0
votes

I am using Firebase mobile OTP authentication. After successful authentication my Android app receives a token which I have to verify on my Django server. But while I was reading the docs on verifying this token, it turned out that if someone knows my Firebase project-id, they can generate valid tokens anytime they want.

To get context, look at the last method to verify the Firebase token at link

Isn't this quite risky, as once your Firebase project-id is known to someone, they can create fake tokens?

Also, does a custom authentication token help overcome this problem?

Thanks. Let me know if I have misunderstood Firebase token validation and it is not possible to create fake tokens once someone knows the Firebase project-id.

1
"it comes out that if someone knows my firebase project-id, they can generate valid tokens anytime they want". How did you come to this conclusion? A user can get a token for their own account, but not for other accounts, and not for accounts that don't exist. - Doug Stevenson
@DougStevenson I haven't tried the method yet, but the last method in the link in the above question to verify the JWT token needs to check only two parameters, 'iss' and 'aud', which both depend on the project-id, so one can put in a random 'uid', encode it using JWT and send it to the backend server. - hardik24
@DougStevenson The only explanation I can think of is that it is hard to guess the uid of any person associated with that project. - hardik24

1 Answer

2
votes

ID tokens are signed by a private key owned by Firebase Auth. They cannot be forged. Note that the doc you've referenced also states:

Finally, ensure that the ID token was signed by the private key corresponding to the token's kid claim. Grab the public key from https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com and use a JWT library to verify the signature.

A forged ID token will not pass the signature check.
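A server-side check of the kind the answer describes, added here as an example that is not code from the question, the answer or Firebase: the RS256 signature is verified against a trusted public key before the iss/aud/exp claims are trusted, so a token built from the project-id alone fails at the signature step. The key pairs, PROJECT_ID and the "key-1" kid are constructed locally; a real Django backend would fetch the public keys from the googleapis URL quoted above and select one by the token's kid.

```python
import base64, json, time
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

PROJECT_ID = "example-project"  # constructed stand-in for a real Firebase project-id

def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64u(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(private_key, claims: dict, kid: str = "key-1") -> str:
    """Mint an RS256 JWT. Only the holder of the matching private key can do this."""
    header = _b64u(json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode())
    payload = _b64u(json.dumps(claims).encode())
    sig = private_key.sign(f"{header}.{payload}".encode(), padding.PKCS1v15(), hashes.SHA256())
    return f"{header}.{payload}.{_b64u(sig)}"

def verify_id_token(token: str, public_keys: dict, project_id: str, now=None) -> dict:
    """Return the claims if the token is authentic and current, else raise ValueError."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(_unb64u(h)), json.loads(_unb64u(p)), _unb64u(s)
    except Exception as e:
        raise ValueError(f"malformed token: {e}")
    if header.get("alg") != "RS256":           # refuse alg=none / symmetric downgrades
        raise ValueError("unexpected alg")
    key = public_keys.get(header.get("kid"))   # kid selects the published public key
    if key is None:
        raise ValueError("unknown kid")
    try:                                       # signature first: forged tokens stop here
        key.verify(sig, f"{h}.{p}".encode(), padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        raise ValueError("bad signature")
    if claims.get("aud") != project_id or \
            claims.get("iss") != f"https://securetoken.google.com/{project_id}":
        raise ValueError("aud/iss mismatch")   # the only checks a project-id lets you satisfy
    if not claims.get("sub") or not (claims.get("iat", now + 1) <= now < claims.get("exp", 0)):
        raise ValueError("missing sub, expired or not yet valid")
    return claims

# Constructed key pairs: firebase_key stands in for Firebase's signing key (its public
# half is what the googleapis x509 URL publishes); attacker_key is all that someone who
# knows only the project-id could sign with.
firebase_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
attacker_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
TRUSTED_KEYS = {"key-1": firebase_key.public_key()}
```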