ASP.NET Core validate Firebase Auth emulator JWT

I'm trying to validate a JWT issued by the Firebase Auth emulator. The following code snippet is working fine for production apps, but I can't figure out how to modify it so it also works with the Firebase Auth emulator.

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(options =>
{
    options.Authority = "https://securetoken.google.com/<project id>";
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidIssuer = "https://securetoken.google.com/<project id>",
        ValidateAudience = true,
        ValidAudience = "<project id>",
        ValidateLifetime = true
    };
});

I tried the following options:

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(options =>
{
    options.RequireHttpsMetadata = false;
    options.Authority = "http://localhost:9099";
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidIssuer = "[email protected]",
        ValidateAudience = true,
        ValidAudience = "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit",
        ValidateLifetime = true,
    };
});

But I keep running into the following error:

Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[3]
[dotnet-start]       Exception occurred while processing message.
[dotnet-start]       System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'System.String'.
[dotnet-start]        ---> System.IO.IOException: IDX20807: Unable to retrieve document from: 'System.String'. HttpResponseMessage: 'System.Net.Http.HttpResponseMessage', HttpResponseMessage.Content: 'System.String'.
[dotnet-start]          at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
[dotnet-start]          at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.GetAsync(String address, IDocumentRetriever retriever, CancellationToken cancel)
[dotnet-start]          at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)

I believe that the issuer and audience options are correct but I can't find the correct value for the authority option. Does anyone know the correct options to make this work with the Firebase Auth emulator?

Solution 1:[1]

I think I ran into a similar error as described here.

I solved it by following this implementation for the service configuration. Seems to be working now without problems.

Let me know if it works for you too, or you were able to solve it in some other way.

Solution 2:[2]

I too tried various combinations of settings resulting in both the OP's error and just plain ol' HTTP-401's.

For me, it turns out the trick was realizing that the Firebase emulator doesn't sign the token (and sets the alg header value to none). This means I just needed to set TokenValidationParameters.RequireSignedTokens to false, after which it worked.

The following code is what I ended up with (using a flag in my settings to control the use of the emulator):

services.AddAuthorization()
        .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddJwtBearer(options => {
            options.Authority = _AuthenticationSettings.Authority;  // Set to "https://securetoken.google.com/demo-project/"
            options.Audience = _AuthenticationSettings.Audience;    // Set to "demo-project"

            var validationParams = options.TokenValidationParameters;
            validationParams.ValidIssuer = options.Authority;
            validationParams.ValidateIssuer = true;

            if (_AuthenticationSettings.UseEmulators) {
                validationParams.RequireSignedTokens = false;
            }
        });

As an aside, note that prefixing the project name with "demo-" tells the Firebase SDK that it is a local, emulated project and removes the need to create a project within your Firebase console (great for avoiding conflicts between developer-specific test data).
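Building on the answer above, here is an added example (not code from the question or from either answer) that ties the RequireSignedTokens relaxation to the Development environment as well as a settings flag, so the unsigned alg=none tokens the emulator issues can never be accepted by a deployed build while production keeps signature validation on and limited to RS256. The Firebase:ProjectId and Firebase:UseEmulator configuration keys are names assumed here.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Hypothetical configuration keys (not from the original question or answers).
string projectId = builder.Configuration["Firebase:ProjectId"] ?? "demo-project";
bool useEmulator = builder.Configuration.GetValue<bool>("Firebase:UseEmulator");

// The emulator relaxation below switches signature validation off, so tie it to the
// Development environment as well as the flag: a stray config value in a deployed
// build then still leaves RequireSignedTokens = true.
bool acceptUnsignedTokens = useEmulator && builder.Environment.IsDevelopment();

// Firebase tokens (emulated or not) use this issuer, with the project id as audience.
string issuer = $"https://securetoken.google.com/{projectId}";

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Discovery document and signing keys are still fetched from Google; with
        // emulator tokens they simply go unused because the token has no signature.
        options.Authority = issuer;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = issuer,
            ValidateAudience = true,
            ValidAudience = projectId,
            ValidateLifetime = true,
            // Production: signature required and only RS256 accepted.
            // Emulator: tokens carry alg=none, so the signature check is skipped.
            RequireSignedTokens = !acceptUnsignedTokens,
            ValidAlgorithms = acceptUnsignedTokens
                ? null
                : new[] { SecurityAlgorithms.RsaSha256 },
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
// "sub" is mapped to NameIdentifier by the default inbound claim mapping.
app.MapGet("/me", (System.Security.Claims.ClaimsPrincipal user) =>
    user.FindFirst(System.Security.Claims.ClaimTypes.NameIdentifier)?.Value).RequireAuthorization();
app.Run();
```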

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution 1: Svaeng
Solution 2: David G