Firebase ID token verification

Johannes S

Hey everyone,

I am currently trying to verify Firebase-generated ID token (my setup is: Firebase for auth, XANO as function & db backend).

Thus, I'm in the process of writing a function to verify a Firebase auth token within Xano (to then auth within Xano and make authenticated API calls) - for this, I am following the steps provided by Firebase (s. bottom part here: https://firebase.google.com/docs/auth/admin/verify-id-tokens)

While I get every step working, I am totally stuck on the bottom part:

Does anyone have a clue how this works?

I assume I need to use JWS or JWE Decode functions and somehow use one of these public keys provided here (https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com; the one matching my kid key id). However, I somehow do not get this set up. It always throws me a format error for the key...

Anyone having a clue?

Thanks!

Johannes

Johannes S

Okay I think I finally figured it out - so for everyone also looking into this:

Simply use these keys (the one corresponding to your kid): https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com

and use it in the same setup as on my screenshot, which looks something like this:

Ray Deck

Google ID Tokens are signed but not encoded. So you use the JWS functions not JWE to get the answers you are looking for.

What error are you getting, and for what inputs (e.g. for what key value, and for what JWT)? Use stop and debug (my favorite function) to surface that data.

Johannes S

Thanks for your answer @Ray Deck!

I am using the JWS decode function from XANOs Security functions.

As input I tried different things:

For token: tried both the full Google ID token and the 3. part (split by ".", the signature, as far as I understand).

For key: tried both the corresponding public key as a JSON (see screenshot) and the certificate string as a text (i.e. the value of the JSON on the screenshot but as a text value as input). For the JSON I get "Invalid key format" and for the string I get "Improper use of newline characters inside key."

Ray Deck

Congrats! JWK can be easier to work with in this situation because Xano thinks natively in JSON. (RSA works too, just can be fiddly)

pau

Just to confirm, I understand that this setup tries to validate and decode a Firebase token and not only to decode it, right?

Because there's not much information regarding the Xano JWS Decode function in the documentation, and I'm not sure how this setup does check for all the requirements for validation that are specified here:
https://firebase.google.com/docs/auth/admin/verify-id-tokens#verify_id_tokens_using_a_third-party_jwt_library

I'm exploring the option to use Firebase Auth and Xano as the backend, but need to find a way to validate the Firebase tokens consistently.

Thanks!

Ray Deck

Yes, Xano can decode and validate a firebase ID token using the Google public keys.

We actually just did a whole round on this in the State Change Pro community with an "office hours extra" plus dedicated video output from it for the benefit of our members building in particular with Flutterflow and Xano, because firebase authentication is well-integrated in Flutterflow.

We work on the hardest 5% of problems in the Pro group, and many of them related to securely integrating between services. Cracking them in content, community and coaching office hours let us move past those sticky bits so we as builders can focus the main of our work on the value-added bits in the business logic and UX that make our apps special.

williamzm

Could i possibly get your help setting this up?

Ray Deck

Sure, come join us on State Change Pro where we have both recorded sessions where we worked this problem and office hours where we work hard topics like this together. I imagine we could get you sorted out relatively quickly.