Firebase ID token has invalid signature even on jwt

Firebase ID token has invalid signature

Hi all, I'm somehow new to NodeJS and I've only used Google Firebase a few times. Now, I'm trying to verify an idToken generated using getIdToken() method whenever a user signs up or signs in. The token generation works fine but if I try to use this token to authorize a user admin.auth().verifyIdToken(idToken) on another route, I get this error Firebase ID token has invalid signature on Postman. I tried to verify the token on jwt.io as well, it gave error Invalid Signature.

I tried switching to different algorithms, some eventually made the token valid on jwt, but there is usually a VERIFY SIGNATURE box by the bottom-right which I don't really know what to fill there. Well, I've tried copying different newly generated valid tokens by jwt after changing algorithm, but I still get Firebase ID token has invalid signature from Postman.

Does anyone know what the problem may be? Please help.



Solution 1:[1]

The problem comes from the Firebase Emulator Auth. The Firebase-hosted Auth is unable to verify a JWT token generated by the Firebase Emulator Auth.

Solution 2:[2]

For some reason, the verifyIdToken function throws "Firebase ID token has invalid signature" each time for valid tokens when used in the Firebase Emulator locally. I fixed this problem by starting to use Firebase-hosted auth instead of emulator auth (remove the auth property from firebase.json). Also, I reported the bug to Firebase.

Solution 3:[3]

I agree with Genius Hawlah's answer, the problem is the Firebase Emulator Auth. As a workaround I suggest starting the emulators without the Auth one, using the --only flag, for example firebase emulators:start --only firestore,functions, and authenticating with a user you have in the production Authentication.

Solution 4:[4]

TLDR;

Prefer log from dart:developer over print and debugPrint.


I was not using the emulator...

I'm new to Firebase and have experienced this, and even upvoted GeniusHawlah's and Taras Mazurkevych's answers... But I couldn't find anything in the Firebase setup I did that was related to the emulator.

So it happened that I was testing my Firebase setup using a truncated JWT token, printed with Dart's debugPrint (which truncates output). I was successful using log from dart:developer!

I was enlightened by https://github.com/flutter/flutter/issues/22665#issuecomment-456858672.

Solution 5:[5]

I encountered a similar problem, and figured out that my BE was pointing to the local emulator, but the FE was pointing to the remote Firebase Auth (because of a bug in the code, firebase.auth().useEmulator(...) wasn't called).

Solution 6:[6]

To verify the token on jwt.io, you need to grab one of the public keys from https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com (the "JWK URI", however, is https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com)

Use the kid from jwt.io to know which public key to use from the link above.

Paste in the correct key (be sure to clear out any \n characters if they're there) and it should verify correctly:

Source: https://firebase.google.com/docs/auth/admin/verify-id-tokens
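
The check that Solution 6 does by hand on jwt.io, written as an added Node.js example (not code from any of the answers or from the Firebase SDK): pick the public key by the header's kid, verify the RS256 signature, and see how a truncated token (Solution 4), a token from a different signer (Solutions 1 and 5) and a changed alg each fail. The key pairs, kid values and claims are constructed so it runs offline; real keys come from the Google URL above as X.509 certificates.

```javascript
const crypto = require("node:crypto");
const b64url = (data) => Buffer.from(data).toString("base64url");

// Constructed stand-in for one token issuer (own RSA key pair and made-up kid); not Google's keys.
function makeSigner(kid) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const sign = (claims, alg = "RS256") => {
    const input = b64url(JSON.stringify({ alg, kid, typ: "JWT" })) + "." + b64url(JSON.stringify(claims));
    // Anything other than RS256 is emitted unsigned, to model a changed alg.
    const sig = alg === "RS256" ? crypto.sign("sha256", Buffer.from(input), privateKey) : Buffer.alloc(0);
    return input + "." + b64url(sig);
  };
  return { kid, publicKey, sign };
}

// Signature check only (no exp/aud/iss validation). Returns "ok" or the failure reason.
function checkSignature(token, keysByKid) {
  const parts = token.split(".");
  if (parts.length !== 3) return "malformed";
  let header;
  try {
    header = JSON.parse(Buffer.from(parts[0], "base64url").toString("utf8"));
  } catch {
    return "malformed";
  }
  if (header?.alg !== "RS256") return "unexpected-alg"; // the verifier fixes the alg, not the token
  const key = keysByKid[header.kid];
  if (!key) return "unknown-kid"; // signed by an issuer this verifier does not trust
  try {
    const sig = Buffer.from(parts[2], "base64url");
    const ok = crypto.verify("sha256", Buffer.from(parts[0] + "." + parts[1]), key, sig);
    return ok ? "ok" : "invalid-signature";
  } catch {
    return "invalid-signature"; // e.g. a signature of the wrong length
  }
}

function demo() {
  const prod = makeSigner("prod-kid-1");
  const other = makeSigner("other-kid-1");
  const trusted = { [prod.kid]: prod.publicKey }; // what the verifying backend trusts
  const token = prod.sign({ sub: "user-123" });
  return {
    valid: checkSignature(token, trusted),
    truncated: checkSignature(token.slice(0, -20), trusted), // cut off by a logger
    otherSigner: checkSignature(other.sign({ sub: "user-123" }), trusted),
    changedAlg: checkSignature(prod.sign({ sub: "user-123" }, "none"), trusted),
  };
}
```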

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 GeniusHawlah
Solution 2 Taras Mazurkevych
Solution 3 bruce_k
Solution 4 Salathiel Genèse
Solution 5 Max Henash
Solution 6