kreait / firebase-tokens-php

A PHP library to work with Firebase tokens
MIT License

Unable to verify token Exception Firebase\Auth\Token\Exception\UnknownKey #15

Closed vkiranmaniya closed 5 years ago

vkiranmaniya commented 5 years ago

Firebase verifyIdToken fails with the exception Firebase\Auth\Token\Exception\UnknownKey.

Stacktrace:

A key with ID "3494b1e786cdad092e423766bbe37f54ed87b22d" could not be found. {"exception":"[object] (Firebase\\Auth\\Token\\Exception\\UnknownKey(code: 0): A key with ID \"3494b1e786cdad092e423766bbe37f54ed87b22d\" could not be found. at /home/fgx3uhiothty/public_html/vendor/kreait/firebase-tokens/src/Verifier.php:132)

jeromegamez commented 5 years ago

The error is accurate: https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com

The kid header of the token you want to verify is wrong or outdated.

vkiranmaniya commented 5 years ago

How do I resolve the issue? Should I regenerate the service account JSON file?

jeromegamez commented 5 years ago

This shouldn’t have anything to do with the ServiceAccount file. The verification itself works, but the kid header of the ID Token you’re verifying is incorrect 🤔

Where does the ID Token come from? Was it perhaps generated in a non-Firebase project?

Another possibility is that Google has rotated the public keys shortly after the generation of the ID Token - in this case, newly generated ID tokens should be verifiable again by now.

If you are using a cache in the KeyStore of this library, you could try flushing it.

vkiranmaniya commented 5 years ago

I flushed the cache and everything, but the error is still the same. However, the ID tokens issued for Android get verified without any error. The issue only arises with the iOS device. I'm testing with the simulator.

jeromegamez commented 5 years ago

If it works for the Android device but not for the iOS device, unfortunately, there is not much I can do in the scope of this library. Are the ID tokens generated with a Firebase Client SDK in your iOS application? This library can only verify Firebase ID tokens.

vkiranmaniya commented 5 years ago

I have a Firebase project configured for both Android and iOS. I retrieved the Firebase token from Firebase Auth. The Android and iOS devices use Firebase Auth, and as part of a successful auth, Firebase returns a token to the device. The device sends that token with the registration request to the backend API. From there I'm verifying that ID token using Kreait Firebase for authentic registration. That token only comes from Firebase.

jeromegamez commented 5 years ago

I’m sorry that I cannot help further, but if one works and the other doesn’t, I currently don’t see how I can help except asking (seemingly stupid) questions with possible issues that come to my mind :/.

If you compare the ID tokens of both, do they look similar, except for the kid header? Does the iOS application use the latest version of the iOS Client SDK?

vkiranmaniya commented 5 years ago

@jeromegamez I figured out the problem, and there is a major bug in your library. You can read my complete post and solution to the issue at https://stackoverflow.com/questions/57724796/firebase-ios-idtoken-invalid-kid-exception-in-backend-while-verifyidtoken-in. Can I fork and create a pull request to the repo kreait/firebase?

jeromegamez commented 5 years ago

I don’t appreciate the claim that this is a "major bug" - you tried to verify a Google Identity Platform ID Token instead of a Firebase ID Token, and solved this by using the right tool to do it instead. Google Auth != Firebase Auth.

Thank you for pointing people with a similar issue to your solution on Stack Overflow - there’s no need for a PR, using google/apiclient is the way to go :+1:

vkiranmaniya commented 5 years ago

@jeromegamez You are still not getting the exact issue: the token is a Firebase token received from the iOS device, so it should be verifiable by the verifyIdToken method. As you said, it was a Google Identity Platform ID Token (I confirmed), but it's also correct that it was issued by Firebase, not by any other platform or SDK. The token is obtained from iOS Firebase Gmail Authentication, so it must be a Firebase token. Do you need a reproducible demo application to run?

vkiranmaniya commented 5 years ago

google/apiclient is the way, but my question is why not with the Firebase Admin SDK? Maybe we can investigate together and resolve it. I'm sure about the issue. "It took a month to identify the issue on the production system, and we lost hundreds of new users just because they weren't able to register themselves, at least" - appreciation from the client
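Added example (not part of this thread or of the kreait library): a Python triage script that decodes a token's header and claims without verifying it and tells, from the iss claim, whether its kid should be looked up in the Firebase securetoken key set named in the error message or in Google's own OAuth2 cert set. The sample tokens, the placeholder kid values and the GOOGLE_KEYS_URL constant are assumptions for illustration.

```python
import base64
import json

# URL quoted in the thread for Firebase ID-token signing certs, and the
# Google Sign-In / Identity Platform equivalent (assumption: not on the page).
FIREBASE_KEYS_URL = "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com"
GOOGLE_KEYS_URL = "https://www.googleapis.com/oauth2/v1/certs"
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}


def _b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unverified(token):
    """Return (header, claims) WITHOUT checking the signature: triage only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated segments)")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def classify(token, firebase_kids, google_kids):
    """Tell from the iss claim which key set should hold the token's kid.
    A kid that is absent from the Firebase set is what this library reports
    as Firebase\\Auth\\Token\\Exception\\UnknownKey."""
    header, claims = decode_unverified(token)
    kid, iss = header.get("kid"), claims.get("iss", "")
    if iss.startswith("https://securetoken.google.com/"):
        kind, expected = "firebase-id-token", firebase_kids
    elif iss in GOOGLE_ISSUERS:
        kind, expected = "google-identity-id-token", google_kids
    else:
        kind, expected = "unknown", set()
    return {"kind": kind, "kid": kid, "iss": iss, "aud": claims.get("aud"),
            "kid_in_expected_keyset": kid in expected,
            "kid_in_firebase_keyset": kid in firebase_kids}


def make_unsigned_token(header, claims):
    """Build a JWT-shaped string with a dummy signature (constructed sample)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.c2ln"


# Constructed sample data: kid values are placeholders, not real Google key IDs.
FIREBASE_KIDS, GOOGLE_KIDS = {"fb-kid-placeholder"}, {"google-kid-placeholder"}
FIREBASE_SAMPLE = make_unsigned_token(
    {"alg": "RS256", "kid": "fb-kid-placeholder"},
    {"iss": "https://securetoken.google.com/demo-project", "aud": "demo-project", "sub": "uid-1"})
GOOGLE_SAMPLE = make_unsigned_token(
    {"alg": "RS256", "kid": "google-kid-placeholder"},
    {"iss": "https://accounts.google.com", "aud": "demo-client-id.apps.googleusercontent.com", "sub": "1"})
```

In a real backend, replace the placeholder kid sets with the kid keys of the JSON maps served at the two URLs; a token whose iss is accounts.google.com will never match the securetoken set, which is exactly the UnknownKey case in this thread.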