Quarkus and Firebase Authentication

Question

I'm developing a new REST Service using Quarkus (1.3.2.Final) and I'm trying to integrate Firebase Authentication with Smallrye-Jwt but it failed.

My first try was to point publickey.location to Google's URL and it failed because there are two keys and the correct publicKey to check signature depends on jwt "kid" header value:

mp.jwt.verify.publickey.location=https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com
mp.jwt.verify.issuer=https://securetoken.google.com/<projectId>
quarkus.smallrye-jwt.auth-mechanism=MP-JWT
quarkus.smallrye-jwt.enabled=true

My second try was create a service (Kind of "PublicKeyResolver") to request google's url and extract the correct public key based on "kid" claim value:

mp.jwt.verify.publickey.location=http://localhost:8080/api/certs/publicKey

That strategy failed because "Authorization" http header is not included in request for publicKey.

There is a way to integrate Quarkus and Firebase Authentication?

Answer 1

There is a way for Quarkus-Firebase integration. According to Quarkus documentation mp.jwt.verify.publickey.location is a location of Public Key. Moreover, supported public keys formats are defined as well (https://quarkus.io/guides/security-jwt#supported-public-key-formats):

Public Keys may be formatted in any of the following formats, specified in order of precedence:

• Public Key Cryptography Standards #8 (PKCS#8) PEM
• JSON Web Key (JWK)
• JSON Web Key Set (JWKS)
• JSON Web Key (JWK) Base64 URL encoded
• JSON Web Key Set (JWKS) Base64 URL encoded

So you shall be aiming at specifying URL that contains Public Keys formatted as JWKS (as there is no way for Smallrye-Jwt to accept set of PKCS#8 PEMs). The "Google URL" you are trying to use, is not rfc7517 compliant JWK Set.

In order to make it work, you shall use this Google JWKS URL that is compliant with rfc7517:

mp.jwt.verify.publickey.location=https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com