I have a couple of mobile applications that use firebase authentication and upon auth success they can ask for a jwt token from firebase.
The app calls an api for various tasks other than auth. I want the app to pass the token into the api endpoint calls via the header so that api can validate it is an authenticated user.
The token expiry is to be ignored, only the issuer and audience must be validated.
The api is developed using python flask. I see 2 options for firebase jwt token auth:
Firebase sdk:
def check_token(f): @wraps(f) def wrap(*args,**kwargs): if not request.headers.get('authorization'): return {'message': 'No token provided'},400 try: user = auth.verify_id_token(request.headers['authorization']) request.user = user except: return {'message':'Invalid token provided.'},400 return f(*args, **kwargs) return wrapCustom code (pseudocode): Same Decorator as above but rather than using sdk, and since firebase jwt uses RSA, I will fetch the Google public key from online. Then use library like pyjwt to decode the token. If decode is not successfull then abort. Example code from this link is pasted below: https://stackoverflow.com/a/69323655/1779091
Code-
import jwt
import requests
from cryptography.hazmat.backends import default_backend
from cryptography import x509
def check_token(token):
n_decoded = jwt.get_unverified_header(token)
kid_claim = n_decoded["kid"]
response = requests.get("https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com")
x509_key = response.json()[kid_claim]
key = x509.load_pem_x509_certificate(x509_key.encode('utf-8'), backend=default_backend())
public_key = key.public_key()
decoded_token = jwt.decode(token, public_key, ["RS256"], options=None, audience="<FIREBASE_PROJECT_ID>")
print(f"Decoded token : {decoded_token}")
check_token("FIREBASE_ID_TOKEN")
