traefik-plugins / traefik-jwt-plugin

Traefik plugin which checks JWT tokens for required fields. Supports Open Policy Agent (OPA) and signature validation with JWKS
Apache License 2.0

Verifying FirebaseKeys #65

Closed PierreSnell closed 7 months ago

PierreSnell commented 8 months ago

I'm trying to follow https://firebase.google.com/docs/auth/admin/verify-id-tokens#verify_id_tokens_using_a_third-party_jwt_library so I can validate my Firebase JWT tokens with this plugin.

Here is the config:

{
  "JwtHeaders":{ "X-Subject": "sub"},
  "Keys":[ "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com"  ],
  "Alg": "RS256",
  "PayloadFields":[ "iss",  "aud", "auth_time", "user_id", "sub", "iat", "exp", "email", "email_verified", "firebase" ],
  "Required": "true"
}

Using it, all my requests are giving: token validation failed. But the token is valid.

However, I'm not sure if I need to provide a private key as shown on https://jwt.io/, but if I do, it raises an error saying that it couldn't extract the key.

PierreSnell commented 8 months ago

I think I found the problem.

The link https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com refers to certificates, which are not public keys.

I loaded them (in python), extracted the public key, and placed it in the Keys config field and now everything is working like a charm.

Still, it would be nice to have the possibility to load the "google json certificate".

Have a great day :)
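
The conversion described in the comment above, as an added example in Go (not code from this thread or from the plugin): it takes the JSON object the Google endpoint serves, key ID mapped to a PEM X.509 certificate, and returns the PEM public key for each key ID. The names `PublicKeysFromCerts` and `SampleDoc` are hypothetical, and the sample certificate is a throwaway self-signed one constructed at run time.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// PublicKeysFromCerts maps {"kid": PEM certificate} to {"kid": PEM public key}.
func PublicKeysFromCerts(doc []byte) (map[string]string, error) {
	var certs map[string]string
	if err := json.Unmarshal(doc, &certs); err != nil {
		return nil, fmt.Errorf("not a kid-to-certificate map: %w", err)
	}
	keys := make(map[string]string, len(certs))
	for kid, certPEM := range certs {
		block, _ := pem.Decode([]byte(certPEM))
		if block == nil || block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("kid %s: no CERTIFICATE PEM block", kid)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("kid %s: %w", kid, err)
		}
		// The certificate's SubjectPublicKeyInfo is exactly the body of a "PUBLIC KEY" PEM.
		keys[kid] = string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: cert.RawSubjectPublicKeyInfo}))
	}
	return keys, nil
}

// SampleDoc builds a constructed one-entry document (errors ignored: sample data only).
func SampleDoc(kid string) ([]byte, *rsa.PublicKey) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed"}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	doc, _ := json.Marshal(map[string]string{kid: string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))})
	return doc, &priv.PublicKey
}

func main() {
	doc, _ := SampleDoc("constructed-kid")
	fmt.Println(PublicKeysFromCerts(doc))
}
```

Google rotates these certificates, so public keys extracted once and pasted into `Keys` go stale; the endpoint's `Cache-Control` `max-age` indicates when to fetch and convert again.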