Verifying Firebase ID Token with Joken

I’ve set up Firebase for frontend authentication and I am sending the ID token, which is a JWT, to my phoenix backend.

I am now stuck trying to verify the JWT.

Google instructions regarding the matter are here. TLDR: Grab the public accessible certificate and use it to verify the JWT signature was signed with the correct private key.

I have this so far

def verify(token) do
  {:ok, resp} = HTTPoison.get(@cert_url)
  %{body: body} = resp
  body = Poison.Parser.parse!(body, %{})
  {:ok, header} = Joken.peek_header(token)
  cert = body[header["kid"]]
end

I’m lost there. Do I need to convert the public certificate to a public key? How do I create a Joken.Signer with RS256 signing algorithm and the public certificate?

Thank you!

1 Like

I found the JOSE library :grin:

To finish up the code…

def verify(token) do
  {:ok, resp} = HTTPoison.get(@cert_url)
  %{body: body} = resp
  certs = Poison.Parser.parse!(body, %{})
  {:ok, header} = Joken.peek_header(token)
  jwks = JOSE.JWK.from_firebase(certs)
  jwk = jwks[header["kid"]] |> JOSE.JWK.to_map |> elem(1)
  {true, jose_jwt, _} = JOSE.JWT.verify(jwk, token)
  fields = JOSE.JWT.to_map(jose_jwt) |> elem(1)
  {:ok, fields}
end

Elixir code can probably be cleaned up :sweat_smile:

1 Like