问题
We are starting the development of a web app and were thinking of using Firebase Authentication to handle our sign up flow. However, we are unsure about how the ID token verification works. It seems possible to verify a user with its token outside the Firebase realm. We are thinking of having a Node.js app on Google Kubernetes Engine – as far as I know, it does not integrate with Firebase Authentication.
Firebase provides this example on how to verify ID tokens using the Firebase Admin SDK:
// idToken comes from the client app (shown above)
admin.auth().verifyIdToken(idToken)
.then(function(decodedToken) {
var uid = decodedToken.uid;
// ...
}).catch(function(error) {
// Handle error
});
My question is whether or not Firebase has to make a call to its servers in order to verify the ID token on each user request – which would add a delay –, or if it caches the cryptographic keys required to verify the token for a long time – that's how I assume it works.
回答1:
When you call verifyIdToken
, the Admin SDK decodes the token with the public key and verifies that the signature is valid. It downloads this key from Google's servers, but it's cached for 24 hours (since it hardly ever changes). After verifying the token, it checks whether the token was revoked, which requires another call to the Firebase Authentication servers. This request happens for each call to verifyIdToken
.
You can check this against the source code.
- verifyIdToken
- fetchPublicKeys
- verifyJWT
- verifyDecodedJWTNotRevoked
回答2:
I have a similar use case where I'm trying to use Firebase authentication in my app. Does the idToken need to be passed in with every request once the user is logged in (and then correspondingly verified by the backend on every request)?
EDIT: looks like Hiranya answered the question here: Firebase Token Authentication using Django
来源:https://stackoverflow.com/questions/54518082/verifying-id-tokens-with-firebase-authentication