2

I am authenticating my users with Firebase, and using the token exchange API to retrieve a tapkey token.

The issue I am having is that the Firebase certificate to authenticate the token expires regularly, as explained on the Firebase website:

Finally, ensure that the ID token was signed by the private key corresponding to the token's kid claim. Grab the public key from https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com and use a JWT library to verify the signature. Use the value of max-age in the Cache-Control header of the response from that endpoint to know when to refresh the public keys.

The max age for the current Firebase certificates is 22963 seconds (as I am writing this, just over 6 hours) and the process to upload a new public key to Tapkey is a manual one.

I'm considering writing a script to download a new certificate when the old ones expires, and extract the public key. Does Tapkey have an API endpoint I could use to post my updated public key to, or is there another approach I can take here?

Thanks

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
JMK
  • 27,273
  • 52
  • 163
  • 280

1 Answers1

2

Currently there is no public api for updating a public key, but Tapkey is able to use a Firebase oidc discovery document url instead of public keys. If configured, Tapkey would automatically handle such key rollovers.

Firebase discovery document urls usually looks like https://securetoken.google.com/[firebase-project-id]/.well-known/openid-configuration.

However, this feature is not publicly available at this time. Send a request for activating the feature to Tapkey Support and they will enable it for you.

Harald
  • 465
  • 2
  • 8