Decoding JWT token

[Philibert Dugas]

Hi,

I'm trying to use the Firebase JWT token in my backend server written in Ruby.

Referring to this link: https://firebase.google.com/docs/auth/admin/verify-id-tokens

To decode the token in the JWT gem, it's asking us to provide a public certificate. The link mentions the following:

 

Finally, ensure that the ID token was signed by the private key corresponding to the token's kid claim. Grab the public key from https://www.googleapis.com/robot/v1/metadata/x509/secur...@system.gserviceaccount.com

My question is, how do we know what "kid" corresponds to a given JWT token?

[Hiranya Jayathilaka]

The base64 decoded token usually has a kid header, which you can use to lookup the correct public key. If you don't want to bother with decoding the token, you can write your code to iterate over all public keys, and try to verify against each of them. If the token doesn't verify against any public key it should be rejected. 

See how the Python's oauth2client library does it: https://github.com/google/oauth2client/blob/master/oauth2client/crypt.py#L105

On Tue, Apr 18, 2017 at 5:46 PM, Philibert Dugas <philibe...@gmail.com> wrote:

Hi,

I'm trying to use the Firebase JWT token in my backend server written in Ruby.

Referring to this link: https://firebase.google.com/docs/auth/admin/verify-id-tokens

To decode the token in the JWT gem, it's asking us to provide a public certificate. The link mentions the following:

 

Finally, ensure that the ID token was signed by the private key corresponding to the token's kid claim. Grab the public key from https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com

My question is, how do we know what "kid" corresponds to a given JWT token?

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-talk+unsubscribe@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/a78549f2-4206-4ba7-a21e-60974e15f9f7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Hiranya Jayathilaka | Software Engineer | h...@google.com | 650-203-0128

[Chris Raynor]

I think the "kid" field is in the header (first part of the JWT) rather than the body

On Tue, Apr 18, 2017 at 7:43 PM 'Hiranya Jayathilaka' via Firebase Google Group <fireba...@googlegroups.com> wrote:

The base64 decoded token usually has a kid header, which you can use to lookup the correct public key. If you don't want to bother with decoding the token, you can write your code to iterate over all public keys, and try to verify against each of them. If the token doesn't verify against any public key it should be rejected. 

See how the Python's oauth2client library does it: https://github.com/google/oauth2client/blob/master/oauth2client/crypt.py#L105

On Tue, Apr 18, 2017 at 5:46 PM, Philibert Dugas <philibe...@gmail.com> wrote:

Hi,

I'm trying to use the Firebase JWT token in my backend server written in Ruby.

Referring to this link: https://firebase.google.com/docs/auth/admin/verify-id-tokens

To decode the token in the JWT gem, it's asking us to provide a public certificate. The link mentions the following:

 

Finally, ensure that the ID token was signed by the private key corresponding to the token's kid claim. Grab the public key from https://www.googleapis.com/robot/v1/metadata/x509/secur...@system.gserviceaccount.com

My question is, how do we know what "kid" corresponds to a given JWT token?

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.

To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.

To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/a78549f2-4206-4ba7-a21e-60974e15f9f7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Hiranya Jayathilaka | Software Engineer | h...@google.com | 650-203-0128

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.

To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.

To post to this group, send email to fireba...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/CAE6e%2BPhYvfNM69UL-8ZFv4ksxcHDQjbS3nJAMiqngKTAc2-mmQ%40mail.gmail.com.