Verifying ID tokens with Firebase Authentication


Problem description

We are starting the development of a web app and were thinking of using Firebase Authentication to handle our sign up flow. However, we are unsure about how the ID token verification works. It seems possible to verify a user with its token outside the Firebase realm. We are thinking of having a Node.js app on Google Kubernetes Engine – as far as I know, it does not integrate with Firebase Authentication.

Firebase provides this example on how to verify ID tokens using the Firebase Admin SDK:

// idToken comes from the client app (shown above)

admin.auth().verifyIdToken(idToken)
  .then(function(decodedToken) {
    var uid = decodedToken.uid;
    // ...
  }).catch(function(error) {
    // Handle error
  });

My question is whether or not Firebase has to make a call to its servers in order to verify the ID token on each user request – which would add a delay –, or if it caches the cryptographic keys required to verify the token for a long time – that's how I assume it works.

Recommended answer

When you call verifyIdToken, the Admin SDK decodes the token with the public key and verifies that the signature is valid. It downloads this key from Google's servers, but it's cached for 24 hours (since it hardly ever changes). After verifying the token, it checks whether the token was revoked, which requires another call to the Firebase Authentication servers. This request happens for each call to verifyIdToken.

You can check this against the source code.
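The signature step with a cached key, as an added example that is not part of the original answer and not the Admin SDK's own code: an RS256 token is verified locally and the key download happens only when the cache has expired. `KeyCache`, `verifyToken`, `signToken` and the injected `fetchKeys` function are hypothetical names, the key pair and tokens are constructed locally, and the revocation lookup and the issuer/audience checks are left out.

```javascript
// Added illustration, not Firebase Admin SDK code. Key pair and tokens are constructed locally.
const nodeCrypto = require('crypto');

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Holds the verification keys (kid -> public key PEM) and refetches only after ttlMs.
class KeyCache {
  constructor(fetchKeys, ttlMs) {
    this.fetchKeys = fetchKeys; // hypothetical stand-in for the HTTPS key download
    this.ttlMs = ttlMs;
    this.keys = null; this.expiresAt = 0; this.fetchCount = 0;
  }
  get(kid, now) {
    if (!this.keys || now >= this.expiresAt) {
      this.keys = this.fetchKeys();
      this.expiresAt = now + this.ttlMs;
      this.fetchCount += 1;
    }
    return Object.prototype.hasOwnProperty.call(this.keys, kid) ? this.keys[kid] : undefined;
  }
}

// Verifies an RS256 token without any per-request network call: header, signature, expiry.
function verifyToken(token, cache, now = Date.now()) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  if (header.alg !== 'RS256') throw new Error('unexpected alg'); // pin the algorithm
  const pem = cache.get(header.kid, now);
  if (!pem) throw new Error('unknown kid');
  const ok = nodeCrypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), pem, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  if (typeof claims.exp !== 'number' || claims.exp * 1000 <= now) throw new Error('expired');
  return claims;
}

// Constructed fixture: a throwaway key pair and a helper that signs tokens with it.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const PUBLIC_PEM = publicKey.export({ type: 'spki', format: 'pem' });
function signToken(claims, kid = 'demo-kid') {
  const input = `${b64url({ alg: 'RS256', kid })}.${b64url(claims)}`;
  const sig = nodeCrypto.sign('RSA-SHA256', Buffer.from(input), privateKey);
  return `${input}.${sig.toString('base64url')}`;
}
```

With a 24-hour `ttlMs`, `cache.fetchCount` stays at 1 across repeated verifications, so the per-request cost of this step is one RSA signature check.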
