Firebase Token Verification
Question
I have a PHP backend and an Android client. With the client the users can log into my app using either Google or Facebook, both via Firebase. I get the token from the FirebaseUser and send it to my server. It is straightforward that the first section (the header) contains the algorithm (which is RS256) and the second one (the payload) has all the user related data. There's a third section which is the signature of the first two to enable verification on my backend. The problem is, I don't know how to do that. More specifically with what.
I used JWT.io to check my token and tried to verify it with no luck. Since the algorithm used is RS256, the verification should be done via the public key. But what public key? I tried with my app's keystore, tried it with Google's certs, but it just keeps saying it's invalid. I understand that the header's kid field is the signing key's ID and I should look for it, but I don't know where.
The Firebase docs don't help either. There is a guide about ID token verification, but that's just useless because it's Java / Node.JS and it still doesn't say anything about public keys.
So the question is: where do I get the public keys from?
Okay, so I dug into the source of the Firebase Server SDK and found the location of the public keys: https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com
Don't really know why they just couldn't put it on their website...
Anyways, I'm not sure, but I guess that these keys change on a daily basis (just like the OAuth2 keys do), so you must check and re-cache them on your server every now and then.
Also, you have to check the following values:
- alg == "RS256"
- iss: https://securetoken.google.com/<firebaseProjectID>
- aud: <firebaseProjectID>
- sub is non-empty
Found these at this similar question (just scroll to the bottom of the answer), which was found by searching for that specific googleapis.com URL.
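The checks listed in the answer, worked through as an added Go example (it is not code from the question or the answer, whose backend is PHP, and it is not Firebase's own SDK code). It splits the token, looks up the certificate by the header's kid in a kid-to-PEM map shaped like the JSON the googleapis.com URL above returns, verifies the RS256 signature with that certificate's public key, and only then checks alg, iss, aud and sub. To run offline, FakeKeys builds a throwaway key and self-signed certificate in place of Google's key set and SignToken mints a token in place of Firebase; "demo-project", "kid-1" and "uid-42" are made-up values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims holds the payload fields the answer says to check.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Sub string `json:"sub"`
}

func decodeSeg(seg string, v interface{}) error { // base64url JWT segment -> JSON value
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// VerifyIDToken checks an RS256 ID token against certs, a kid -> PEM certificate map like the one the googleapis.com URL serves.
func VerifyIDToken(token, projectID string, certs map[string]string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("token must have 3 segments, got %d", len(parts))
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := decodeSeg(parts[0], &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" { // the token never gets to choose the algorithm
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	block, _ := pem.Decode([]byte(certs[hdr.Kid]))
	if block == nil { // unknown kid: the cached key set is stale, or the token was not issued by Google
		return nil, fmt.Errorf("no certificate for kid %q", hdr.Kid)
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2]) // a malformed signature simply fails verification below
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // the signature covers "header.payload"
	if !ok || rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) != nil {
		return nil, fmt.Errorf("signature does not verify under kid %q", hdr.Kid)
	}
	var c Claims
	if err := decodeSeg(parts[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != "https://securetoken.google.com/"+projectID:
		return nil, fmt.Errorf("unexpected iss %q", c.Iss)
	case c.Aud != projectID:
		return nil, fmt.Errorf("unexpected aud %q", c.Aud)
	case c.Sub == "":
		return nil, fmt.Errorf("sub is empty")
	}
	return &c, nil
}

// FakeKeys builds a throwaway key and self-signed certificate under kid, standing in for the real key set (constructed test data; these calls only fail if the RNG does).
func FakeKeys(kid string) (*rsa.PrivateKey, map[string]string) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, map[string]string{kid: string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))}
}

// SignToken mints an RS256 token the way the issuer would, so the verifier can be exercised offline.
func SignToken(key *rsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	sum := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:]) // PKCS#1 v1.5 signing does not use the RNG
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

func main() {
	key, certs := FakeKeys("kid-1")
	tok := SignToken(key, "kid-1", Claims{Iss: "https://securetoken.google.com/demo-project", Aud: "demo-project", Sub: "uid-42"})
	fmt.Println(VerifyIDToken(tok, "demo-project", certs))
	fmt.Println(VerifyIDToken(tok, "other-project", certs)) // the same token presented to another project is rejected
}
```

On a real server the certs map is the parsed JSON fetched from the googleapis.com URL and re-fetched when a kid is missing or the cached copy has aged out, as the answer suggests. Checking exp and fetching the keys are left out here because the answer does not cover them.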