
With a regular Firebase Auth ID token we can verify it using the JWK URL https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com

If you make a Session Cookie instead, where the issuer is https://session.firebase.google.com/, what URL is the JWK located at?

Arjun Yelamanchili

1 Answer


The public certificates are here:

https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys

Each certificate is in PEM format. Extract the public key from the certificate and verify the signature after validating the JWT header and payload. The JWT header's kid will tell you which certificate to use.

Google provides an API that you can call to fetch the JWK for a session cookie:

Method: getSessionCookiePublicKeys

John Hanley
  • Thank you, friend, but I was hoping something was available in JWK form; I am using it with Hasura's JWT auth mode https://hasura.io/docs/latest/graphql/core/auth/authentication/jwt.html – Arjun Yelamanchili Feb 01 '22 at 14:09
  • @ArjunYelamanchili You can convert one format to the other. A public certificate is two prime numbers - n and e with extra wrapping. A JWK is the same two numbers plus descriptors. The important information is the same. To verify a signature, you only need the two prime numbers. Public certificates, public keys, and JWKs are just different ways of encoding the two prime numbers. – John Hanley Feb 01 '22 at 19:23
  • @ArjunYelamanchili - Your library supports public certificates. **You can also provide the key (certificate, PEM encoded public key) as a string - in the key field along with the type.** – John Hanley Feb 01 '22 at 20:05