Admin Server - Using third-party JWT libraries


miamiHeat4life

Jan 31, 2017, 8:38:12 PM
to Firebase Google Group
Hi ,

I am working on a Swift-based server (vapor) to connect to Firebase. Since Firebase does not support a server-side Swift SDK at the moment, I have decided to use the REST API. However, as a mediocre programmer, I have found the documentation difficult to follow on how to exactly authenticate using JWT 3rd party libraries. Specifically this part:
Would it be possible to get a 'dummy' proof end-to-end example on how to do these steps? I have searched all over and can't figure it out. Any help would be greatly appreciated.

Thank You



Jacob Wenger

Jan 31, 2017, 9:09:50 PM
to fireba...@googlegroups.com
Hey there,

I am not a Swift developer, but I did write those docs and can try my best to help get you unblocked. As noted in the docs, you'll have to use a third-party JWT library. One I found for Swift that supports the encryption algorithm we use is called JSONWebToken. You are going to want to look at the RSASSA-PKCS1-v1_5 Signature > Verify section to see an example of how to take a token, a public key, and a hash algorithm to see if the token was signed by the public key's associated private key (that is, the token was minted by Firebase). Instead of .SHA256 in the code sample, you are going to want to use .RSA256 (both of those are just different types of encryption algorithms; as the docs mention, Firebase uses RSA 256).

As far as what to use for the public key, you need to fetch it from https://www.googleapis.com/robot/v1/metadata/x509/secur...@system.gserviceaccount.com as the docs suggest. I'm not sure how to do this in Swift, but there should be a built-in primitive to fetch the contents of a URL in Swift. Instead of making a request to get this data every time you want to validate an ID token, you can cache the requested data. However, we do rotate keys fairly often and you should not cache them for too long or else they may become expired. That is why the docs mention looking at the Cache-Control header to know how long before you should make a new request to the public keys URL.

If it helps, you can check out the implementation of how we do this in the Admin Node.js SDK here. That is compiled JavaScript and is not our source code, but it might give you an idea of what you need to do. Just search for "verifyIdToken" on that page to see where the implementation starts.

If you still can't figure things out, I will see if I can get someone on the Firebase team with more Swift experience to help you out further. Hopefully you have enough information to get unstuck though!

Cheers,
Jacob


miamiHeat4life

Feb 1, 2017, 4:54:17 PM
to Firebase Google Group
Hi Jacob,

Thanks for your help and support. 

Unfortunately, I am still stuck. I took a look at the JSONWebToken RSASSA-PKCS1-v1_5 Signature section and see 3 different ways of creating a key; I am not even clear on what inputs to use to do this (e.g. I see 3 different 'keys' in https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com).

If the Swift team could walk me through in detail how to achieve this, preferably using vapor-jwt (https://github.com/siemensikkema/vapor-jwt) as the third-party JWT, I would greatly appreciate it.

Let me know if this is possible.

Thanks





miamiHeat4life

Feb 8, 2017, 6:34:38 PM
to Firebase Google Group
Hi,

Would it be possible to get someone on the Firebase team with more Swift experience to help you out further? 

Thanks


Kato Richardson

Feb 9, 2017, 12:23:04 PM
to Firebase Google Group
Hi there,

There is no "swift team", sorry. Nor do we have bandwidth to provide consulting services on implementation at present. I know that's annoying, but the best we can do at this scale (a community of nearly a million developers) is to answer specific, technical questions.

Please keep in mind that Swift is not a supported server-side tool yet. If you want this to be simple and straightforward, then the ideal answer here would be to use one of the supported SDKs, which are documented and have examples ready-made.

Otherwise, following the instructions for issuing tokens from third party tools is the best approach, and the closest example we have to offer.

☼, Kato



Jacob Wenger

Feb 9, 2017, 1:20:01 PM
to fireba...@googlegroups.com
Just to tack on to what Kato said and hopefully get you unblocked:

> Unfortunately, I am still stuck. I took a look at JSONWebToken / RSASSA-PKCS1-v1_5 Signature section and see 3 different ways on creating a key, I am not even clear on what inputs to use to do this. 

I only see one example here, which I think is what you want. jwt should be your Firebase ID token and publicKey should be one of the public keys from the googleapis.com URL.



All of those keys are valid and, as noted in the docs, you should use the one that matches the kid claim from your ID token.


> If the swift team walk-me through in detail on how to achieve this, preferably using vapor-jwt as the third-party JWT, I would greatly appreciate it.

I'm not familiar with that JWT library and they don't exactly document how to verify a key signed with a private / public key pair using RS256. You can maybe open up a new issue on their GitHub repo asking them to add an example. Here is my best guess at how it would work:

let jwt3 = try JWT(token: "<FIREBASE_ID_TOKEN>")
let isValid = try jwt3.verifySignature(using: RS256(key: "<PUBLIC_KEY_FROM_GOOGLEAPIS_URL>"))


Hopefully that helps get you unblocked.

Cheers,
Jacob
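
The steps discussed in this thread (pick the key matching the token's kid, cache the key set for the Cache-Control max-age, verify the RS256 signature), as an added Node.js example that is not code from the posters or from Firebase. Assumptions: `fetchKeys` is a hypothetical synchronous stand-in for the HTTPS GET of the public keys URL, `signSample` builds a constructed token with a throwaway key pair, and the exp/aud/iss/sub checks follow the Firebase ID token documentation rather than anything stated in the thread. The real endpoint serves X.509 certificates in PEM form, which `verify()` accepts in the same argument position as the bare public key used here.

```javascript
const nodeCrypto = require('crypto');

// Node's 'base64' decoder also accepts the URL-safe alphabet used by JWTs.
const decodeJson = (seg) => JSON.parse(Buffer.from(seg, 'base64').toString('utf8'));
const encodeJson = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// kid -> PEM map, refetched once the Cache-Control max-age has elapsed.
// fetchKeys is a hypothetical synchronous stand-in for the HTTPS GET.
class KeyCache {
  constructor(fetchKeys) { this.fetchKeys = fetchKeys; this.keys = {}; this.expiresAt = 0; }
  get(kid, nowMs) {
    if (nowMs >= this.expiresAt) {
      const { body, cacheControl } = this.fetchKeys();
      const m = /max-age=(\d+)/.exec(cacheControl || '');
      this.keys = body;
      this.expiresAt = nowMs + (m ? Number(m[1]) * 1000 : 0); // no max-age: refetch each time
    }
    return Object.prototype.hasOwnProperty.call(this.keys, kid) ? this.keys[kid] : undefined;
  }
}

function verifyIdToken(token, cache, projectId, nowMs = Date.now()) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const header = decodeJson(parts[0]);
  // Pin the algorithm; never let the token choose how it is verified.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const pem = cache.get(header.kid, nowMs);
  if (!pem) throw new Error('unknown kid');
  const ok = nodeCrypto.createVerify('RSA-SHA256')
    .update(parts[0] + '.' + parts[1])
    .verify(pem, Buffer.from(parts[2], 'base64'));
  if (!ok) throw new Error('bad signature');
  const claims = decodeJson(parts[1]);
  if (!(claims.exp > nowMs / 1000)) throw new Error('expired');
  if (claims.aud !== projectId) throw new Error('wrong aud');
  if (claims.iss !== 'https://securetoken.google.com/' + projectId) throw new Error('wrong iss');
  if (typeof claims.sub !== 'string' || !claims.sub) throw new Error('missing sub');
  return claims;
}

// Constructed sample: a throwaway key pair signs a token the way the issuer would.
function signSample(header, claims, privateKey) {
  const input = encodeJson(header) + '.' + encodeJson(claims);
  const sig = nodeCrypto.createSign('RSA-SHA256').update(input).sign(privateKey, 'base64');
  return input + '.' + sig.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
```

The signature is checked before any claim is trusted, and a kid that is not in the cached set is rejected rather than falling back to another key.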
