Verifying Firebase ID Token with Joken

adao · October 13, 2019, 10:07am

I’ve set up Firebase for frontend authentication and I am sending the ID token, which is a JWT, to my phoenix backend.

I am now stuck trying to verify the JWT.

Google instructions regarding the matter are here. TLDR: Grab the public accessible certificate and use it to verify the JWT signature was signed with the correct private key.

I have this so far

def verify(token) do
  {:ok, resp} = HTTPoison.get(@cert_url)
  %{body: body} = resp
  body = Poison.Parser.parse!(body, %{})
  {:ok, header} = Joken.peek_header(token)
  cert = body[header["kid"]]
end

I’m lost there. Do I need to convert the public certificate to a public key? How do I create a Joken.Signer with RS256 signing algorithm and the public certificate?

Thank you!

adao · October 15, 2019, 6:39am

I found the JOSE library

To finish up the code…

def verify(token) do
  {:ok, resp} = HTTPoison.get(@cert_url)
  %{body: body} = resp
  certs = Poison.Parser.parse!(body, %{})
  {:ok, header} = Joken.peek_header(token)
  jwks = JOSE.JWK.from_firebase(certs)
  jwk = jwks[header["kid"]] |> JOSE.JWK.to_map |> elem(1)
  {true, jose_jwt, _} = JOSE.JWT.verify(jwk, token)
  fields = JOSE.JWT.to_map(jose_jwt) |> elem(1)
  {:ok, fields}
end

Elixir code can probably be cleaned up

1guzzy · October 27, 2023, 4:54pm

Thanks for the code. I cleaned it up a bit for the next guy.

def verify(token) do
    with {:ok, jwk} <- get_jwk(token),
         {true, jose_jwt, _} = JOSE.JWT.verify(jwk, token),
         {_, claims} <- JOSE.JWT.to_map(jose_jwt) do
      {:ok, claims}
    end
  end

  def get_jwk(token) do
    with {:ok, %{body: body}} <- HTTPoison.get(@cert_url),
         {:ok, certs} <- Jason.decode(body),
         {:ok, header} <- Joken.peek_header(token) do
      jwk =
        certs
        |> JOSE.JWK.from_firebase()
        |> Map.get(header["kid"])
        |> JOSE.JWK.to_map()
        |> elem(1)

      {:ok, jwk}
    end
  end