Arjun Yelamanchili

Reputation: 587

What is the Firebase Auth Session Cookie JWK URL?

With a regular Firebase auth ID token we can verify using the JWK URL of https://www.googleapis.com/service_accounts/v1/jwk/[email protected]

If you make a Session Cookie instead, where the issuer is https://session.firebase.google.com/, what URL is the JWK located at?

Upvotes: 0

Views: 905

Answers (1)

John Hanley

Reputation: 81454

The public certificates are here:

https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys

Each certificate is in PEM format. Extract the public key from the certificate and verify the signature after validating the JWT header and payload. The JWT header kid will tell you which certificate to use.

Google provides an API that you can call to fetch the JWK for a session cookie:

Method: getSessionCookiePublicKeys

Upvotes: 1
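The steps in the answer above (validate header and payload, pick the certificate by `kid`, verify the signature), as an added Node.js example that is not part of the original answer or Google's code. The function names are hypothetical. It assumes the caller has already fetched the `publicKeys` response and parsed it into a `kid`-to-PEM map, that `aud` is the project ID and `iss` is the issuer from the question followed by the project ID, and it uses a constructed throwaway RSA key in place of Google's certificates so it runs offline.

```javascript
const crypto = require('node:crypto');

const ISSUER_PREFIX = 'https://session.firebase.google.com/';
const decode = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// keys: { kid: PEM } map parsed from the publicKeys response (fetched and cached by the caller).
function verifySessionCookie(cookie, keys, projectId, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(cookie).split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const [h, p, sig] = parts;
  const header = decode(h);
  const payload = decode(p);
  // Pin the algorithm instead of trusting the header (rejects "none" and HMAC confusion).
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  if (payload.iss !== ISSUER_PREFIX + projectId) throw new Error('bad iss');
  if (payload.aud !== projectId) throw new Error('bad aud');
  if (typeof payload.sub !== 'string' || payload.sub === '') throw new Error('bad sub');
  if (!(payload.exp > nowSec)) throw new Error('expired');
  if (!(payload.iat <= nowSec)) throw new Error('iat in the future');
  // kid picks the certificate; own-property lookup so inherited names such as "constructor" cannot match.
  if (typeof header.kid !== 'string' || !Object.hasOwn(keys, header.kid)) throw new Error('unknown kid');
  const publicKey = crypto.createPublicKey(keys[header.kid]); // takes a certificate or public-key PEM
  const signature = Buffer.from(sig, 'base64url');
  if (!crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), publicKey, signature)) {
    throw new Error('bad signature');
  }
  return payload;
}

// Constructed sample: a throwaway RSA key stands in for one of Google's certificates.
function makeSample(projectId, nowSec) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const h = enc({ alg: 'RS256', kid: 'constructed-kid', typ: 'JWT' });
  const p = enc({ iss: ISSUER_PREFIX + projectId, aud: projectId, sub: 'uid-123',
                  iat: nowSec - 60, exp: nowSec + 3600 });
  const sig = crypto.sign('RSA-SHA256', Buffer.from(`${h}.${p}`), privateKey).toString('base64url');
  const pem = publicKey.export({ type: 'spki', format: 'pem' });
  return { cookie: `${h}.${p}.${sig}`, keys: { 'constructed-kid': pem } };
}

const demoNow = Math.floor(Date.now() / 1000);
const demo = makeSample('demo-project', demoNow);
console.log(verifySessionCookie(demo.cookie, demo.keys, 'demo-project', demoNow).sub);
```

Google rotates these keys, so a production caller re-fetches the map when it meets an unknown `kid` or when the cached response expires.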
