Firebase Admin SDK : Verifying ID tokens from the REST API
I am trying to use the verifyIdToken(idToken) method of the Admin SDK to verify an ID token received after authenticating with the REST API sign-in, but instead of getting the decoded token I get this error:
Firebase ID token has incorrect "iss" (issuer) claim. Expected "https://securetoken.google.com/"" but got "https://identitytoolkit.google.com/". Make sure the ID token comes from the same Firebase project as the service account used to authenticate this SDK. See https://firebase.google.com/docs/auth/admin/verify-id-tokens for details on how to retrieve an ID token.
As I said above, I am getting my token from the REST API, so I expected this to work.
The response I get from the API looks like this:
{
"kind": "identitytoolkit#VerifyPasswordResponse",
"localId": "pu0yjIc8tnR85X2gERdtLx684DK2",
"email": "test@test.com",
"displayName": "",
"idToken": "<token-id>",
"registered": true
}
Is this considered a custom token? If so, how do I verify it?
- Call the tokeninfo endpoint
An easy way to validate an ID token for debugging and low-volume use
is to use the tokeninfo endpoint. Calling this endpoint involves an
additional network request that does most of the validation for you,
but introduces some latency and the potential for network errors.
To validate an ID token using the tokeninfo endpoint, make an HTTPS
POST or GET request to the endpoint, and pass your ID token in the
id_token parameter. For example, to validate the token "XYZ123", make
the following GET request:
https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=XYZ123
{
// These six fields are included in all Google ID Tokens.
"iss": "https://accounts.google.com",
"sub": "110169484474386276334",
"azp": "1008719970978-hb24n2dstb40o45d4feuo2ukqmcc6381.apps.googleusercontent.com",
"aud": "1008719970978-hb24n2dstb40o45d4feuo2ukqmcc6381.apps.googleusercontent.com",
"iat": "1433978353",
"exp": "1433981953",
// These seven fields are only included when the user has granted the "profile" and
// "email" OAuth scopes to the application.
"email": "testuser@gmail.com",
"email_verified": "true",
"name" : "Test User",
"picture": "https://lh4.googleusercontent.com/-kYgzyAWpZzJ/ABCDEFGHI/AAAJKLMNOP/tIXL9Ir44LE/s99-c/photo.jpg",
"given_name": "Test",
"family_name": "User",
"locale": "en"
}
As of September 2018, the issuer of the ID token returned by the REST API appears to have changed from https://identitytoolkit.google.com/ to https://securetoken.google.com/. I can successfully verify this ID token with the Firebase Admin SDK.
[Edit]: the Firebase Admin SDK still cannot verify Facebook ID tokens returned by the identitytoolkit verifyAssertion REST API.