Migrating Python backend from Gitkit to to Firebase-Auth with python-jose for token verification

Question

Over on GitHub a helpful Google dev told me that

to create a user session, your python backend server only needs a JWT library to verify the Firebase Auth token (signature and audience) in the request and extract the user info from the token payload.

I am having trouble with verifying the token.

This is where I'm at; In order to start the migration I proceeded as follows:

I added Firebase-Auth to the Android App, while still having Gitkit in the App until Firebase-Auth works. Now I have two sign-in buttons, one which signs in into Firebase and one for the "almost deprecated" Gitkit.
On firebase.com I imported the Google project into a new Firebase Project, so the user database is the same. I've already managed to use Firebase-Auth in the Android App, am able to log-in as a known user and I can successfully retrieve the token which I will need for my backend server by calling mFirebaseAuth.getCurrentUser().getToken(false).getResult().getToken(). It contains the same user_id as the GitKit token.

Now I'm attempting to replace the identity-toolkit-python-client library with python-jose. Since I'm currently not sending the Firebase token to the backend, but only the Gitkit token, I want to test this python-jose library on the Gitkit token.

On the backend, before calling GitKit.VerifyGitkitToken() i'm now printing out the results of jose.jwt.get_unverified_header() and jose.jwt.get_unverified_claims() in order to check if I get to see what I expect. The results are good, I am able to view the content of the Gitkit token just as expected.

My problem comes with the verification. I'm unable to use jose.jwt.decode() for verification because I don't know which key I need to use.

jose.jwt.decode(token, key, algorithms=None, options=None, audience=None, issuer=None, subject=None, access_token=None)

I know the algorithm from the header and an 'aud' field is also stored in the claims, if that is of any help.

Getting back to the engineers comment

verify the Firebase Auth token (signature and audience)

How do I do that with the info I have avaliable? I guess audience is the 'aud' field in the claims, but how do I check the signature?

Once I've removed the Gitkit dependency on the server, I will continue with the migration.

From what I've seen, the GitKit library apparently makes an "RPC" call to a Google server for verification, but I may be wrong.

So, which will be the key for Gitkit token verification as well as the one for the Firebase token verification?

I'm in a similar situation. You already saw this? https://firebase.google.com/docs/auth/server/verify-id-tokens#verify_id_tokens_using_a_third-party_jwt_library — EdgarT, Aug 25 '16 at 22:31
Yeah, I already got it working. I just added the answer below. — Daniel F, Aug 25 '16 at 22:41

Daniel F · Accepted Answer · 2016-11-28T14:46:21.333

The keys can be obtained

for Firebase at https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com

and for Gitkit at https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys

Using Googles oauth2client library makes the verification very easy.

But if you want to use python-jose instead of oauth2client, then you first need to convert the PEM certificate into an RSA public key (update: this issue got fixed, for Firebase this is now handled by the library, scroll down to the end in the GitHub link preceding this comment. Not sure about Gitkit). This public key is then the key that needs to be used. And the audience should not be extracted from the JWT header, but hard coded into the source code, where in Firebase the audience is the project id and in Gitkit it is one of the OAuth 2.0 client IDs which can be found in the Google Developer Console Credentials section.

The kid in the JWT header is used to select the appropriate certificate which will be used to obtain the key used to perform the verification.

  # firebase
  # target_audience = "firebase-project-id"
  # certificate_url = 'https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com'

  # gitkit
  target_audience = "123456789-abcdef.apps.googleusercontent.com" # (from developer console, OAuth 2.0 client IDs)
  certificate_url = 'https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys'

  response = urllib.urlopen(certificate_url)
  certs = response.read()
  certs = json.loads(certs)
  print "CERTS", certs
  print ''
  print ''

  # -------------- verify via oauth2client
  from oauth2client import crypt
  crypt.MAX_TOKEN_LIFETIME_SECS = 30 * 86400 # according to https://github.com/google/identity-toolkit-python-client/blob/master/identitytoolkit/gitkitclient.py
  print "VALID TOKEN", crypt.verify_signed_jwt_with_certs(idtoken, certs, target_audience)  
  print ''
  print ''

  # -------------- verify via python-jose
  from jose import jwt
  unverified_header = jwt.get_unverified_header(idtoken)
  print "UNVERIFIED HEADER", unverified_header
  print ''
  print ''
  unverified_claims = jwt.get_unverified_claims(idtoken)
  print "UNVERIFIED CLAIMS", unverified_claims
  print ''
  print ''
  from ssl import PEM_cert_to_DER_cert
  from Crypto.Util.asn1 import DerSequence
  pem = certs[unverified_header['kid']]
  der = PEM_cert_to_DER_cert(pem)
  cert = DerSequence()
  cert.decode(der)
  tbsCertificate = DerSequence()
  tbsCertificate.decode(cert[0])
  rsa_public_key = tbsCertificate[6]
  print "VALID TOKEN", jwt.decode(idtoken, rsa_public_key, algorithms=unverified_header['alg'], audience=target_audience)

This is the best answer I have seen about this so far, I am trying to use jose to verify a firebase id token. On the line `pem = certs[unverified_header['kid']]` I am getting a key error. the `kid` doesn't exist in the certificates from googleapis url... I can visually see that the `kid` from my idtoken isn't in list of 3 from that URL... — jeffery_the_wind, Nov 28 '16 at 14:17
The `kid` is in the JWT, not in the certificate. Am I understanding you right, that you are expecting the `kid` to be in the certificate? — Daniel F, Nov 28 '16 at 14:22
Oh, I see. It MAY be a loadbalancer issue, or you are mixing up Firebase's Endpoint with the Google-Sign in one? I think I was facing a similar problem, it may be related http://stackoverflow.com/questions/39281386/firebase-public-key-when-to-refresh ~ I'm re-fetching the certificate page when the `kid` isn't found in the list. — Daniel F, Nov 28 '16 at 14:24
I am getting the idtoken from the authenticated user in my browser, pasting in to a python script to figure this out. I can see the `kid` printed in the UNVERIFIED HEADER output from your script as well as in the jwt.io debugger. When when I open up the googleapis url, I see the json output there but my `kid` is not one of the certificate ids there. Reading that link you just posted... — jeffery_the_wind, Nov 28 '16 at 14:31
Are you still facing the issue? I just updated the answer to mention that the library got updated (some time ago) in order to handle the verification of Firebase tokens internally (I think only Firebase, not Gitkit). Maybe that could help you. — Daniel F, Nov 28 '16 at 14:48
Sorry last comment. Yes I was using the wrong idtoken returned from the firebase request, so I found the right one, and it passed the test using the simple code for jose version 1.3.1. I will remove my previous comments so they don't clutter this nice post. The working code is: `jwt.decode(idtoken, certs, algorithms='RS256', audience=target_audience)`, where `certs` is constructed using `json.loads` like in the answer. — jeffery_the_wind, Nov 28 '16 at 15:21

Migrating Python backend from Gitkit to to Firebase-Auth with python-jose for token verification

1 Answers1

Linked