Reputation: 1058
Security issue with verifying firebase token on server side?
I am using firebase mobile otp authentication. After successful authentication my android app receives a token which I have to verify on my django server. But while I was reading the docs of verifying this token, it comes out that if someone knows my firebase project-id, they can generate valid tokens anytime they want.
To get contec, look at the last method to verify firebase token at link
Isn't this quite risky, as once your firebase project id is known to someone, they can create fake tokens??
Also does custom authentication token help overcome this problem?
Thanks. Let me know if I have incorrectly understood the firebase token validation and it is not possible to create fake tokens once we know the firebase project-id.
Upvotes: 0
Views: 824
Answers (1)
Reputation: 7438
ID tokens are signed by a private key owned by Firebase Auth. They cannot be forged. Note that the doc you've referenced also states:
Finally, ensure that the ID token was signed by the private key corresponding to the token's kid claim. Grab the public key from https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com and use a JWT library to verify the signature.
A forged ID token will not pass the signature check.
Upvotes: 3
Related Questions
- Is using the firebase accessToken to identify users server side a secure method?
- Verifying ID tokens with Firebase Authentication
- Firebase Admin SDK : Verifying ID tokens from the REST API
- How to properly verify a token in Firebase Authentication
- Firebase Verify ID token strange behavior
- Firebase token verification on server
- Is it still possible to do server side verification of tokens in Firebase 3?
- Firebase authenticate as admin
- Using Firebase for server side authentication
- Verify clients Firebase token at node.js server