问题描述
我有一个 PHP 后端和一个 Android 客户端.使用客户端,用户可以通过 Firebase 使用 Google 或 Facebook 登录我的应用程序.我从 FirebaseUser 获取令牌并将其发送到我的服务器.很简单,第一部分(header)包含算法(即 RS256),第二部分(payload)包含所有与用户相关的数据.第三部分是前两个的签名,用于在我的后端启用验证.问题是,我不知道该怎么做.更具体地说是什么.
I have a PHP backend and an Android client. With the client the users can log into my app using either Google or Facebook, both via Firebase. I get the token from the FirebaseUser and send it to my server. It is straightforward that the first section (the header) contains the algorithm (which is RS256) and the second one (the payload) has all the user related data. There's a third section which is the signature of the first two to enable verification on my backend. The problem is, I don't know how to do that. More specifically with what.
我使用 JWT.io 来检查我的令牌并尝试验证它,但没有成功.由于使用的算法是 RS256,所以验证应该通过公钥来完成.但是什么公钥?我用我的应用程序的密钥库试过,用谷歌的证书试过,但它只是一直说它是无效的.我知道 header 的 kid 字段是签名密钥的 ID,我应该查找它,但我不知道在哪里.
I used JWT.io to check my token and tried to verify it with no luck. Since the algorithm used is RS256, the verification should be done via the public key. But what public key? I tried with my app's keystore, tried it with Google's certs, but it just keeps saying it's invalid. I understand that the header's kid field is the signing key's ID and I should look for it, but I don't know where.
Firebase 文档也无济于事.有一个关于 ID 令牌验证 的指南,但这没用,因为它是 Java/Node.JS,它仍然没有说任何关于公钥的内容.
The Firebase docs don't help either. There is a guide about ID token verification, but that's just useless because it's Java / Node.JS and it still doesn't say anything about public keys.
所以问题是:我从哪里获得公钥?
推荐答案
好的,所以我挖了 Firebase Server SDK 的源码,找到了公钥的位置:https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com
Okay, so I dug into the source of the Firebase Server SDK and found the location of the public keys: https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com
真的不知道他们为什么不能把它放在他们的网站上......
Don't really know why they just couldn't put it on their website...
无论如何,我不确定,但我猜这些密钥每天都在变化(就像 OAuth2 密钥一样),因此您必须不时检查并重新缓存它们在您的服务器上.
Anyways, I'm not sure, but I guess that these keys change on a daily basis (just like the OAuth2 keys do), so you must check and re-cache them on your server every now and then.
此外,您必须检查以下值:
Also, you have to check the following values:
alg == "RS256"iss:https://securetoken.google.com/<firebaseProjectID>aud:<firebaseProjectID>sub非空
在 this similar question 找到这些(只需滚动到答案的底部),通过搜索特定的 googleapis.com URL 找到.
Found these at this similar question (just scroll to the bottom of the answer), which was found by searching for that specific googleapis.com URL.
这篇关于Firebase 令牌验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!