Custom Token Validation Failed


gooon...@gmail.com

Nov 14, 2016, 10:10:02 AM
to Firebase Google Group
The following token is generated by my authentication server, and it gives an exception when sent to Firebase for authentication.

Exception 
com.google.firebase.auth.FirebaseAuthInvalidCredentialsException: The custom token format is incorrect. Please check the documentation.

Token:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1aWQiOiJTWVMxMzI4IiwiaXNzIjoiZmlyZWJhc2UtYWRtaW5zZGstaDA4dnVAZ29vb25qLTEyOTNlLmlhbS5nc2VydmljZWFjY291bnQuY29tIiwic3ViIjoiZmlyZWJhc2UtYWRtaW5zZGstaDA4dnVAZ29vb25qLTEyOTNlLmlhbS5nc2VydmljZWFjY291bnQuY29tIiwiYXVkIjoiaHR0cHM6Ly9pZGVudGl0eXRvb2xraXQuZ29vZ2xlYXBpcy5jb20vZ29vZ2xlLmlkZW50aXR5LmlkZW50aXR5dG9vbGtpdC52MS5JZGVudGl0eVRvb2xraXQiLCJpYXQiOjE0NzkxMzAzNDQsImV4cCI6MTQ3OTEzMTU0NH0.xH3aZUYaGoqR5g3KRBbumxX8z5jiC9POlyOR8fOaly8

When decoded using https://jwt.io/ , it gives

HEADER:ALGORITHM & TOKEN TYPE

{
  "typ": "JWT",
  "alg": "HS256"
}

Jacob Wenger

Nov 14, 2016, 12:20:43 PM
to fireba...@googlegroups.com
Hey there,

Sorry to hear you are running into issues!

I think the problem here is that you are trying to validate a custom token using a method which validates ID tokens. Let me try to explain this: You use the createCustomToken() method to create a custom token which is then sent to a client device and used to sign that device in via the signInWithCustomToken() method [docs]. The custom token expires after one hour and you should never need to validate the custom token on your own server. Instead, once a client device is signed in with a custom token, we exchange it for an ID token which is used to actually interact with Firebase services like the Realtime Database and Storage. These ID tokens expire after one hour and are automatically refreshed by the SDK itself, transparently to you. These ID tokens can be sent to your backend server and validated with the verifyIdToken() method [docs].

If I had to guess, you are passing a custom token created via createCustomToken() into verifyIdToken(). This will definitely fail since, as the name suggests, verifyIdToken() verifies ID tokens, not custom tokens. If you read the two docs links above, it should hopefully help explain things a bit more.

Cheers,
Jacob

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-talk+unsubscribe@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/c69168f2-295d-417c-9ae0-4b585400aff4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

gooon...@gmail.com

Nov 15, 2016, 11:03:48 AM
to Firebase Google Group
Thanks Jacob

Actually, I am just passing the token I get from my server to Firebase. The value of the token here is the one I have already shared with you, or it may be a similar new value generated by the server at times.

mAuth.signInWithCustomToken(token).addOnCompleteListener(new OnCompleteListener<AuthResult>() {
    @Override
    public void onComplete(@NonNull Task<AuthResult> task) {
        if (!task.isSuccessful()) {
            Log.w(TAG, "signInWithCustomToken", task.getException());
            Toast.makeText(CustomAuthActivity.this, "Authentication failed.",
                    Toast.LENGTH_SHORT).show();
        }
        if (task.isSuccessful()) {
            Toast.makeText(CustomAuthActivity.this, task.getResult().toString(), Toast.LENGTH_SHORT).show();
        }
    }
});


Jacob Wenger

Nov 15, 2016, 12:41:06 PM
to fireba...@googlegroups.com
Hey there,

Thanks for the clarification. I think I found out what the actual problem is: your custom token is signed with the wrong encryption algorithm. The output you posted indicates it was signed with HS256, but you need to sign the tokens with RS256 instead, as noted in the table in our docs here. Switching out the correct encryption algorithm should resolve your problem.

Cheers,
Jacob

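Added example, not code from this thread or from Firebase: a Python pre-flight check that decodes the posted token without verifying its signature, tells a custom token apart from an ID token by its claims (the distinction drawn in the first reply), and checks the custom-token shape the second reply points to: RS256, the Identity Toolkit audience, service-account iss and sub, a uid, and a lifetime of at most one hour. The audience string and the required-claim list are those documented for Firebase custom tokens; the ID-token-shaped sample and its project id "example-project" are constructed here. Run against the token from the thread, the check reports exactly the algorithm problem Jacob identified.

```python
import base64
import json

# Custom token posted in this thread, used only as sample input for the
# format check. Its signature is never verified here (no key, and the
# question is about the token's shape, not its authenticity).
POSTED_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJ1aWQiOiJTWVMxMzI4IiwiaXNzIjoiZmlyZWJhc2UtYWRtaW5zZGstaDA4dnVAZ29vb25qLTEyOTNl"
    "LmlhbS5nc2VydmljZWFjY291bnQuY29tIiwic3ViIjoiZmlyZWJhc2UtYWRtaW5zZGstaDA4dnVAZ29v"
    "b25qLTEyOTNlLmlhbS5nc2VydmljZWFjY291bnQuY29tIiwiYXVkIjoiaHR0cHM6Ly9pZGVudGl0eXRv"
    "b2xraXQuZ29vZ2xlYXBpcy5jb20vZ29vZ2xlLmlkZW50aXR5LmlkZW50aXR5dG9vbGtpdC52MS5JZGVu"
    "dGl0eVRvb2xraXQiLCJpYXQiOjE0NzkxMzAzNDQsImV4cCI6MTQ3OTEzMTU0NH0."
    "xH3aZUYaGoqR5g3KRBbumxX8z5jiC9POlyOR8fOaly8"
)

# Audience Firebase documents for custom tokens, and the maximum lifetime.
CUSTOM_TOKEN_AUD = ("https://identitytoolkit.googleapis.com/"
                    "google.identity.identitytoolkit.v1.IdentityToolkit")
MAX_LIFETIME_SECONDS = 3600
REQUIRED_CLAIMS = ("iss", "sub", "aud", "iat", "exp", "uid")


def _b64url_decode_json(segment):
    # JWT segments are unpadded base64url; restore padding before decoding.
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded).decode("utf-8"))


def decode_unverified(token):
    """Split a compact JWS into (header, claims) WITHOUT checking the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return _b64url_decode_json(parts[0]), _b64url_decode_json(parts[1])


def classify_token(token):
    """Return 'custom', 'id' or 'unknown' based on the issuer/audience pattern."""
    _, claims = decode_unverified(token)
    iss = str(claims.get("iss", ""))
    if claims.get("aud") == CUSTOM_TOKEN_AUD and iss.endswith(".gserviceaccount.com"):
        return "custom"           # minted by a service account for signInWithCustomToken
    if iss.startswith("https://securetoken.google.com/") and claims.get("aud") == iss.rsplit("/", 1)[1]:
        return "id"               # issued by Firebase Auth, the thing verifyIdToken checks
    return "unknown"


def lint_custom_token(token):
    """List format problems; an empty list means the token has the documented custom-token shape."""
    header, claims = decode_unverified(token)
    problems = []
    if header.get("alg") != "RS256":
        problems.append("alg is %r; Firebase custom tokens must be signed with RS256" % header.get("alg"))
    for claim in REQUIRED_CLAIMS:
        if claim not in claims:
            problems.append("missing required claim %r" % claim)
    if claims.get("aud") != CUSTOM_TOKEN_AUD:
        problems.append("aud must be the Identity Toolkit audience")
    if claims.get("iss") != claims.get("sub"):
        problems.append("iss and sub must both be the service account email")
    if "iss" in claims and not str(claims["iss"]).endswith(".gserviceaccount.com"):
        problems.append("iss must be a service account email")
    if "iat" in claims and "exp" in claims:
        lifetime = claims["exp"] - claims["iat"]
        if lifetime <= 0 or lifetime > MAX_LIFETIME_SECONDS:
            problems.append("exp must be after iat and at most %d seconds later" % MAX_LIFETIME_SECONDS)
    return problems


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unsigned_token(header, claims):
    """Build 'header.payload.' with an empty signature; used only to construct samples."""
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    return ".".join([enc(header), enc(claims), ""])


# Constructed sample shaped like a Firebase ID token (project id is made up).
SAMPLE_ID_TOKEN = unsigned_token(
    {"alg": "RS256", "typ": "JWT"},
    {"iss": "https://securetoken.google.com/example-project", "aud": "example-project",
     "sub": "SYS1328", "user_id": "SYS1328", "iat": 1479130400, "exp": 1479134000})


if __name__ == "__main__":
    for name, tok in (("posted token", POSTED_TOKEN), ("sample ID token", SAMPLE_ID_TOKEN)):
        print("%s looks like a %s token" % (name, classify_token(tok)))
        for p in lint_custom_token(tok):
            print("  custom-token lint:", p)
```

Because the check only decodes the token, it is a diagnostic for the server that mints custom tokens, not a substitute for signature verification: the client still hands the token to signInWithCustomToken(), and the backend still verifies the resulting ID token with verifyIdToken().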

vis...@homepass.com

Nov 23, 2016, 11:11:06 AM
to Firebase Google Group
Hi Jacob,

Thanks for the clarification. Is this backward compatible? I mean, will all iOS and Android clients using older versions of the SDKs work correctly?

Regards,
Vish.

Jacob Wenger

Nov 23, 2016, 12:34:02 PM
to fireba...@googlegroups.com
Hey Vish,

No, the custom token formats are entirely different between the SDK versions and are not backwards compatible. Tokens from the legacy token generators only work with versions 2.x.x and below of the client SDKs while tokens from the new Admin SDKs only work with versions 3.x.x and above of the client SDKs.

Cheers,
Jacob
