I'm using Firebase in a project where I use the Firebase ID token as a bearer token to authenticate users.
The project works OK, but I want to know how verifyIdToken() works and when it is cached.
Right now the project works this way:
- The client logs into the client app and retrieves a Firebase tokenId.
- The client calls the server using the tokenId as a Bearer token to be authorized.
- The server uses verifyIdToken() to verify the user.
The question is about the verifyIdToken() method and whether it is necessary to call the Firebase API on each new token.
I've read this question, which says:
VerifyIdToken() is also optimized for performance. It caches the Firebase token public cert (valid for 6 hours) which is used to validate the token signature on local machine. No RPC is involved except for downloading the public cert.
Also, this answer says:
When you call verifyIdToken, the Admin SDK decodes the token with the public key and verifies that the signature is valid. It downloads this key from Google's servers, but it's cached for 24 hours.
And the comment:
verifyIdToken() fetches public keys from Google servers. But these get cached up to 24 hours, and so the RPC call overhead gets amortized.
But which cert is downloaded and cached? The user's or the project's?
So, does the server need a call to the Firebase API for each new tokenId it gets from the client, or can the server decode it without an internet connection using the cached cert?
The main goal is to decrease the number of calls to the Firebase API, so I want to know whether, with the cert cached and downloaded every 24 h, the server can decode every valid token for the project without internet.
Thanks in advance.