Setting up firebase v3 custom auth with php

Question

I'm trying to set up custom auth with the new firebase sdk from google following those guidelines : https://firebase.google.com/docs/auth/server#use_a_jwt_library
In the samble code it says :

Get your service account's email address and private key from the JSON key file

Unfortunately I have not idea where to get this json file. If I go to my firebase console (https://console.firebase.google.com/) I manage to donwload a json file but it does not contain any email adress and private key.

I managed to find a json file that contains an email adress and a private key in my google cloud platform console (http://console.cloud.google.com) by goind into the "API Manager > Credentials" menu. Surprisingly my firebase app was showed there. I copy and pasted the email and key into the sample code, then I got this error :

Warning: openssl_sign(): supplied key param cannot be coerced into a private key in /volume1/web/yeti/vendor/firebase/php-jwt/src/JWT.php on line 183 Fatal error: Uncaught exception 'DomainException' with message 'OpenSSL unable to sign data' in /volume1/web/yeti/vendor/firebase/php-jwt/src/JWT.php:185 Stack trace: #0 /volume1/web/yeti/vendor/firebase/php-jwt/src/JWT.php(154): Firebase\JWT\JWT::sign('eyJ0eXAiOiJKV1Q...', NULL, 'RS256') #1 /volume1/web/yeti/jwt.php(21): Firebase\JWT\JWT::encode(Array, NULL, 'RS256') #2 /volume1/web/yeti/jwt.php(24): create_custom_token('1234', false) #3 {main} thrown in /volume1/web/yeti/vendor/firebase/php-jwt/src/JWT.php on line 185

Does someone has an idea of what I'm doing wrong ?

Thanks

A Firebase project is "just" a special type of Google Cloud Platform project, so your Firebase projects indeed are supposed to show up in the Google Cloud Platform console. On creating a service account, see the first paragraph in [this link](https://firebase.google.com/docs/database/server/start#server-sdk-authentication) — Frank van Puffelen, Jun 14 '16 at 01:32
Thanks for your answer. But still not working. Did what explained in the link. Still getting the same error. _( Warning: openssl_sign(): supplied key param cannot be coerced into a private key )_ — Jean-Philippe, Jun 14 '16 at 11:02

MyUserInStackOverflow · Answer 1 · 2016-06-24T06:58:15.577

Did you find the solution ? Still experiencing the same issue ! Works with HS256 and doesn't with RS256. Is it google cloud kind of limitation ?

Thank you so much ! @dbburgess

Problem: Was using the wrong key and email. These should be generated in the Google Cloud credentials section that corresponds to the Firebase project.

Solution:

Go to 'console.cloud.google.com'.
Select the related Firebase project.
Then 'API Manager' -> 'Credentials'.
'Create Credentials' -> 'Service Account Key' -> Choose JSON.
The created file will contain the needed 'private_key' & 'client_email'.

Fill the values:

$service_account_email = "autogeneratedemail@developer.gserviceaccount.com"; $private_key = "-----BEGIN PRIVATE KEY-----\nSoneVeryVeryLongKey=\n-----END PRIVATE KEY-----\n"; $uid = 'UserToUseInFirebaseRules'; $is_premium_account = $uid;

You shouldn't need to change anything in the "create_custom_token" function, maybe the expiration date/time according to your needs.

Then call the function:

create_custom_token($uid, $is_premium_account);

What function is create_custom_token? – user2722667 Sep 14 '16 at 15:45 — user2722667, Sep 14 '16 at 15:45
That's taken from the documentation. – MyUserInStackOverflow Dec 13 '16 at 18:21 — MyUserInStackOverflow, Dec 13 '16 at 18:21

score 5 · Answer 2 · answered Jun 23 '16 at 21:51

This is what I'm doing, and it works fine. What you provide in the claims array is what shows up on auth in the security rules. The email and key come from the json file you get when you create a service account (see: Before you begin section).

$userId = '1234';
$email = 'sample@email.com';
$key = 'giant_key_goes_here';

$payload = [
    'iss' => $email,
    'sub' => $email,
    'aud' => 'https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit',
    'iat' => time(),
    'exp' => time() + 60 * 60,
    'uid' => $userId,
    'claims' => [
        'uid' => $userId,
    ],
];

$token = JWT::encode($payload, $key, 'RS256');

It's worth noting, the format on the keys is a little tricky...Your key will look something like this (just an example key):

You may need to do a little fancy formatting, this is essentially what I did:

$key = "-----BEGIN PRIVATE KEY-----\nMIICXAIBAAKBgQCqGKukO1De7zhZj6+H0qtjTkVxwTCpvKe4eCZ0FPqri0cb2JZfXJ/DgYSF6vUp\nwmJG8wVQZKjeGcjDOL5UlsuusFncCzWBQ7RKNUSesmQRMSGkVb1/3j+skZ6UtW+5u09lHNsj6tQ5\n1s1SPrCBkedbNf0Tp0GbMJDyR4e9T04ZZwIDAQABAoGAFijko56+qGyN8M0RVyaRAXz++xTqHBLh\n3tx4VgMtrQ+WEgCjhoTwo23KMBAuJGSYnRmoBZM3lMfTKevIkAidPExvYCdm5dYq3XToLkkLv5L2\npIIVOFMDG+KESnAFV7l2c+cnzRMW0+b6f8mR1CJzZuxVLL6Q02fvLi55/mbSYxECQQDeAw6fiIQX\nGukBI4eMZZt4nscy2o12KyYner3VpoeE+Np2q+Z3pvAMd/aNzQ/W9WaI+NRfcxUJrmfPwIGm63il\nAkEAxCL5HQb2bQr4ByorcMWm/hEP2MZzROV73yF41hPsRC9m66KrheO9HPTJuo3/9s5p+sqGxOlF\nL0NDt4SkosjgGwJAFklyR1uZ/wPJjj611cdBcztlPdqoxssQGnh85BzCj/u3WqBpE2vjvyyvyI5k\nX6zk7S0ljKtt2jny2+00VsBerQJBAJGC1Mg5Oydo5NwD6BiROrPxGo2bpTbu/fhrT8ebHkTz2epl\nU9VQQSQzY1oZMVX8i1m5WUTLPz2yLJIBQVdXqhMCQBGoiuSoSjafUhV7i1cEGpb88h5NBYZzWXGZ\n37sJ5QsW+sJyoNde3xH8vdXhzU7eT82D6X/scw9RZz+/6rCJ4p0=\n-----END PRIVATE KEY-----\n";

Note the line breaks are turned into \n, and it is all smushed onto one line. There are various ways of accomplishing it, but...Based on the error you got, something like this may be the problem.

hello @dbburgess can you help how to change private key into a single line string? thanks — IIM NUR DIANSYAH, Oct 01 '19 at 09:44

Jean-Philippe · Answer 3 · 2016-06-15T10:39:25.767

4

Found my self what was wrong ! The sample php code from the documentation is buggy. Instead of

return JWT::encode($payload, $private_key, "RS256");

use

return JWT::encode($payload, $private_key, "HS256");

Edit :
Actually, it was just the sample php code from google firebase doc that was completely buggy. it was passing an empty key to php-jwt. Looks like they updated it today and it's working fine :)

edited Jun 15 '16 at 10:39

answered Jun 14 '16 at 12:51

Jean-Philippe

241
2
4
11

Great to hear that you found the problem and thanks for reporting back! I'll add a note that we need to update the documentation. – Frank van Puffelen Jun 14 '16 at 13:24
There is also a syntax error in the sample php code in this line : `"claims" => array( "premium_account" => $is_premium_account ); ` the ; should be removed – Jean-Philippe Jun 14 '16 at 14:41
3

This token will absolutely not validate. Google only uses RS256 JWTs. – foxxtrot Jun 14 '16 at 16:43
Looks like your are right. Now i get this exception _com.google.firebase.auth.FirebaseAuthInvalidCredentialsException: The custom token format is incorrect. Please check the documentation._ when implementing `mAuth.signInWithCustomToken(result) .addOnCompleteListener(YetieActivity.this, new OnCompleteListener() { ...` – Jean-Philippe Jun 15 '16 at 02:02

score 1 · Answer 4 · answered Aug 12 '20 at 18:37

I was having the same problem. After reading @Jean-Philippe answer I was able to generate the token using HS256 instead of RS256. But this was resulting in an invalid token every time even after changing credentials.

Using jwt.io to debbug it, everything was correct but still getting invalid token from firebase.auth().signInWithCustomToken(token).catch(function (error) {}.

After searching in github I found this issue. So I used double quotes instead of single quotes in $private and it worked with RS256.

require_once('../vendor/autoload.php');
use \Firebase\JWT\JWT;

$service_account_email = env('ACCOUNT_EMAIL');
$private_key = env('ACCOUNT_SECRET');

class generateToken
{
    public static function generateNewToken($mysqli, $userID, $email)
    {
        global $service_account_email, $private_key;

        $name = '';
        $lastname = '';
        $hostOption = '';
        $now_seconds = time();

        $selectUserData = "SELECT username, lastname, hostOption FROM signup WHERE id = ? ";
        $stmt = $mysqli->prepare($selectUserData);
        $stmt->bind_param('i', $userID);
        $stmt->execute();
        $stmt->store_result();
        $stmt->bind_result($name, $lastname, $hostOption);
        $stmt->fetch();

        $payload = array(
            "iss" => $service_account_email,
            "sub" => $service_account_email,
            "aud" => "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit",
            "iat" => $now_seconds,
            "exp" => $now_seconds + (60 * 60),  // Maximum expiration time is one hour
            "uid" => strval($userID),
            "claims" => array(
                "username" => $name,
                "lastname" => $lastname,
                "email" => $email,
                "hostOption" => $hostOption,
            )
        );

        return JWT::encode($payload, $private_key, 'RS256');
    }
}

env.php:

$vars = [
    'ACCOUNT_EMAIL' => "admin@myproject.iam.gserviceaccount.com",
    'ACCOUNT_SECRET' => "-----BEGIN PRIVATE KEY-----\nVERYLONGKEY=\n-----END PRIVATE KEY-----\n"
];

foreach($vars as $key => $value){
    putenv("$key=$value");
}

lindelius commented on 7 Aug 2018 • 
The reason is because the key contains new-line characters (\n) which are incorrectly handled when used within single-quotes, i.e. they are treated as the characters "\n" rather than actual new lines.

score -1 · Answer 5 · answered Aug 30 '16 at 14:56

-1

instead of

$key = 'giant_key_goes_here';
token = JWT::encode($payload, $key, 'RS256');

use

define("FIREBASE_PRIVATE_KEY","giant_key_goes_here");
token = JWT::encode($payload, FIREBASE_PRIVATE_KEY, 'RS256');

answered Aug 30 '16 at 14:56

Essam Elmasry

1,212
11
11

can you explain your reasoning? how does that produce anything different? – KFE Sep 27 '16 at 21:39
I am no php expert, only sharing how I managed to solve a similar issue to the OP. – Essam Elmasry Sep 29 '16 at 09:34

Setting up firebase v3 custom auth with php

5 Answers5

Linked