Hello everyone,
I'm currently working on integrating Firebase Authentication with Keycloak in my Angular application and have encountered a challenging issue related to nonce validation.
Context:
- Keycloak is set up as my OpenID Connect (OIDC) provider, successfully returning an ID token upon user login.
- I am using Firebase for authentication after retrieving the ID token from Keycloak.
Here's my Keycloak initialization setup:

```typescript
this.keycloak.init({
  config: this.appConstant.keycloakConfig,
  initOptions: {
    onLoad: 'check-sso',
    flow: 'standard',
    pkceMethod: 'S256',
    useNonce: true, // Keycloak generates a nonce internally
  },
  enableBearerInterceptor: true,
});
```
After a successful Keycloak login, I retrieve the ID token and pass it to Firebase for sign-in:

```typescript
async signInWithFirebase(idToken: string): Promise<any> {
  const auth = getAuth();
  const provider = new OAuthProvider(environment.firebaseConfig.oidcProvider);
  try {
    const credential = provider.credential({
      idToken,
      // rawNonce: '<rawNonce>', // Initially not passing rawNonce
    });
    const result = await signInWithCredential(auth, credential);
    return result;
  } catch (error: any) {
    console.error(error, 'Firebase sign-in error');
  }
}
```
Issues Encountered:

When I do not pass the rawNonce, I receive the following error from Firebase:

```
FirebaseError: Nonce is missing in the request. (auth/missing-or-invalid-nonce)
```
When I try passing the rawNonce extracted from the decoded Keycloak ID token, I get a different error:

```
FirebaseError: Firebase: The nonce in ID Token "<hashed_nonce>" does not match the SHA256 hash of the raw nonce "<rawNonce>" in the request. (auth/missing-or-invalid-nonce).
```
This indicates that while Firebase acknowledges the nonce's presence, there is a mismatch between the hashed nonce in the ID token and the rawNonce I provided.
Questions:
- What is the correct approach to ensure that the raw nonce I use for Firebase authentication matches the nonce expected from the Keycloak ID token?
- Is there a way to configure Firebase to work seamlessly with Keycloak's nonce handling?
- Are there any best practices for resolving this nonce mismatch issue when integrating Firebase with Keycloak?
- Would relying solely on PKCE (without utilizing a nonce) be a viable and secure solution in this scenario?
I have enabled PKCE (pkceMethod: 'S256') in my Keycloak configuration, but Firebase continues to require a nonce. Any insights or recommendations to resolve this issue would be greatly appreciated!
Thank you in advance!