Firebase ID token has invalid signature
Hi all, I'm somehow new to NodeJS and I've only used Google Firebase a few times.
Now, I'm trying to verify an idToken generated using getIdToken() method whenever a user signs up or signs in. The token generation works fine but if I try to use this token to authorize a user admin.auth().verifyIdToken(idToken) on another route, I get this error Firebase ID token has invalid signature on Postman. I tried to verify the token on jwt.io as well, it gave error Invalid Signature.
I tried switching to different algorithms, some eventually made the token valid on jwt, but there is usually a VERIFY SIGNATURE box by the bottom-right which I don't really know what to fill there. Well, I've tried copying different newly generated valid tokens by jwt after changing algorithm, but I still get Firebase ID token has invalid signature from Postman.
Does anyone know what the problem may be? Please help.
For some reason, verifyIdToken function throws "Firebase ID token has invalid signature" each time for valid tokens when used in Firebase Emulator locally. I fixed this problem by starting using firebase hosted auth instead of emulator auth (remove auth property from firebase.json). Also, I reported the bug to Firebase.
The problem comes from the Firebase Emulator Auth. The Firebase-hosted Auth is unable to verify JWT token generated by the Firebase Emulator Auth.
I was not using the emulator...
So it happened I was testing my firebase using a truncated JWT token, printed from Dart's
limits truncates output). I was successful in using log from dart:developer over
I was enlightened by https://github.com/flutter/flutter/issues/22665#issuecomment-456858672.
I encountered a similar problem, figured out that my BE was pointing to the local emulator, but FE was pointing to the remote Firebase Auth (because of a bug in the code, firebase.auth().useEmulator(...) wasn't called).
To verify the token on jwt.io, you need to grab one of the public keys from https://email@example.com (the "JWK URI", however, is https://firstname.lastname@example.org)
kid from jwt.io to know which public key to use from the link above
Paste in the correct key (be sure to clear out any \n characters if they're there) and it should verify correctly.
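An added example, not code from any of the posters or from Firebase: a Node.js check that tells apart the causes reported in the answers above (emulator-issued token, truncated token, wrong key for the `kid`, genuinely bad signature). The names `diagnoseIdToken`, `makeToken` and `sample-kid` are hypothetical, and a locally generated key pair stands in for the published signing keys.

```javascript
const crypto = require('node:crypto');

// Classify why an ID token fails verification. `keys` is a Map of kid -> PEM
// (public key or X.509 certificate) taken from the issuer's published key set.
function diagnoseIdToken(token, keys) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) return 'malformed: expected header.payload.signature';
  let header;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
  } catch {
    return 'malformed: header is not base64url-encoded JSON';
  }
  // Auth emulator tokens are unsigned, so a verifier using hosted keys rejects them.
  if (header?.alg === 'none') return 'unsigned: token looks emulator-issued';
  if (header?.alg !== 'RS256') return 'unexpected-alg: hosted ID tokens use RS256';
  const pem = keys.get(header.kid);
  if (!pem) return 'unknown-kid: no published key matches the header kid';
  const key = crypto.createPublicKey(pem);
  const sig = Buffer.from(parts[2], 'base64url');
  // An RSA signature is exactly as long as the modulus; anything else was cut off.
  if (sig.length !== key.asymmetricKeyDetails.modulusLength / 8) {
    return 'truncated: signature length does not match the key size';
  }
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  return crypto.verify('RSA-SHA256', signed, key, sig)
    ? 'valid: signature matches'
    : 'invalid: signed with a different key or contents altered';
}

// Constructed fixtures: a throwaway key pair stands in for the real signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const keys = new Map([['sample-kid', publicKey.export({ type: 'spki', format: 'pem' })]]);
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
function makeToken(header, payload) {
  const input = `${enc(header)}.${enc(payload)}`;
  if (header.alg === 'none') return `${input}.`; // unsigned: empty third segment
  const sig = crypto.sign('RSA-SHA256', Buffer.from(input), privateKey);
  return `${input}.${sig.toString('base64url')}`;
}

const good = makeToken({ alg: 'RS256', kid: 'sample-kid' }, { sub: 'constructed-user' });
console.log(diagnoseIdToken(good, keys));
console.log(diagnoseIdToken(good.slice(0, -40), keys)); // as if cut off by a log limit
console.log(diagnoseIdToken(makeToken({ alg: 'none' }, { sub: 'constructed-user' }), keys));
```

Run the same classification on the backend before calling `verifyIdToken` when debugging; it only reads the token and never replaces the Admin SDK's verification.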