0
votes

I was following this https://firebase.google.com/docs/auth/admin/verify-id-tokens to retrieve the idToken in the client and verify it on the server.

On the server side, I use the following Java code to initialize the SDK and verify the token:

  import java.io.ByteArrayInputStream;
  import java.nio.charset.StandardCharsets;
  import com.google.auth.oauth2.GoogleCredentials;
  import com.google.firebase.FirebaseApp;
  import com.google.firebase.FirebaseOptions;
  import com.google.firebase.auth.FirebaseAuth;
  import com.google.firebase.auth.FirebaseToken;
  import com.google.firebase.tasks.Tasks;

  // Placeholder: the JSON generated from the Firebase service account
  String json = "<SERVICE_ACCOUNT_JSON>";
  ByteArrayInputStream serviceAccount =
      new ByteArrayInputStream(json.getBytes(StandardCharsets.UTF_8));

  FirebaseOptions options =
      new FirebaseOptions.Builder()
          .setCredentials(GoogleCredentials.fromStream(serviceAccount))
          .setDatabaseUrl("https://<PROJECT_ID>.firebaseio.com") // placeholder for my database URL
          .build();
  FirebaseApp defaultApp = FirebaseApp.initializeApp(options);
  FirebaseAuth defaultAuth = FirebaseAuth.getInstance(defaultApp);
  try {
      // verifyIdToken returns a Task in this SDK version; block until it completes
      FirebaseToken firebaseToken = Tasks.await(
             defaultAuth.verifyIdToken(tokenFromClient));
      System.out.println("token email " + firebaseToken.getEmail());
      System.out.println("Successfully verify token");
  } catch (Exception e) {
      System.out.println("token verify error " + e);
  }

I got this error:

java.util.concurrent.ExecutionException: com.google.firebase.auth.FirebaseAuthException: Error while verifying token signature.

There is a deep stack trace from the SDK API:

Caused by: com.google.firebase.auth.FirebaseAuthException: Error while verifying token signature.
    at com.google.firebase.auth.internal.FirebaseTokenVerifier.verifyTokenAndSignature(FirebaseTokenVerifier.java:152)
    at com.google.firebase.auth.FirebaseAuth$2.call(FirebaseAuth.java:223)
    at com.google.firebase.auth.FirebaseAuth$2.call(FirebaseAuth.java:211)
    at com.google.firebase.tasks.Tasks$1.run(Tasks.java:82)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at com.google.apphosting.runtime.ApiProxyImpl$CurrentRequestThreadFactory$1$1.run(ApiProxyImpl.java:1233)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.google.apphosting.runtime.ApiProxyImpl$CurrentRequestThreadFactory$1.run(ApiProxyImpl.java:1227)
    at java.lang.Thread.run(Thread.java:745)
    at com.google.apphosting.runtime.ApiProxyImpl$CurrentRequestThread.run(ApiProxyImpl.java:1194)

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1953)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:220)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1379)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1407)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
    at com.google.api.client.http.javanet.NetHttpRequest.execute(NetHttpRequest.java:104)
    at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:981)
    at com.google.api.client.googleapis.auth.oauth2.GooglePublicKeysManager.refresh(GooglePublicKeysManager.java:172)
    at com.google.api.client.googleapis.auth.oauth2.GooglePublicKeysManager.getPublicKeys(GooglePublicKeysManager.java:140)
    at com.google.firebase.auth.internal.FirebaseTokenVerifier.verifySignature(FirebaseTokenVerifier.java:174)
    at com.google.firebase.auth.internal.FirebaseTokenVerifier.verifyTokenAndSignature(FirebaseTokenVerifier.java:146)
    ... 10 more

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1473)
    ... 26 more

On the client, I set force refresh to true when getting the ID token, so I suppose the ID token has not expired yet.

Any help is appreciated.

1
Your steps look ok. If you can check with the Node.js Admin SDK that the token extracted from the client is verified in Node.js, then the issue can be the same as mentioned in the above comment. – Umar Hussain

Look at the deep stack trace to figure out what the actual error/root cause is. – Hiranya Jayathilaka

Uploaded the stack trace; it looks like the certificate was not loaded properly. – DiL

1 Answer

1
votes

The root cause was the wrong certificate. Our server is built on App Engine, but we replaced the certificate for project needs. After the certificate issue was fixed, the token verification succeeded.
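An added Java check (not code from the question or the answer) that separates a TLS trust failure like the one above from a genuine token problem: it reports which trust anchors the JVM is using and repeats the HTTPS fetch the SDK makes when it refreshes Google's token-signing certificates. The key endpoint URL is an assumption taken from the linked Firebase docs, not from this page.

```java
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

public class TrustStoreCheck {
    // Endpoint the Admin SDK reads Google's token-signing certificates from
    // (assumption: taken from the linked Firebase docs, not from this page).
    static final String KEYS_URL =
        "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com";

    public static void main(String[] args) throws Exception {
        // Which truststore is this JVM using? init(null) loads the default one:
        // javax.net.ssl.trustStore if set, otherwise $JAVA_HOME/lib/security/cacerts.
        System.out.println("javax.net.ssl.trustStore = " + System.getProperty("javax.net.ssl.trustStore"));
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                X509Certificate[] anchors = ((X509TrustManager) tm).getAcceptedIssuers();
                System.out.println("trust anchors loaded: " + anchors.length); // 0 => empty/replaced store
            }
        }

        // Repeat the handshake the SDK performs inside GooglePublicKeysManager.refresh().
        HttpsURLConnection conn = (HttpsURLConnection) new URL(KEYS_URL).openConnection();
        try {
            conn.connect();
            System.out.println("HTTP " + conn.getResponseCode() + ", server chain:");
            for (Certificate c : conn.getServerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  " + x.getSubjectX500Principal() + "  issuer: " + x.getIssuerX500Principal());
            }
        } catch (SSLHandshakeException e) {
            // This is what hides behind "Error while verifying token signature" above:
            // the token was never examined; the JVM could not build a path to a trusted CA.
            System.out.println("TLS trust failure before any token check: " + e.getMessage());
        } finally {
            conn.disconnect();
        }
    }
}
```

If the handshake fails here, the fix is a complete truststore (import the missing CA or point javax.net.ssl.trustStore at one), not a trust-all TrustManager, which would remove the signature check's only guarantee that the keys came from Google.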