JWT with Firebase for secure authentication

[kildos]

Hello! First of all, I want to thank you for your great work on this API, @mevdschee. I've used it in a couple of projects, and it has worked seamlessly.

Now, let's get to the point. I want to use Firebase for user authentication, but there's something I don't quite understand how it works. If the 'secrets' part use obtained data from the Google public keys at:

//code to fetch jwt key and secret
$rawPublicKeys = file_get_contents('https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com');
$keys = json_decode($rawPublicKeys, true);
$keyKidsArray = array_keys($keys);
$pKeysArray = array_values($keys);
$secrets = $keyKidsArray[0] . ':' . $pKeysArray[0] . ',' . $keyKidsArray[1] . ':' . $pKeysArray[1];

as suggested in this Issue (#708).

How does this API verify that a user has logged into my legitimate app (and not other) if it only checks public keys? In other words, if someone creates a new Firebase project and adds my email, and that person logs in into his project with my email, he would obtain a valid Firebase token, so...could they call my API with that token, and would the middleware allow the access since it's a valid token for Firebase? My question is: where does the API supposedly verify some kind of private key?

I feel like I'm missing something, and I'm a bit confused about this.

Thanks again for your work, @mevdschee ❤️

[nik2208]

That's the point about JWT: it's not about granting access; it's about authentication. Once uniquely authenticated, the granting process should be implemented at the application level. For example, by creating a local account with the sub-contained data or matching the user with an existing local account. Logging out is also not straightforward. That's why JWT tokens have a very short lifespan, and strategies like key rotation or refresh tokens are used to periodically validate who has access and who does not.

A JWT token consists of a header, a payload, and a signature. With each request, you can verify the payload content and match it with your authorized users. If they are not your users, you can register them in your database or remove them if necessary.

to check the payload u can enable the authorisation middleware

...
'middlewares' => 'cors,json,jwtAuth,authorization,customization',
...

and then

...
'authorization.recordHandler' => function ($operation, $tableName) {
            if($tableName === '<YourSensibleTable>')
                return 'filter=<userIdField>,eq,'.$_SESSION['claims']['sub'];
            return false;
        },
...

[kildos]

Thank you for your response @nik2208, I really appreciate it. I am a mobile developer with no deep experience on the backend part so I apologize in advance for any concept error that I may say.

My idea was precisely what you mentioned: to use the 'claims' that come in the 'payload' part of the token to securely authenticate who is accessing my API. However, I still don't understand how the API ensures that this token belongs to my Firebase project and not someone else's. If someone knew that steve.jobs@apple.com was registered in my database, that person could create a project in Firebase, create a fake user with that email, and obtain a valid token. Then, if that person sent a request to my API with that token, my API would let them in and believe it's the real steve.jobs@apple.com, because the 'claims' would contain that email. Am I wrong?

Thanks a lot for your help

[nik2208]

U usually share/set the secret key with/on the issuer (firebase in the case) relevant setup page, if u can actually verify the signature (keys signed with other audience's keys would eventually fail when attempting to verify them with your secret key, does it sound?) it means that that particular token has been issued using your keys and not others. You would have access to the claims anyway, whether the jwt signature verification process fails or succeeds.

[kildos]

@nik2208
I've been thinking that I could address my concern by having the API check that the 'aud' claim matches my Firebase project's ID. This way, I would ensure that the token comes from my actual project. This simple check could be added in the authorization.recordHandler as well, right? Thank you!

[nik2208]

well, I don't know how private is your firebase project Id, the shared secret key should be the way to do it.

What's the content of the decoded jwt token (paste it here) u get from firebase?

[kildos]

@nik2208

well, I don't know how private is your firebase project Id, the shared secret key should be the way to do it.

But even if my project ID was leaked, no one could ever create a valid token with the 'aud' claim of my ID project, because they can't sign valid Firebase tokens without the Firebase private key. And firebase generates that token based on the authentication. Right?

What's the content of the decoded jwt token (paste it here) u get from firebase?

{
"alg": "RS256",
"kid": "f2e82732b971a135cf1416e8b46dae04d80894e7",
"typ": "JWT"
}

{
"iss": "https://securetoken.google.com/sic-poc",
"aud": "sic-poc",
"auth_time": 1697220761,
"user_id": "fXJ3TTQAYRZ2NF5qvXlHUt2vOXC3",
"sub": "fXJ3TTQAYRZ2NF5qvXlHUt2vOXC3",
"iat": 1697220761,
"exp": 1697224361,
"email": "kildos@kildos.com",
"email_verified": false,
"firebase": {
"identities": {
"email": [
"kildos@kildos.com"
]
},
"sign_in_provider": "password"
}
}

[nik2208]

but I can generate a jwt token containing this exact payload (no need to be firebase the issuer). The only tool u can make use of is the signature verification, that states that the token has been issued and sealed using ur key, that supposedly is owned only by you and firebase.

[kildos]

@nik2208 But that check is already done when using the jwtAuth and authorization middlewares, isn't it? I mean, currently I use this on my config, that (at least it is what I understand) check that the token is signed by Firebase, so even if you send me a token with that payload, the check would not work, isn't it?

     //code to fetch jwt key and secret
$rawPublicKeys = file_get_contents('https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com');
$keys = json_decode($rawPublicKeys, true);
$keyKidsArray= array_keys($keys);
$pKeysArray = array_values($keys);
$secrets = $keyKidsArray[0] . ':' . $pKeysArray[0] . ',' . $keyKidsArray[1] . ':' . $pKeysArray[1];


$config = new Config([
    'driver' => 'mysql',
    'address' => 'localhost',
    'port' => '3306',
    'username' => 'test',
    'password' => 'passTest',
    'database' => 'testDB',
    'middlewares' => 'cors, jwtAuth, authorization',
    'jwtAuth.secrets' => $secrets,
    'cors.allowedOrigins' => '*',
    'cors.allowHeaders' => 'X-Authorization',
    'debug' => true
]);

If I am missing something I apologize, I try to understand how can I check the signature verification on this API, like you said. Thanks again

[nik2208]

are u manually fetching the jwt token from firebase?

[kildos]

@nik2208 Yes, my app calls the native Firebase iOS SDK to do the login, and if the login is successful, I call the getIDTokenResult of their SDK to get the token. Then, I use that token to call this API

[nik2208]

your app should store the received token in the headers, now instead, if I understand the code above, ure actually using the jwt code as secret, when the secret should be the same key you stored in firebase to sign the token

[nik2208]

your requests should look like this:

the jwt middleware then reads the token from the header and decodes it

[nik2208]

have a read here #926