Firebase: Failed to verify the signature of Firebase ID token
My God... the logger that I used in Dart decided to just cap the JWT string, so the JWT was incomplete.
Now I get a 'forbidden' message, happy joy. But the previous error has been resolved.
Edit: 'Forbidden' was a consequence of a minor Spring Boot issue (adding roles to authorities).
It now works as expected.
html_programmer
Java consultant. Passionate about web development in general and always experimenting with common software tech in my private time.
Updated on November 28, 2022
html_programmer over 1 year
When I try to verify the Firebase JWT in my Spring Boot backend application, I get the following error:
Failed to verify the signature of Firebase ID token. See https://firebase.google.com/docs/auth/admin/verify-id-tokens for details on how to retrieve an ID token.
In the client (Flutter) I log the JWT as follows:
    GoogleSignInAccount googleSignInAccount = await _googleSignIn.signIn();
    GoogleSignInAuthentication googleSignInAuthentication =
        await googleSignInAccount.authentication;
    AuthCredential credential = GoogleAuthProvider.credential(
      accessToken: googleSignInAuthentication.accessToken,
      idToken: googleSignInAuthentication.idToken,
    );
    UserCredential authResult = await _auth.signInWithCredential(credential);
    _user = authResult.user;
    logger.i(await _user.getIdToken()); // Print the Firebase ID token (JWT)
I send the JWT that gets logged to my backend through the Authorization header as a bearer token.
Using Spring Security (it doesn't matter), I just perform the following check:
FirebaseToken decoded = FirebaseAuth.getInstance().verifyIdToken(token);
My Firebase app init config is pretty standard (the env variable pointing to config.json is set):
    @Primary
    @Bean
    public void firebaseInit() throws IOException {
        // Application default credentials: read from the file named by GOOGLE_APPLICATION_CREDENTIALS
        FirebaseOptions options = FirebaseOptions.builder()
                .setCredentials(GoogleCredentials.getApplicationDefault())
                .build();
        if (FirebaseApp.getApps().isEmpty()) {
            FirebaseApp.initializeApp(options);
        }
    }
After debugging, the following method throws in class RSASignature (package sun.security.rsa):
    @Override
    protected boolean engineVerify(byte[] sigBytes) throws SignatureException {
        if (publicKey == null) {
            throw new SignatureException("Missing public key");
        }
        try {
            // The decoded signature must be exactly as long as the RSA modulus
            if (sigBytes.length != RSACore.getByteLength(publicKey)) {
                throw new SignatureException("Signature length not correct: got "
                        + sigBytes.length + " but was expecting "
                        + RSACore.getByteLength(publicKey));
            }
            // ... (rest of the JDK method omitted)
sigBytes length is 113, whereas it expects 256.
Perhaps I'm doing something wrong though...
Aegletes about 2 years
Oh my god. Thank you, I have no words.
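As an added example (not code from the question, the answer, or the Firebase Admin SDK), the stand-alone Java 11+ program below reproduces the failure described in the thread and shows the sanity check a backend can run before handing a bearer token to verifyIdToken. It mints an RS256 JWT with a locally generated 2048-bit key as a constructed stand-in for a Firebase ID token (the Admin SDK's JWK fetch, kid lookup and claim checks are not reproduced), verifies it, then cuts the signature segment to 151 base64url characters, which decode to the 113 bytes in the question's stack trace, and shows the shape check and the JDK's own RSA verifier both rejecting it with a specific message. The expected signature length of 256 bytes is the modulus length the question's trace reports; checkShape, mintToken and verifySignature are hypothetical helper names.

```java
import static java.nio.charset.StandardCharsets.UTF_8;

import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.SignatureException;
import java.security.interfaces.RSAPublicKey;
import java.util.Base64;

public class IdTokenShapeCheck {

    // Hypothetical pre-check: fail with a specific message when the bearer token is not a
    // complete RS256 JWT, instead of letting verifyIdToken report a generic signature failure.
    // expectedSigBytes is the RSA modulus length in bytes (256 for a 2048-bit key).
    static void checkShape(String token, int expectedSigBytes) {
        if (token == null || token.isBlank()) {
            throw new IllegalArgumentException("empty bearer token");
        }
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) {
            throw new IllegalArgumentException("expected header.payload.signature, got "
                    + parts.length + " segment(s)");
        }
        Base64.Decoder dec = Base64.getUrlDecoder(); // accepts unpadded base64url, rejects '+' and '/'
        String header;
        byte[] sig;
        try {
            header = new String(dec.decode(parts[0]), UTF_8);
            sig = dec.decode(parts[2]);
        } catch (IllegalArgumentException e) {
            throw new IllegalArgumentException("segment is not valid base64url (token cut mid-character?): "
                    + e.getMessage());
        }
        if (!header.contains("\"alg\":\"RS256\"")) {
            throw new IllegalArgumentException("header alg is not RS256: " + header);
        }
        if (sig.length != expectedSigBytes) {
            throw new IllegalArgumentException("signature is " + sig.length + " bytes, expected "
                    + expectedSigBytes + " (token truncated in transit or by a logger?)");
        }
    }

    static String b64url(byte[] b) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    // Mints an RS256 JWT with a local key: a constructed stand-in for a Firebase ID token.
    static String mintToken(KeyPair kp, String headerJson, String payloadJson) throws Exception {
        String signingInput = b64url(headerJson.getBytes(UTF_8)) + "." + b64url(payloadJson.getBytes(UTF_8));
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(kp.getPrivate());
        s.update(signingInput.getBytes(UTF_8));
        return signingInput + "." + b64url(s.sign());
    }

    // Raw RS256 signature verification, the step that fails inside the JDK in the question.
    static boolean verifySignature(String token, RSAPublicKey pub) throws Exception {
        String[] p = token.split("\\.", -1);
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(pub);
        s.update((p[0] + "." + p[1]).getBytes(UTF_8));
        return s.verify(Base64.getUrlDecoder().decode(p[2]));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        RSAPublicKey pub = (RSAPublicKey) kp.getPublic();
        int modulusBytes = (pub.getModulus().bitLength() + 7) / 8; // 256 for a 2048-bit key

        String token = mintToken(kp,
                "{\"alg\":\"RS256\",\"typ\":\"JWT\",\"kid\":\"local-test-key\"}",
                "{\"iss\":\"constructed-example\",\"sub\":\"user-1\"}");
        checkShape(token, modulusBytes);
        System.out.println("complete token verifies: " + verifySignature(token, pub));

        // A 256-byte signature is 342 base64url characters. Keeping only 151 of them, as a
        // capped logger might, leaves 37 full groups plus 3 characters: 111 + 2 = 113 bytes.
        String truncated = token.substring(0, token.length() - 191);
        try {
            checkShape(truncated, modulusBytes);
        } catch (IllegalArgumentException e) {
            System.out.println("shape check: " + e.getMessage());
        }
        try {
            System.out.println("JDK verifier: " + verifySignature(truncated, pub));
        } catch (SignatureException e) {
            System.out.println("JDK verifier: " + e.getMessage());
        }
    }
}
```

With the default SunRsaSign provider the second call throws the "Signature length not correct" SignatureException quoted in the question, which is what the Firebase Admin SDK wraps as "Failed to verify the signature of Firebase ID token". Running checkShape first turns that opaque failure into a message that points at the transport or logging path rather than at the keys; it is a diagnostic only and does not replace verifyIdToken, which still has to check the kid against Google's published keys and validate the claims.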