I am considering to use firebase authentication for a new service.
As I understand it, when the user is authenticated, firebase generates an id token that can be verified on the server with one of the certificates published on https://www.googleapis.com/robot/v1/metadata/x509/securetoken#system.gserviceaccount.com.
If the verification is successful, I can trust the uid
But, I need to be able to prove how I obtained that session (and why it was trusted) at a later time, and I don't know how to do it
I could save the generated id token and the certificate that it was used, then show that the signature is valid (even if the token is expired). But the firebase certificates are self signed, so there is no way that I can prove that I didn't fake the whole process
This could be solved if there was a history or log of the expired certificates, but I could not find it
Is there a log of the certificates that I didn't see? Is it possible to do this in some other way?
Any help would be greatly appreciated
Related
In my application I have used aws cognito with next auth for user auth.
In the jwt callback that I have from api next-auth I receive an access token, which is then saved and sent to the client side. There, I save it in local storage and, among other things, I send it to my api which checks if it is correct.
The problem is that after an hour the access token expires and does not get a new one (always next-auth gives me old value). Has anyone had a similar flow and knows how to manage a session refresh? I will add that I am not automatically logged out because next-auth is managing it underneath, but it does not return the value of the new access token to me.
Do you have any ways how to manage this?
I can suggest a workaround that would take the least effort to solve this quickly. Amazon Cognito contains 3 kinds of tokens, the ID Token, Access Token and Refresh Token.
From the Amazon Cognito console, you can increase the validity of the token you're dealing with from there. A good idea is to refer to this answer.
Albeit you might need a couple of methods to assert security and robustness.
I am starting to learn about JWT and I was wondering if some one got a hold of both my id token and refresh token, could that someone access firestore or other firebase resources pretending to be me indefinitely(until the refresh token is revoked)?
If so, how does firebase prevent this from happening?
I can't help feeling that the if someone could get my id token, it's not that hard to access the refresh token as well.
All communication with Firebase APIs are over HTTPS, which means that no one can listen in on that communication. It is secure. If someone got both a fresh ID token and a refresh token, then could impersonate you when making calls to Firebase APIs.
However, no one can get your ID token or refresh token unless you make a security mistake. For example, leaving your computer unlocked while you're signed in would be a bad idea. Or, having a password that's easy to guess. Use all the standard security precautions, and you won't have a problem.
I am considering writing an app using firebase. As part of my app I need to execute code in a trusted environment (to prevent user tampering), hence a firebase function.
The firebase documentation specifies an https onCall function, which provides some user data, such as the username and password as well as the uid. Is this data trustworthy or could an unscrupulous user forge credentials?
I have found the answer to my question. In the protocol specification for https.onCall firebase state that they verify the user credentials (most importantly, the user's auth token). Any requests supplied without valid user credentials are rejected.
Okay so in my iOS app I log the user into firebase, then get the jwt token. So now I have my server with an api which accepts an idtoken in the header of the GET.
What do I do here? Certainly I wouldn't be validating the JWT againt firebase on every single API call right? I mean its fast, but that adds latency with a second external check, no? How does one simply just decode that guy in C#? I have an Auth0 layer already and that decodes the JWT with my server-stored secret, but that same code doesn't work for the Firebase token.
Could it just be decoded then extract the user details from that, maybe just check expiry and if expiry > X months it's still okay?
In order to verify Firebase ID tokens and JWTs in general, you only make a network call on your server to get the public certs which are usually not updated for several hours. You could cache that and try to verify with an ID token and if it fails, only then, load the new public certs.
And yes, you must verify the ID token on each call especially since Firebase ID tokens expire after typically an hour and need to be refreshed continuously.
I'm considering to use Firebase to perform identity verification. I am new to JWT, so my apologies if this is an obvious question, but I don't understand how the verification is actually done. It seems that FirebaseAuth.getInstance().verifyIdToken(idToken) works asynchronously, as the result is obtained via a listener. I understand that some certificates are used as described here, and that those certificates are rotated regularly. Does it mean that networking is required between my back-end server and Firebase server's each time I will call verifyIdToken()? Isn't it a problem ?
In order to verify Firebase ID tokens, the Firebase Auth public certs need to be retrieved (network request) and these are rotated on a regular basis. These are needed to ensure the Id token has not been tampered with. The JWT is first parsed, the algorithm to encrypt the token is checked to see if it matches the expected one, the signature is then verified using the public key obtained, finally the JWT claims are validated ensuring the token has not expired.