token verification efficiency

[arek he]

My backend is using Firebase tokens to authorize the requests from a mobile client. Need to know how efficient is token verification as it is used to authorize each and every request.

Does token verification send any requests to Firebase servers or is it done offline?
Are the certs needed for verification stored locally (Admin SDK) or downloaded?

What is actually done under the hood to verify the token with this code:

FirebaseToken decodedToken = FirebaseAuth.getInstance().verifyIdTokenAsync(idToken).get();

Appreciate any info on this.

--Arek

[Hiranya Jayathilaka]

Hi Arek,

The first invocation of this method will download the public key certificates, and cache them in memory. As a result subsequent calls will get executed as local operations. The SDK uses the HTTP Cache-Control header sent by the backend server to control cache invalidation. 

Overall this is a pretty fast operation. The network overhead gets amortized over many calls. See implementation for more details.

Thanks,

Hiranya

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-talk+unsubscribe@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/62cb704a-3bd0-449b-b847-00b40973838a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Hiranya Jayathilaka | Software Engineer | h...@google.com | 650-203-0128