10

I'm trying to verify and decode an ID token sent by the front-end. I get this error when I run the verify function. Sometimes it might work.

No pem found for envelope: {"alg":"RS256","kid":"53c666482db3800c83c63","typ":"JWT"}

This is my code

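    const { OAuth2Client } = require('google-auth-library');
    const client = new OAuth2Client();
    async function verify(token) {
        const ticket = await client.verifyIdToken({ // throws if verification fails
            idToken: token,
            audience: '804312674051-5o4.apps.googleusercontent.com',
        });
        const payload = ticket.getPayload();
        return payload;
    }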
Kunal Shukla
  • 311
  • 5
  • 10
  • Curious if you were able to get past this error? I'm seeing it as well. – Donato Perconti Feb 04 '21 at 20:03
  • This one works as a solution: https://stackoverflow.com/a/61937783/2451044 – wolframhempel Oct 22 '21 at 13:36
  • It's an incredibly generic error, the token being sent in could be malformed in many, many ways. I found that the token I was sending in was just not a token at all, but something entirely different. It probably does suggest that it's catastrophically wrong though, rather than it expiring or the like... – Matt Fletcher Nov 19 '21 at 18:49

3 Answers

2

I finally found the answer today. The Firebase tool will connect the native Google to the third-party login token, and then encapsulate another layer. The token obtained at this time is no longer the original token given to us by Google.

  • A1:
    • Original token: GoogleSignInAccount account = task.getResult(ApiException.class);
    • account.getIdToken() // This is the original token
  • B1:
    • Firebase token: FirebaseUser currentUser = mAuth.getCurrentUser();
    • String token = currentUser.getIdToken(false).getResult().getToken();
  • A2:
    • Google officially provides a method to verify the token
  • B2:
    • Firebase officially provides the authentication token method

We use code names for the four data points above. If you need to verify the validity of tokens in the background, they must correspond to each other, A1 to A2 and B1 to B2. If you use A2 to validate B1, it will fail.

0

I got the same problem, using an idToken that I got from my Firebase login in my ReactJS app.

I found this in the Google source files:

if (!certs.hasOwnProperty(envelope.kid)) {
    // If this is not present, then there's no reason to attempt verification
    throw new Error('No pem found for envelope: ' + JSON.stringify(envelope));
}

But I have no idea what that means.

MarkusJackson
  • 225
  • 2
  • 12
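The mismatch described in the two answers above can be checked before calling a verifier. This is an added example, not code from the thread or from google-auth-library: it reads the unverified header and `iss` claim to tell a Google-issued ID token from a Firebase one, then repeats the `kid` lookup against a key map. The helper names, sample tokens, `kid` values and key map are constructed for the example.

```javascript
// Decodes WITHOUT verifying the signature: use the result only to choose a
// verifier or to log why verification failed, never to trust the claims.
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

function classifyIdToken(token) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) return { kind: 'malformed', reason: 'not three segments' };
  let header, payload;
  try {
    header = decodeSegment(parts[0]);
    payload = decodeSegment(parts[1]);
  } catch (err) {
    return { kind: 'malformed', reason: 'segment is not base64url JSON' };
  }
  const isObj = (v) => v !== null && typeof v === 'object';
  if (!isObj(header) || !isObj(payload)) return { kind: 'malformed', reason: 'not JSON objects' };
  const iss = String(payload.iss || '');
  let kind = 'unknown';
  if (iss === 'accounts.google.com' || iss === 'https://accounts.google.com') kind = 'google';
  else if (iss.startsWith('https://securetoken.google.com/')) kind = 'firebase';
  return { kind, kid: header.kid, iss };
}

// Same membership test as the library check quoted above, on a caller-supplied key map.
function kidIsKnown(certs, token) {
  const info = classifyIdToken(token);
  return info.kind !== 'malformed' && Object.prototype.hasOwnProperty.call(certs, info.kid);
}

// Constructed sample data: invented kids, placeholder signature and PEM.
function makeToken(header, payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc(header)}.${enc(payload)}.c2ln`;
}
const googleToken = makeToken({ alg: 'RS256', kid: 'google-kid-1', typ: 'JWT' },
  { iss: 'https://accounts.google.com' });
const firebaseToken = makeToken({ alg: 'RS256', kid: 'firebase-kid-1', typ: 'JWT' },
  { iss: 'https://securetoken.google.com/demo-project' });
const googleCerts = { 'google-kid-1': '(constructed placeholder PEM)' };

console.log(classifyIdToken(googleToken).kind, kidIsKnown(googleCerts, googleToken));
console.log(classifyIdToken(firebaseToken).kind, kidIsKnown(googleCerts, firebaseToken));
console.log(classifyIdToken('not-a-token').kind);
```

A token classified as `firebase` belongs with the Firebase Admin SDK's `verifyIdToken`, and one classified as `google` with google-auth-library's `verifyIdToken`; the signature check in those libraries is still what establishes trust.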
-1

The problem is the token used.

You can use this example to generate the token; just change content="YOUR_CLIENT_ID.apps.googleusercontent.com" to a valid Google client ID.

Test with the generated token in console.log

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta name="google-signin-client_id" content="YOUR_CLIENT_ID.apps.googleusercontent.com">
    <title>Demo Sign-In</title>
</head>
<body>
    <h1>Google Sign-In</h1>
    <div class="g-signin2" data-onsuccess="onSignIn"></div>
    <a href="#" onclick="signOut();">Sign out</a>
    <script src="https://apis.google.com/js/platform.js" async defer></script>
    <script>
        function onSignIn(googleUser) {
            var profile = googleUser.getBasicProfile();
            console.log('ID: ' + profile.getId()); // Do not send to your backend! Use an ID token instead.
            console.log('Name: ' + profile.getName());
            console.log('Image URL: ' + profile.getImageUrl());
            console.log('Email: ' + profile.getEmail()); // This is null if the 'email' scope is not present.
            var id_token = googleUser.getAuthResponse().id_token;
            console.log(id_token);
        }

        function signOut() {
            var auth2 = gapi.auth2.getAuthInstance();
            auth2.signOut().then(function () {
                console.log('User signed out.');
            });
        }
    </script>
</body>
</html>