-
|
Firstly, thanks for your work on this package! I'm trying to verify a session cookie from Google Firebase following the directions here, guided by this sample implementation in Python. From the docs, verification should use algorithm "RS256" and a At present time, that URL resolves to a JSON object like this My attempt(Forgive my ignorance - a lot of this is over my head, but I have read the docs and other discussions..) I've tried using The error message I get is
Further notes
eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJuYW1lIjoiTXlzdGVyaW91cyBVc2VyIiwic3RyaXBlIjp7ImNvbm5lY3QiOnsiaWQiOiJhY2N0XzFPWUFDMDRJS2Y2dklNSEIiLCJwYXlvdXRzX2VuYWJsZWQiOmZhbHNlLCJmZWVfcGN0IjowLjEsImZlZV9hbXQiOjAuM30sImN1c3RvbWVyIjp7ImlkIjoiY3VzX1BNdTBLejdKVmJJcUhsIiwic3Vic2NyaXB0aW9ucyI6e30sInB1cmNoYXNlcyI6W119fSwicXVvdGFzIjp7Im1heF9wcm9kdWN0cyI6MTAwLCJtYXhfcG9zdHMiOjMwMCwibWF4X2RlcHRoIjo2LCJtYXhfZmlsZXMiOjEwMDAsIm1heF9maWxlX2J5dGVzIjo1MDAwMDAwLCJzdG9yYWdlX2J5dGVzIjoxMDAwMDAwMDB9LCJyb2xlIjoidXNlciIsImVtYWlsIjoiZm9vQGdtYWlsLmNvbSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwiYXV0aF90aW1lIjoxNzA1MTYzNzc5LCJ1c2VyX2lkIjoiVTEzVEgzYWZMMnpicGNQZ1hVbGdXc3BrTFREciIsImZpcmViYXNlIjp7ImlkZW50aXRpZXMiOnsiZW1haWwiOlsiZm9vQGdtYWlsLmNvbSJdfSwic2lnbl9pbl9wcm92aWRlciI6InBhc3N3b3JkIn0sImlhdCI6MTcwNTE2Mzc4NCwiZXhwIjoxNzA1NTk1Nzg0LCJhdWQiOiJzY2lwcmVzcy1kZXYiLCJpc3MiOiJodHRwczovL3Nlc3Npb24uZmlyZWJhc2UuZ29vZ2xlLmNvbS9zY2lwcmVzcy1kZXYiLCJzdWIiOiJVMTNUSDNhZkwyemJwY1BnWFVsZ1dzcGtMVERyIn0. Any guidance here would be great, thanks! |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 8 replies
-
// CACHE THIS FOR SUBSEQUENT REQUESTS
const JWKS = jose.createRemoteJWKSet(new URL('https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com'))
const { payload, protectedHeader: header } = await jose.jwtVerify(
jwt,
JWKS,
{
issuer,
audience,
}
)
console.log({ payload, header })As for your development tokens, they're Unsecured JWT so you need to use const { payload, header } = jose.UnsecuredJWT.decode(jwt) // ONLY IN DEVELOPMENT ENVIRONMENTS
console.log({ payload, header }) |
Beta Was this translation helpful? Give feedback.
-
|
Sure thing. |
Beta Was this translation helpful? Give feedback.
-
|
If it's helpful, Firebase's logic for token verification appears to be here. Note that I have used their |
Beta Was this translation helpful? Give feedback.
-
|
UPDATE: I think I found the issue. Firebase docs give the wrong URL, as indicated here
I can see my |
Beta Was this translation helpful? Give feedback.
-
|
It would appear you're mixing up firebase's Session Tokens with ID Tokens from ??their other interfaces. These are not the same. The above works for ID Tokens, the below works for their Session Tokens. The session token's issuer keys are not to be found in a JWKS format but only in their weird format here. To verify their Session Tokens you need to work with this weird format yourself, createRemoteJWKSet cannot do this for you because it's not a JSON Web Key Set, a rudimentary version would look like so: import * as jose from "jose";
let publicKeys;
async function sessionPublicKeyResolver(protectedHeader) {
const { kid, alg } = protectedHeader;
if (!publicKeys || !(kid in publicKeys)) {
publicKeys = await fetch(
"https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys"
).then((r) => r.json());
}
// key object was not cached yet
if (typeof publicKeys[kid] === "string") {
publicKeys[kid] = await jose.importX509(publicKeys[kid], alg);
}
return publicKeys[kid];
}
const { payload, protectedHeader: header } = await jose.jwtVerify(
sessionToken,
sessionPublicKeyResolver,
{
issuer,
audience,
}
);
console.log({ payload, header }); |
Beta Was this translation helpful? Give feedback.
-
|
This worked! I cannot thank you enough! |
Beta Was this translation helpful? Give feedback.
As for your development tokens, they're Unsecured JWT so you need to use
jose.UnsecuredJWT.decode. Just be sure to only useUnsecuredJWTin development environments.