0
8
ViewsFirebase ID token has invalid signature even on jwt
Firebase ID token has invalid signature
Hi all, I'm somehow new to NodeJS and I've only used Google Firebase a few times.
Now, I'm trying to verify an idToken generated using getIdToken() method whenever a user signs up or signs in. The token generation works fine but if I try to use this token to authorize a user admin.auth().verifyIdToken(idToken) on another route, I get this error Firebase ID token has invalid signature on Postman. I tried to verify the token on jwt.io as well, it gave error Invalid Signature.
I tried switching to different algorithms, some eventually made the token valid on jwt, but there is usually a VERIFY SIGNATURE box by the bottom-right which I don't really know what to fill there. Well, I've tried copying different newly generated valid tokens by jwt after changing algorithm, but I still get Firebase ID token has invalid signature from Postman.
Does anyone know what the problem may be? Please help.
Santiago Trujillo
5 answers
Answer question0
For some reason, verifyIdToken function throws "Firebase ID token has invalid signature" each time for valid tokens when used in Firebase Emulator locally. I fixed this problem by starting using firebase hosted auth instead of emulator auth (remove auth property from firebase.json). Also, I reported the bug to Firebase.
0
The problem comes from the Firebase Emulator Auth. The Firebase-hosted Auth is unable to verify JWT token generated by the Firebase Emulator Auth.
0
TLDR;
Prefer log from dart:developer over printdebugPrint
I was not using the emulator...
I'm new to Firebase and have experienced this, and even upvoted GeniusHawlah's as Taras Mazurkevych's answers... But couldn't find anything in the Firebase setup related to the simulator that I did.
So it happened I was testing my firebase using a truncated JWT token, printed from Dart's debugPrintlimits truncates output). I was successful in using log from dart:developer!
I was enlightened by https://github.com/flutter/flutter/issues/22665#issuecomment-456858672.
0
I encountered a similar problem, figured out that by BE was pointing to the local emulator, but FE was pointing to the remote Firebase Auth (because of a bug in the code firebase.auth().useEmulator(...) wasn't called)
0
To verify the token on jwt.io, you need to grab one of the public keys from https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com (the "JWK URI", however, is https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com)
Use the kid from jwt.io to know which public key to use from the link above
Paste in the correct key (be sure to clear out any \n characters if they're there) and it should verify correctly:
Source: https://firebase.google.com/docs/auth/admin/verify-id-tokens