Error: Firebase Auth ID token has no "kid" claim with Firebase 3.0


Ciaran Byrne

May 24, 2016, 1:33:31 PM
to Firebase Google Group
I'm trying to create a custom token using Firebase 3.0. Previously I was using FirebaseTokenGenerator with 2.0. I'm
receiving an error about no "kid" claim when attempting to generate a custom JWT.

var auth = firebase.auth();
var token = auth.createCustomToken(account.id);

auth.verifyIdToken(token).then(function(decodedToken) {
  console.log("Verified " + decodedToken);
}).catch(function(err) {
  console.log(err);
});

I can confirm that I can initialize the Firebase, write and read the account, etc., but when I attempt to create a token I get the error. I took
a look at the token returned using jwt.io but I can't see any reference to "kid" in the header. Am I missing something?


David Poll

May 24, 2016, 2:11:06 PM
to fireba...@googlegroups.com
A custom token is different from an ID token.  You pass a custom token down to a client and use signInWithCustomToken().  This will exchange the custom token for a refresh and ID token.  Your client can pass the id token back to your server for verification.

If you're trying to make requests to the database directly from your server, you should use the databaseAuthVariableOverride when initializing your app as described here: https://firebase.google.com/docs/database/server/start#authenticate-with-limited-privileges


Ciaran Byrne

May 24, 2016, 3:01:35 PM
to Firebase Google Group
Ah ok, I was doing this on the server as I was having problems signing in with the token on the client.

BTW - What I really want to achieve is passing the token to the Client as you describe and I had this working fine on Client & Server with Firebase 2.4.
I upgraded the NodeJs Server to Firebase 3.0, while the Client stayed at Firebase 2.4.

I'm guessing this is where the problem lies - there is a compatibility issue running Firebase 3.0 on the Server and 2.4 on the Client. Is this
correct?

Adolfo Schneider

May 24, 2016, 3:24:57 PM
to Firebase Google Group
Hey David, I'm kind of facing the same problem.

I have an SPA application where the user is being authenticated successfully, but I also want to guarantee this authentication on the server side.
Thus, I'm passing the Auth.$getAuth().token in my API call headers and trying to validate it with auth.verifyIdToken(idToken) on the server.

Unfortunately I'm getting a [Error: Firebase Auth ID token has no "kid" claim].

You can find more details here.

Thanks,
Adolfo

Jacob Wenger

May 24, 2016, 4:29:44 PM
to fireba...@googlegroups.com
@Ciaran - Yes, the token format has changed in the 3.x.x Firebase SDKs so tokens minted via the 3.x.x server SDK will not work on the 2.x.x client SDKs, and vice versa. In order for the tokens to work, you must have matching SDK major version numbers.

@Adolfo - I assume from your code snippet that your client is using the 2.x.x Firebase SDK through AngularFire, right? If that is the case, then the token will never validate due to the note I mentioned above. We are working on updating AngularFire to the 3.x.x SDK right now. Hang tight until we can get that released.

Adolfo Schneider

May 24, 2016, 5:39:18 PM
to Firebase Google Group
@Jacob Thanks for the reply. Is there any workaround to validate the user in the server side in my scenario (client side 2.x.x/server side 3.x.x)? 

Jacob Wenger

May 24, 2016, 5:58:59 PM
to fireba...@googlegroups.com
You can use a third-party JWT library like jsonwebtoken to verify 2.x.x tokens. You just need to ensure they are signed by your Firebase Secret.

Cheers,
Jacob
