How to decode Firebase JWT token in Python


Problem description


I have added Firebase to allow clients to authenticate directly from the web app client (browser). I am using the firebase-web JS package and it works great. I can see in my browser that I receive a user object with information about the user, including an idToken.

I need to then authenticate this user on my server backend, which is python django. In the Firebase docs I found a how-to for exactly what I am trying to do, which is to verify the id token.

Since they don't have the supported Firebase sdk for python, I need to use a third party solution. I have come to the python-jose package after finding it listed on the jwt.io site. The example looks simple enough:

jwt.decode(token, 'secret', algorithms=['RS256'])

This is my first time using JWT. I don't know what to use for the 'secret'. I tried pasting my id token as token, and the web API key from the Firebase console for secret, but got this error:

jose.exceptions.JWKError: RSA key format is not supported

I also tried the JWT debugger, which seems to be reading most of my id token correctly, but the signature verification is looking for a public and/or private key, which, like the 'secret', are escaping me.

I am really at a loss for how to find this secret, and how to verify the JWT id token in general. The information on the Firebase docs (third-party section) is:

Finally, ensure that the ID token was signed by the private key corresponding to the token's kid claim. Grab the public key from https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com and use a JWT library to verify the signature. Use the value of max-age in the Cache-Control header of the response from that endpoint to know when to refresh the public keys.

I have tried pasting the whole json blob from that googleapis url into the JWT debugger, but still getting an "invalid signature" alert. I don't understand how to use that public key.

Should python-jose work for this approach? If so, what should I use for the secret? If not, can someone point me in the right direction?

Thanks.
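The max-age rule in the Firebase documentation quoted above, as an added example that is not part of the original question and is not Firebase's or python-jose's code: a small cache of the kid -> certificate map that refetches once the Cache-Control max-age has elapsed, and once more when a token names a kid the cached map does not have. The fetch callable, the clock, the kid names and the Cache-Control values are constructed for the example; a real fetch would be an HTTPS GET of the endpoint quoted above, returning the parsed JSON body together with the response's Cache-Control header.

```python
import re
import time

def max_age_seconds(cache_control, default=3600):
    """Pull max-age out of a Cache-Control value such as 'public, max-age=19302, must-revalidate'."""
    match = re.search(r"(?:^|[,\s])max-age=(\d+)", cache_control or "", re.IGNORECASE)
    return int(match.group(1)) if match else default

class PublicKeyCache:
    """Caches the kid -> certificate map served by the Firebase x509 endpoint for max-age seconds.

    `fetch` is a callable returning (mapping, cache_control_header); the real one would GET
    the URL quoted in the question and hand back the parsed JSON body and the header value."""

    def __init__(self, fetch, clock=time.time):
        self._fetch, self._clock = fetch, clock
        self._keys, self._expires_at = {}, 0.0

    def keys(self):
        if self._clock() >= self._expires_at:
            body, cache_control = self._fetch()
            self._keys = dict(body)
            self._expires_at = self._clock() + max_age_seconds(cache_control)
        return self._keys

    def key_for(self, kid):
        """Certificate for a token's kid; one forced refresh on a miss, in case the keys rotated."""
        cert = self.keys().get(kid)
        if cert is None:
            self._expires_at = 0.0
            cert = self.keys().get(kid)
        if cert is None:
            raise KeyError("no public key with kid %r" % kid)
        return cert

def demo():
    """Drive the cache with a constructed stand-in for the endpoint; returns the fetch counts."""
    responses = [  # constructed responses: the second one carries a rotated key id
        ({"kid-a": "-----BEGIN CERTIFICATE-----\nA...\n-----END CERTIFICATE-----"},
         "public, max-age=19302, must-revalidate"),
        ({"kid-b": "-----BEGIN CERTIFICATE-----\nB...\n-----END CERTIFICATE-----"},
         "public, max-age=3600, must-revalidate"),
    ]
    calls = []
    def fetch():
        calls.append(1)
        return responses[min(len(calls), len(responses)) - 1]
    clock = [1_700_000_000.0]                     # constructed clock so expiry is deterministic
    cache = PublicKeyCache(fetch, clock=lambda: clock[0])
    cache.key_for("kid-a")
    cache.key_for("kid-a")
    after_two_hits = len(calls)                   # 1: the second lookup is served from the cache
    cache.key_for("kid-b")
    after_unknown_kid = len(calls)                # 2: the miss forced a refresh that found the new kid
    clock[0] += 3600
    cache.key_for("kid-b")
    after_expiry = len(calls)                     # 3: max-age elapsed, so the map was refetched
    try:
        cache.key_for("kid-z")
        unknown_rejected = False
    except KeyError:
        unknown_rejected = True                   # a refresh did not help: reject the token
    return {"after_two_hits": after_two_hits, "after_unknown_kid": after_unknown_kid,
            "after_expiry": after_expiry, "unknown_rejected": unknown_rejected,
            "max_age": max_age_seconds("public, max-age=19302, must-revalidate")}
```

The forced refresh on a miss is what lets a token signed with a freshly rotated key verify before the cached copy expires, but it also lets anyone trigger a fetch by sending a token with a made-up kid, so rate-limit that path (for instance, at most one forced refresh per minute) instead of refetching on every miss.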

Solution

I finally found the answer I was looking for in this post: Migrating Python backend from Gitkit to Firebase-Auth with python-jose for token verification

Since the time of the post there have been updates made to the python-jose package, which gives better support for Firebase id tokens. Here is some working code (jose version 1.3.1) on how to use Python to decode the Firebase id token:

# Python 3 form of the original snippet, which was written for Python 2 (urllib.urlopen, print user).
import json
import urllib.request

from jose import jwt

idtoken = "<id token passed to server from firebase auth>"

target_audience = "<firebase app id>"

certificate_url = 'https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com'

# The endpoint returns a JSON object mapping each key id (kid) to an x509 certificate PEM;
# python-jose picks the certificate whose kid matches the token's header.
with urllib.request.urlopen(certificate_url) as response:
    certs = json.loads(response.read())

# Verifies the RS256 signature, the audience and the expiry;
# raises jose.exceptions.JWTError if the token is not valid.
user = jwt.decode(idtoken, certs, algorithms=['RS256'], audience=target_audience)
print(user)
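What jwt.decode is doing in the answer above, as an added example that is not part of the original answer and is not python-jose's code: RS256 verification of a Firebase ID token using only the standard library, selecting the key by the token's kid and then checking the claims. It assumes the public keys have already been turned into RSA public numbers (kid -> (n, e)); the real endpoint serves x509 certificates, and extracting those numbers is what a JWT library (or the `cryptography` package) does for you. The audience is checked against the Firebase project ID, which is the value the answer's target_audience holds, and the issuer against https://securetoken.google.com/<project ID>. The key generation and signing helpers, the project ID `example-project`, the key ids and the claims are constructed for the example; in production use a maintained library such as python-jose or firebase-admin rather than home-grown RSA.

```python
import base64, hashlib, hmac, json, random, time

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1)
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
def _pkcs1_v15_encode(msg, k):
    """EMSA-PKCS1-v1_5 encoding of sha256(msg) into k bytes: 00 01 FF..FF 00 DigestInfo."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_verify(msg, sig, n, e):
    """RSASSA-PKCS1-v1_5 with SHA-256 against the public numbers (n, e)."""
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return len(sig) == k and hmac.compare_digest(em, _pkcs1_v15_encode(msg, k))

def verify_firebase_id_token(token, keys, project_id, now=None):
    """Claims of a valid Firebase ID token, else ValueError. `keys` maps kid -> (n, e)."""
    now = time.time() if now is None else now
    h64, p64, s64 = token.split(".")            # ValueError unless three segments
    header = json.loads(b64url_decode(h64))
    # Pin the algorithm: the token must not choose it (alg=none, HS256 key confusion).
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg")
    key = keys.get(header.get("kid"))            # kid names the Google cert that signed it
    if key is None:
        raise ValueError("unknown kid")           # keys rotate: refetch them and retry once
    if not rs256_verify((h64 + "." + p64).encode(), b64url_decode(s64), *key):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))     # claims are trusted only past this point
    if claims.get("aud") != project_id:
        raise ValueError("wrong audience")
    if claims.get("iss") != "https://securetoken.google.com/" + project_id:
        raise ValueError("wrong issuer")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired")
    if not isinstance(claims.get("sub"), str) or not claims["sub"]:
        raise ValueError("missing sub")
    return claims

# Test-only helpers: toy RSA key generation and signing with `random` (never for real keys).
def _is_probable_prime(n, rounds=20):
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                      # Miller-Rabin
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_test_keypair(bits=2048):
    half = bits // 2
    candidates = iter(lambda: random.getrandbits(half) | (1 << (half - 1)) | 1, None)
    primes = (c for c in candidates if _is_probable_prime(c))
    while True:
        p, q, e = next(primes), next(primes), 65537
        if p != q and (p - 1) * (q - 1) % e:
            return (p * q, e), pow(e, -1, (p - 1) * (q - 1))   # ((n, e), d)

def sign_test_token(claims, kid, n, d):
    """Mint an RS256 token with a kid header, the shape Firebase's signer produces."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(b64url_encode(json.dumps(x, separators=(",", ":")).encode())
                             for x in (header, claims))
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(_pkcs1_v15_encode(signing_input.encode(), k), "big")
    return signing_input + "." + b64url_encode(pow(em, d, n).to_bytes(k, "big"))

def demo(now=1_700_000_000, bits=2048):
    """Run the verifier on a good token and on the common failure modes; returns the outcomes."""
    project_id = "example-project"               # assumed Firebase project ID
    (n, e), d = make_test_keypair(bits)
    keys = {"kid-1": (n, e)}                     # stands in for the fetched kid -> cert map
    good = {"iss": "https://securetoken.google.com/" + project_id, "aud": project_id,
            "sub": "uid-123", "iat": now, "exp": now + 3600}
    def outcome(token):
        try:
            return verify_firebase_id_token(token, keys, project_id, now)["sub"]
        except ValueError as err:
            return str(err)
    h, p, s = sign_test_token(good, "kid-1", n, d).split(".")
    forged = b64url_encode(json.dumps(dict(good, sub="admin")).encode())  # new payload, old signature
    return {
        "valid": outcome(".".join((h, p, s))),
        "tampered_payload": outcome(".".join((h, forged, s))),
        "alg_none": outcome(b64url_encode(b'{"alg":"none","kid":"kid-1"}') + "." + p + "."),
        "unknown_kid": outcome(sign_test_token(good, "kid-2", n, d)),
        "wrong_audience": outcome(sign_test_token(dict(good, aud="other"), "kid-1", n, d)),
        "expired": outcome(sign_test_token(dict(good, exp=now - 1), "kid-1", n, d)),
    }
```

Calling demo() returns one outcome per case: the good token yields its sub, while the swapped payload, the alg=none header, the unknown kid, the wrong audience and the expired token each fail with the reason. The order matters: the signature is checked before any claim is read, and the algorithm is pinned before the key is looked up, which is the same behaviour you get from jwt.decode when algorithms=['RS256'] is passed. Firebase's rules additionally require iat and auth_time to be in the past; they follow the same pattern as the exp check.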
