1

I am working with Firebase and using Facebook authentication which is great. The Auth object contains both the facebook token and the Firebase Auth token and I wish to use the FB token to authenticate to my own backend services without posting the token back to FB from the server in order to validate it. I was expecting that the token would be signed using my own Firebase secrets however this is not the case and I am wondering whether there is any way that I can validate the token that is sent from the Firebase App to my server. After poking around I suspect that there may be some kind of nested signing bit I can't seem to find any documentation to support this suspicion.

Any tips on approaching this appreciated.

NB - I can already generate my own tokens using the FB secrets, I can use those to authenticate the user to allow login through my server and then continue using the auth token to confirm the identity of the user posting back to my server and to FB. The problem is only when using the 3rd party auth tokens ( Facebook logins etc )

Peter Scott
  • 1,318
  • 12
  • 19

1 Answers1

0

I found an answer from another Stack Overflow question.

import urllib, json
from jose import jwt

idtoken = "<id token passed to server from firebase auth>"

target_audience = "<firebase app id>"

certificate_url = 'https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com'

response = urllib.urlopen(certificate_url)
certs = response.read()
certs = json.loads(certs)

#will throw error if not valid
user = jwt.decode(idtoken, certs, algorithms='RS256', audience=target_audience)
print user

The 'secret' to be passed to jwt.decode() is the JSON dict of keys obtained from https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com

Community
  • 1
  • 1
Prince Odame
  • 534
  • 7
  • 17