firebase verify id token gives: Firebase ID token has incorrect “iss”

4
votes

How do I verify idToken sent from the client on the server?

I am following the docs here using python. Basically I signed in on the client with email and password which returns the idToken, and then I send this idToken to server for verification, but got the error as below.

ValueError: Firebase ID token has incorrect "iss" (issuer) claim. Expected "https://securetoken.google.com/myproject" but got "https://identitytoolkit.google.com/". Make sure the ID token comes from the same Firebase project as the service account used to authenticate this SDK. See https://firebase.google.com/docs/auth/admin/verify-id-tokens for details on how to retrieve an ID token.

I am pretty sure I generated the service account json in the same project as the client. Does anybody know what could be the issue?

My Server code looks like this:

from firebase_admin import credentials, initialize_app, auth

def is_authenticated(id_token):
    cred = credentials.Certificate("service-account.json")
    app = initialize_app(cred)
    return auth.verify_id_token(id_token, app)
2
pythonfirebasefirebase-authentication

2 Answers

8
votes

Besides sending the email and password, you also have to set the flag returnSecureToken to true, otherwise your IdToken will not be valid and you will also not get a refresh token.

curl 'https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword?key=[API_KEY]' \
  -H 'Content-Type: application/json' \
  --data-binary '{"email":"[user@example.com]","password":"[PASSWORD]","returnSecureToken":true}'

Documentation

0
votes

It seems I followed the wrong docs on the client side; Eventually I followed this docs, and used the following code to extract the idToken which I sent to backend for verification:

firebase.auth().currentUser.getIdToken(/* forceRefresh */ true).then(function(idToken) {
  // Send token to your backend via HTTPS
  // ...
}).catch(function(error) {
  // Handle error
});