3
votes

I'm trying to verify ID tokens received by signing in with the REST API for authentication, using the verifyIdToken(idToken) method in the Admin SDK, but instead of getting the decoded token I get this error:

Firebase ID token has incorrect "iss" (issuer) claim. Expected "https://securetoken.google.com/"" but got "https://identitytoolkit.google.com/". Make sure the ID token comes from the same Firebase project as the service account used to authenticate this SDK. See https://firebase.google.com/docs/auth/admin/verify-id-tokens for details on how to retrieve an ID token.

As I said above I'm getting my token from the REST API, so I was expecting this to work. The response I get from the API is this:

{
    "kind": "identitytoolkit#VerifyPasswordResponse",
    "localId": "pu0yjIc8tnR85X2gERdtLx684DK2",
    "email": "test@test.com",
    "displayName": "",
    "idToken": "<token-id>",
    "registered": true
}

Is this considered a custom token? If so, how can I verify it?

2
Consider that the idToken expiration time is small, about one hour. – Khaled Lela
Try to validate your idToken with this endpoint: googleapis.com/oauth2/v3/tokeninfo?{idToken} – Khaled Lela
@KhaledLela Can you give me a link to the docs for this endpoint? – Samuel E.
Unfortunately, ID tokens returned by the verifyPassword endpoint are not Firebase ID tokens. – Hiranya Jayathilaka
@HiranyaJayathilaka So how would I verify these tokens? – Samuel E.

2 Answers

2
votes

As of Sep 2018, the issuer of the ID token returned by the REST API seems to have changed from https://identitytoolkit.google.com/ to https://securetoken.google.com/, and I can successfully verify this ID token in the Firebase Admin SDK.

[Edit]: The Firebase Admin SDK still fails to verify the Facebook ID token returned by identitytoolkit's verifyAssertion REST API.

0
votes

According to Google Developers:

  • Calling the tokeninfo endpoint

An easy way to validate an ID token for debugging and low-volume use is to use the tokeninfo endpoint. Calling this endpoint involves an additional network request that does most of the validation for you, but introduces some latency and the potential for network errors.

To validate an ID token using the tokeninfo endpoint, make an HTTPS POST or GET request to the endpoint, and pass your ID token in the id_token parameter. For example, to validate the token "XYZ123", make the following GET request:

https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=XYZ123

{
 // These six fields are included in all Google ID Tokens.
 "iss": "https://accounts.google.com",
 "sub": "110169484474386276334",
 "azp": "1008719970978-hb24n2dstb40o45d4feuo2ukqmcc6381.apps.googleusercontent.com",
 "aud": "1008719970978-hb24n2dstb40o45d4feuo2ukqmcc6381.apps.googleusercontent.com",
 "iat": "1433978353",
 "exp": "1433981953",

 // These seven fields are only included when the user has granted the "profile" and
 // "email" OAuth scopes to the application.
 "email": "testuser@gmail.com",
 "email_verified": "true",
 "name" : "Test User",
 "picture": "https://lh4.googleusercontent.com/-kYgzyAWpZzJ/ABCDEFGHI/AAAJKLMNOP/tIXL9Ir44LE/s99-c/photo.jpg",
 "given_name": "Test",
 "family_name": "User",
 "locale": "en"
}
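The error in the question and both answers come down to which claims a token carries: the Admin SDK rejects a token whose "iss" is not "https://securetoken.google.com/<project-id>" (and whose "aud" is not the project ID) before it ever gets to checking the signature, and the tokeninfo sample above describes yet a third token shape, a Google OAuth ID token with "iss": "https://accounts.google.com". The following Python is an added example, not code from the question, either answer, or Firebase; it decodes a JWT's claims locally, runs the same issuer/audience/subject/expiry checks the Admin SDK applies, and labels which family a token belongs to, so the three cases discussed on this page can be told apart offline. Assumptions: the project ID "demo-project", the helper names, and the sample tokens are all constructed for this example; the tokens carry an empty signature segment and would never be accepted by a real verifier, and this code deliberately does not verify signatures, which is a mandatory extra step against Google's published public keys.

```python
import base64
import json
import time
from typing import Dict, List, Optional, Tuple

# Assumption for this example: the Firebase project ID the Admin SDK was initialised for.
# The page never states the real project ID, so "demo-project" is a placeholder.
PROJECT_ID = "demo-project"
FIREBASE_ISSUER = "https://securetoken.google.com/" + PROJECT_ID


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> Tuple[Dict, Dict]:
    """Split a compact JWS into (header, payload). This does NOT check the signature;
    it only exposes the claims so the issuer/audience problem can be diagnosed."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def check_firebase_claims(payload: Dict, now: Optional[float] = None) -> List[str]:
    """Apply the claim checks a Firebase ID token must pass (issuer, audience, subject,
    expiry, issued-at) and return the list of failures; an empty list means the claims
    are consistent with a Firebase ID token for PROJECT_ID. Signature verification
    against Google's public keys is a separate, mandatory step not performed here."""
    now = time.time() if now is None else now
    problems = []
    iss = payload.get("iss")
    if iss != FIREBASE_ISSUER:
        problems.append('incorrect "iss": expected %r but got %r' % (FIREBASE_ISSUER, iss))
    aud = payload.get("aud")
    if aud != PROJECT_ID:
        problems.append('incorrect "aud": expected %r but got %r' % (PROJECT_ID, aud))
    if not payload.get("sub"):
        problems.append('missing "sub" (the Firebase uid)')
    if payload.get("exp", 0) <= now:
        problems.append("token has expired")
    if payload.get("iat", now) > now:
        problems.append('"iat" is in the future')
    return problems


def classify_issuer(iss: Optional[str]) -> str:
    """Name the token family from its issuer, which is what distinguishes the
    three token shapes mentioned on this page."""
    if iss is None:
        return "no issuer claim"
    if iss.startswith("https://securetoken.google.com/"):
        return "Firebase ID token"
    if iss == "https://identitytoolkit.google.com/":
        return "identitytoolkit token (issuer the REST API used before Sep 2018)"
    if iss in ("https://accounts.google.com", "accounts.google.com"):
        return "Google OAuth ID token (the shape the tokeninfo endpoint documents)"
    return "unknown issuer"


def make_unsigned_token(payload: Dict) -> str:
    """Build a CONSTRUCTED sample JWT with an empty signature segment, so the
    example runs offline. A real verifier must reject such a token outright."""
    def enc(obj: Dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT", "kid": "constructed"}) + "." + enc(payload) + "."


# Constructed sample inputs (not real tokens). A fixed clock keeps the checks deterministic.
NOW = 1_600_000_000
UID = "pu0yjIc8tnR85X2gERdtLx684DK2"  # the localId from the question's REST response

GOOD_TOKEN = make_unsigned_token({
    "iss": FIREBASE_ISSUER, "aud": PROJECT_ID, "sub": UID,
    "iat": NOW - 60, "exp": NOW + 3540,  # one-hour lifetime, as the comment on the question notes
})
LEGACY_TOKEN = make_unsigned_token({
    "iss": "https://identitytoolkit.google.com/", "aud": PROJECT_ID, "sub": UID,
    "iat": NOW - 60, "exp": NOW + 3540,
})
EXPIRED_TOKEN = make_unsigned_token({
    "iss": FIREBASE_ISSUER, "aud": PROJECT_ID, "sub": UID,
    "iat": NOW - 7200, "exp": NOW - 3600,
})


def diagnose(token: str, now: float = NOW) -> Dict:
    """Decode a token and report its issuer family plus any failing Firebase claim checks."""
    _header, payload = decode_jwt_claims(token)
    return {"kind": classify_issuer(payload.get("iss")),
            "problems": check_firebase_claims(payload, now)}


if __name__ == "__main__":
    for name, tok in (("good", GOOD_TOKEN), ("legacy", LEGACY_TOKEN), ("expired", EXPIRED_TOKEN)):
        print(name, diagnose(tok))
```

Run it and the "legacy" token fails with exactly the incorrect "iss" message from the question, while the "good" token passes every claim check. In production this claim inspection is only the diagnostic half: verifyIdToken in the Admin SDK additionally fetches Google's current signing certificates (published at https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com), selects the one matching the token's "kid" header and verifies the RS256 signature, and a token that fails that step must be rejected no matter how correct its claims look.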