentication in my app. Does the idToken need to be passed in with every request once the user is logged in (and then correspondingly verified by the backend on every request)?

EDIT: looks like Hiranya answered the question here: Firebase Token Authentication using Django

Chaco answered 25/5, 2020 at 16:14 Comment(0)
