Cannot verifyIdToken after a Google Authentication

Timothy Washington

Sep 25, 2016, 10:50:20 PM
to Firebase Google Group
I'm trying (and failing) to use Firebase's Google authentication. 

So in my HTML, I've initialized the app with this code.

<script src="https://www.gstatic.com/firebasejs/3.4.0/firebase.js"></script>
<script>
  // Initialize Firebase
  var config = {
    apiKey: "<my-api-key>",
    authDomain: "<my-domain>.firebaseapp.com",
    databaseURL: "https://<my-domain>.firebaseio.com",
    storageBucket: "<my-domain>.appspot.com",
    messagingSenderId: "<my-sender-id>"
  };
  firebase.initializeApp(config);
</script>

And in my Java server code, I've initialized the SDK as instructed here. Handler code is something like this. 

Task<FirebaseToken> authTask = FirebaseAuth.getInstance().verifyIdToken(idToken)
    .addOnSuccessListener(new OnSuccessListener() {
        @Override
        public void onSuccess(Object tr) {
            // do something
        }
    }).addOnFailureListener(new OnFailureListener() {
        @Override
        public void onFailure(Exception excptn) {
            // do something
        }
    }).addOnCompleteListener(new OnCompleteListener() {
        @Override
        public void onComplete(Task task) {
            // do something
        }
    });
try {
    // Block until verification has finished
    Tasks.await(authTask);
} catch (ExecutionException | InterruptedException e) {
    // handle error
}
FirebaseToken decodedToken = authTask.getResult();

And right now, when calling my verifyIdToken, I get this com.google.firebase.auth.FirebaseAuthException: Token is not for this app


Now, in my Firebase Console, I've definitely created my Project. But there's no explicit dashboard way of creating my App / Application. Firebase's console just instructs me to use the above Javascript to initialize my app, locally. 


Jacob Wenger

Sep 26, 2016, 9:53:18 AM
to fireba...@googlegroups.com
Hey Timothy,

Can you explain a little bit more about your setup and what you are trying to do? I'm a bit confused how you switch from explaining how you are initializing the web SDK to how you are authenticating a token on your Java server. This is a bit of an XY problem.

In general, you authenticate the web SDK by passing the config you have posted and then signing a user in anonymously, via an email / password combination, or an OAuth provider. And you authenticate the Java server SDK by passing a config which contains a service account. You should only need to use verifyIdToken() if you are trying to verify users on your server (read the intro to this doc for some use cases). And you only really need a server process at all if you cannot accomplish what you need from the client SDK.

Your question is a bit of an XY problem. If you explain your use case and what you are trying to accomplish, we can offer some more concrete advice for you and get things sorted out.

Cheers,
Jacob

Timothy Washington

Sep 27, 2016, 12:11:52 AM
to Firebase Google Group
Hey Jacob,

Of course, sorry for the vagueness.

I want to use Firebase’s Authentication component (https://firebase.google.com/docs/auth/), to allow users to login using their accounts from Google, Github, Twitter, etc.

I have a simple daemon, serving up:

A) HTML, with:

  i) the firebase app initialization as I noted in my last post, and
  ii) firebaseui.auth initialization with

    var uiConfig = {  // variable name added so the config can be passed to ui.start()
      signInOptions : [firebase.auth.GoogleAuthProvider.PROVIDER_ID],
      callbacks : { signInSuccess : function (currentUser, credential, redirectUrl) { /* ... */ } }
    };

    var ui = new firebaseui.auth.AuthUI(firebase.auth());
    ui.start("#my-auth-container", uiConfig);

B) Java (on the Server) with:

  iii) Firebase app initialization

    // Initialize the server SDK with the service account key
    FirebaseOptions.Builder options = new FirebaseOptions.Builder();
    options.setServiceAccount(new FileInputStream("<my-private-key.json>"));
    FirebaseApp.initializeApp(options.build());

  iv) Then I try to call .verifyIdToken, with the callback handlers as noted in my last post.


i) Firebaseui auth component correctly i) renders and ii) calls out to the Google Identity Provider.

ii) On “signInSuccess”, I send the idToken (in the “credential” callback argument) to the server, for token verification.

iii) The server’s call to “verifyIdToken” (using the supplied idToken), is what fires that OnFailureListener.onFailure event, with the message: com.google.firebase.auth.FirebaseAuthException: Token is not for this app.

iv) And again, in my Firebase Console, I've definitely created my Project. But there's no explicit dashboard way of creating my App / Application. Firebase's console just instructs me to use the above Javascript to initialize my app, locally.

Does this make sense? Are you saying I don't even need to do "verifyIdToken" in this case? I can try to outline anything else that’s missing.

Thanks
Tim

Javier Martín

Sep 27, 2016, 10:58:41 AM
to Firebase Google Group
You should check this link https://firebase.google.com/docs/auth/server/verify-id-tokens#retrieve_id_tokens_on_clients in order to get the right token, because the token provided after sign in is not valid to be verified by the server; that was the mistake we made.

Jacob Wenger

Sep 27, 2016, 11:05:50 AM
to fireba...@googlegroups.com
Hey Timothy,

I'm still missing where your Java server fits into all of this. Can you take me a step all the way back to what exactly you are building, not what code you are using? It looks like you have a web front-end which uses FirebaseUI-web to authenticate a user. I assume you then want to access some data from either the Firebase Realtime Database or Firebase Storage, right? If that is the case, you should just use the web client to do so and don't need a server at all (that is part of the magic of Firebase). If not, you must have some use case for using a server. So what is the Java server actually doing? That is the part I'm missing and it's hard for me to tell you what the correct solution to your problem is since I don't know what you're attempting to actually do.

As Javier just mentioned, I do think you are sending the wrong token to your backend. Follow the instructions here on how to retrieve the proper token that you should be sending into verifyIdToken(). I'm not sure you even need this step though, but that depends on what your actual use case is.

Cheers,
Jacob

Timothy Washington

Sep 27, 2016, 6:18:07 PM
to Firebase Google Group
Ok, Javier's tip was the clue I needed. That's pretty opaque, but "the token provided after sign in is not valid to be verified by the server". You have to explicitly call firebase.auth().currentUser.getToken. Thanks guys.

Jacob, my Java server fits into how that link describes a typical layout.

When a user or device successfully signs in, Firebase creates a corresponding ID token ... You can re-use that ID token to identify the user or device on your custom backend server. ...:

Once you have an ID token, you can send that JWT to your backend and validate it using one of the official Firebase server SDKs ...

The Firebase server SDKs have a built-in method for verifying and decoding ID tokens. If the provided ID token has the correct format, is not expired, and is properly signed, the method returns the decoded ID token. ...

Thanks
Tim
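
Added example (not part of the original thread, and not Firebase's own code): a small Node.js debugging helper that reads a JWT's claims without verifying them, to tell which kind of token is being sent to the server. It relies on two facts: a Firebase ID token is issued by https://securetoken.google.com/<project-id> with aud equal to the project ID, while the ID token inside a Google sign-in credential is issued by accounts.google.com for an OAuth client ID. The function names, the project ID "demo-project" and the sample tokens are constructed for illustration.

```javascript
// Debugging aid only: it reads claims and does NOT check the signature.
// The server must still call verifyIdToken() before trusting any claim.

function decodeJwtPayload(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT (expected 3 segments)');
  // base64url -> base64, then decode the middle (payload) segment
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const claims = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  if (claims === null || typeof claims !== 'object') throw new Error('payload is not a JSON object');
  return claims;
}

// projectId: the Firebase project ID the server SDK was initialized for.
function classifyToken(jwt, projectId) {
  let claims;
  try {
    claims = decodeJwtPayload(jwt);
  } catch (e) {
    return { kind: 'malformed', detail: e.message };
  }
  const prefix = 'https://securetoken.google.com/';
  const info = { iss: claims.iss, aud: claims.aud };
  if (claims.iss === prefix + projectId && claims.aud === projectId) {
    return Object.assign({ kind: 'firebase-id-token' }, info);
  }
  if (typeof claims.iss === 'string' && claims.iss.startsWith(prefix)) {
    // A Firebase ID token, but minted for a different project.
    return Object.assign({ kind: 'firebase-id-token-other-project' }, info);
  }
  if (claims.iss === 'accounts.google.com' || claims.iss === 'https://accounts.google.com') {
    // The provider's token from the sign-in credential, not a Firebase ID token.
    return Object.assign({ kind: 'google-oauth-id-token' }, info);
  }
  return Object.assign({ kind: 'unknown' }, info);
}

// Builds an unsigned, constructed sample token (the signature segment is a dummy).
function makeSample(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return [enc({ alg: 'RS256', typ: 'JWT' }), enc(claims), 'c2lnbmF0dXJl'].join('.');
}

// Constructed samples: the token from getToken() vs. the one in the sign-in credential.
const fromGetToken = makeSample({ iss: 'https://securetoken.google.com/demo-project', aud: 'demo-project', sub: 'uid-123' });
const fromCredential = makeSample({ iss: 'accounts.google.com', aud: '1234-example.apps.googleusercontent.com', sub: '1' });
console.log(classifyToken(fromGetToken, 'demo-project').kind);
console.log(classifyToken(fromCredential, 'demo-project').kind);
```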