Where do you get/find the JWT-Secret from firebase?

4
votes

I'm using firebase for my web/mobile apps and now have a back-end API I'm looking to use as well. The API requires a JWT token to authenticate the requests and to set it up, I need to specify the JWT Secret that is used to encrypt/decrypt the token.

In firebase, I believe I retrieve the token using const token = await firebase.auth().currentUser.getIdToken(); This is what I pass to the API.

However, I have not figured out where I get the JWT-secret to configure? I have tried the API key that is shown in firebase console, I have also tried the server/client keys found at my console at https://console.developers.google.com.

however, no matter what, I'm getting a JWSInvalidSignature when trying to make requests to the API Call.

Has anyone got this working? Where do I get the JWT-secret from firebase to configure on the API back-end? Thanks in advance.

Here are the details: 1. I am using a service called postGrest which auto-creates a web API on top of postgres DB. In order to authenticate the requests, you configure the service by specifying a custom claim called "role", and you also need to specify the JWT-secret so it can decode the token.

Here is my simple call to the API:

           const fetchdata = async () => {
           const token  = await firebase.auth().currentUser.getIdToken();

        let axiosConfig = {
           headers: {
              'Authorization': 'Bearer' + token
                   } 
             }
       const data = await axios.get(`http://localhost:8080/users`, 
       axiosConfig);
}

Also note, I can simulate this in the bash command line using the following code: Note here that I'm getting the token from the getIdToken() above.

   export TOKEN="eyJhbGciOiJSUzI1NiIsImtpZCI6ImQ2YzM5Mzc4YWVmYzA2YzQyYTJlODI1OTA0ZWNlZDMwODg2YTk5MjIiLCJ0eXAiOiJKV1QifQ.eyJ1c2VyaWQiOiI1NSIsImlzcyI6Imh0dHBzOi8vc2VjdXJldG9rZW4uZ29vZ2xlLmNvbS9wb3N0Z3Jlc3QtYjRjOGMiLCJhdWQiOiJwb3N0Z3Jlc3QtYjRjOGMiLCJhdXRoX3RpbWUiOjE1NzExNTIyMjQsInVzZXJfaWQiOiJNMXZwQ3A2ZjlsaFdCblRleHh1TjlEdXIzUXAyIiwic3ViIjoiTTF2cENwNmY5bGhXQm5UZXh4dU45RHVyM1FwMiIsImlhdCI6MTU3MTE1OTQ0NSwiZXhwIjoxNTcxMTYzMDQ1LCJlbWFpbCI6InNwb25nZWJvYkBnbWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImZpcmViYXNlIjp7ImlkZW50aXRpZXMiOnsiZW1haWwiOlsic3BvbmdlYm9iQGdtYWlsLmNvbSJdfSwic2lnbl9pbl9wcm92aWRlciI6InBhc3N3b3JkIn19.nKuovs0Gx_ZKp17dI3kfz6GQofIMEOTA8RqTluwEs-5r-oTbKgpG33uS7fs7txVxvWIb_3fbN3idzfDHZevprMkagbHOd73CxTFBM7pr1bD2OKSK9ZPYfSt9OhvgJL51vBN3voLcNAb5iWVVl2XMqkcXeDoBi8IOKeZr27_DsRx48GSi7HieHWscF1lujSEr2C9tdAek3YyNnr3IcGI8cTSPHPaIbYl-8CaHQO2fUiGHEAaD7sqHxp3otJio56zOoNAy44P_nwORlMFZC0Rm8SaATpbmIkgbGYWHZHty70lmlYGVHTuM_hr2s7z2YhAjuacvBMgusZpyoVnoe3FQeA"

    curl http://localhost:8080/contacts -H "Authorization: Bearer $TOKEN"

What's returned is: {"message":"JWSError JWSInvalidSignature"}

For the JWT-secret, I have tried several values, but none seem to work. This includes the "API Key" from firebase project, as well as trying "Generate key" which downloads a new .json file and inside there is a "private_key": that is along string.

1
firebasefirebase-authenticationjwt-auth
Could you edit the question to include the code that isn't working the way you expect?Doug Stevenson
updated post with snippet of code. The gist is I need to provide this api tool the JWT secret so it can decode the firebase token...and I don't know where i get that (or if I can)mike hennessy
And what code are you writing on the backend to validate the token which isn't working the way you expect?Doug Stevenson
I don't write the code, it's a webserver app called Postgrest. Here is a link to simple tutorial they show how to configure the JWT secret: postgrest.org/en/v6.0/tutorials/tut1.htmlmike hennessy
I think it would help a lot here to know exactly what the backend is doing or expecting.Doug Stevenson

1 Answers

1
votes

The instructions for using a third party library to validate a Firebase Auth ID token is here. It says the public key can be found here:

https://www.googleapis.com/robot/v1/metadata/x509/[email protected]