Nonce Mismatch Issue with Firebase Authentication and Keycloak ID Token


ajay Chaudhary

Oct 2, 2024, 8:17:50 AM
to Firebase Google Group

Hello everyone,

I'm currently working on integrating Firebase Authentication with Keycloak in my Angular application and have encountered a challenging issue related to nonce validation.

Context:
  1. Keycloak is set up as my OpenID Connect (OIDC) provider, successfully returning an ID token upon user login.
  2. I am using Firebase for authentication after retrieving the ID token from Keycloak.

Here’s my Keycloak initialization setup:


this.keycloak.init({ config: this.appConstant.keycloakConfig, initOptions: { onLoad: 'check-sso', flow: 'standard', pkceMethod: 'S256', useNonce: true, // Keycloak generates a nonce internally }, enableBearerInterceptor: true, });

After a successful Keycloak login, I retrieve the ID token and pass it to Firebase for sign-in:

    async signInWithFirebase(idToken: string): Promise<any> {
      const auth = getAuth();
      const provider = new OAuthProvider(environment.firebaseConfig.oidcProvider);
      try {
        const credential = provider.credential({
          idToken,
          // rawNonce: '<rawNonce>', // Initially not passing rawNonce
        });
        const result = await signInWithCredential(auth, credential);
        return result;
      } catch (error: any) {
        console.error(error, 'Firebase sign-in error');
      }
    }

Issues Encountered:
  1. When I do not pass the rawNonce, I receive the following error from Firebase:

        FirebaseError: Nonce is missing in the request. (auth/missing-or-invalid-nonce)

  2. When I try passing the rawNonce extracted from the decoded Keycloak ID token, I get a different error:

        FirebaseError: Firebase: The nonce in ID Token "<hashed_nonce>" does not match the SHA256 hash of the raw nonce "<rawNonce>" in the request. (auth/missing-or-invalid-nonce).

This indicates that while Firebase acknowledges the nonce's presence, there is a mismatch between the hashed nonce in the ID token and the rawNonce I provided.

Questions:
  1. What is the correct approach to ensure that the raw nonce I use for Firebase authentication matches the nonce expected from the Keycloak ID token?
  2. Is there a way to configure Firebase to work seamlessly with Keycloak's nonce handling?
  3. Are there any best practices for resolving this nonce mismatch issue when integrating Firebase with Keycloak?
  4. Would relying solely on PKCE (without utilizing a nonce) be a viable and secure solution in this scenario?

I have enabled PKCE (pkceMethod: 'S256') in my Keycloak configuration, but Firebase continues to require a nonce. Any insights or recommendations to resolve this issue would be greatly appreciated!

Thank you in advance!
