Could not verify token signature.

[hrqnogueira]

[REQUIRED] Step 2: Describe your environment

• Operating System version: Windows 10 1903
• Library version: 4.2.0
• Firebase Product: auth

[REQUIRED] Step 3: Describe the problem

I am developping a Flutter app inwhich I have a Facebook Sign In flow, then I authenticate the user on Firebase. In my backend code, I am using firebase_admin to authorize client calls, validating the tokens against firebase.

The mobile part is working fine and I was able to get the ID token once the firebase authentication flow succeeded. When I send the ID token to my backend to perform the token verification, it failes with the following stracktrace:

C:\ProgramData\Anaconda3\lib\site-packages\firebase_admin\auth.py in verify_id_token(id_token, app, check_revoked)
    192     """
    193     client = _get_client(app)
--> 194     return client.verify_id_token(id_token, check_revoked=check_revoked)
    195
    196

C:\ProgramData\Anaconda3\lib\site-packages\firebase_admin\_auth_client.py in verify_id_token(self, id_token, check_revoked)
    100                              ' bool, but given "{0}".'.format(type(check_revoked)))
    101
--> 102         verified_claims = self._token_verifier.verify_id_token(id_token)
    103         if self.tenant_id:
    104             token_tenant_id = verified_claims.get('firebase', {}).get('tenant')

C:\ProgramData\Anaconda3\lib\site-packages\firebase_admin\_token_gen.py in verify_id_token(self, id_token)
    236
    237     def verify_id_token(self, id_token):
--> 238         return self.id_token_verifier.verify(id_token, self.request)
    239
    240     def verify_session_cookie(self, cookie):

C:\ProgramData\Anaconda3\lib\site-packages\firebase_admin\_token_gen.py in verify(self, token, request)
    342             if 'Token expired' in str(error):
    343                 raise self._expired_token_error(str(error), cause=error)
--> 344             raise self._invalid_token_error(str(error), cause=error)
    345
    346     def _decode_unverified(self, token):

InvalidIdTokenError: Could not verify token signature.

Steps to reproduce:

I created a simple snippet that allows me to test the problem:

>>> import firebase_admin
>>> from firebase_admin import auth as firebase_auth
>>> credentials = firebase_admin.credentials.Certificate('service_account.json')
>>> firebase = firebase_admin.initialize_app(credentials)
>>> id_token = "..."  # Extracted from my client code after firebase authentication succeeded
>>> firebase_auth.verify_id_token(id_token)

Relevant Code:

Digging a bit deeper, I found out the the verification is failing in the pkcs1.py file:

def verify(message, signature, pub_key):
    ...
    method_name = _find_method_hash(clearsig)

The method _find_method_hash() above tries to look for byte sequence specific to hashing algos using the following definition:

HASH_ASN1 = {
    'MD5': b'\x30\x20\x30\x0c\x06\x08\x2a\x86\x48\x86\xf7\x0d\x02\x05\x05\x00\x04\x10', 
    'SHA-1': b'\x30\x21\x30\x09\x06\x05\x2b\x0e\x03\x02\x1a\x05\x00\x04\x14', 
    'SHA-224': b'\x30\x2d\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x04\x05\x00\x04\x1c', 
    'SHA-256': b'\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01\x05\x00\x04\x20', 
    'SHA-384': b'\x30\x41\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x02\x05\x00\x04\x30', 
    'SHA-512': b'\x30\x51\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x03\x05\x00\x04\x40', 
}

and none of them matches the signature of the idToken I sent.

Let me know how can I help further.

Thanks!

[mbtodorov]

I am experiencing the exact same problem, except my flutter app authenticates users with Google sign in rather than Facebook. Any suggestions?

[hiranya911]

Probably 1 of 2 things are happening:

1. You token is indeed wrong or corrupted.
2. The crypto set up in your environment is somehow not correct.

Can you inspect the cause of the thrown exception and see what that contains?

[mbtodorov]

I must say that the problem is indeed unusual, but I think its no coincidence that I get an error at the exact same line as @hrqnogueira in the pkcs1.py.

I tried verifying the token with the Java Firebase admin SDK where it gave the same error 'Could not verify signature'. Does that mean that I've somehow failed to properly setup Firebase on both the client and server apps? Let me walk through a detailed description of the project setup:

Firstly on the mobile app, users log in with google sign-in:

final GoogleSignInAccount googleUser = await _googleSignIn.signIn();
final GoogleSignInAuthentication googleAuth = await googleUser.authentication;
final AuthCredential credential = GoogleAuthProvider.getCredential(
  accessToken: googleAuth.accessToken,
  idToken: googleAuth.idToken,
);
await _firebaseAuth.signInWithCredential(credential);

Then I get Firebase ID tokens like this:

FirebaseUser user = await _firebaseAuth.currentUser();
IdTokenResult token = await user.getIdToken();
print(token.token);

The mobile app is linked to Firebase following Google's instructions from here https://firebase.google.com/docs/flutter/setup
I think that users appearing on the Firebase console as I log them in from the app is a confirmation that the setup is done properly?

Then, for the backend, I have downloaded a service account private key .json file and i use it to initialize the app:

import firebase_admin
from firebase_admin import credentials
import os

cred = credentials.Certificate(os.path.join(os.path.dirname(os.path.abspath(__file__)), "firebase_credentials.json"))
firebase_admin.initialize_app(cred)

Then i try to verify the ID token which i get from Flutter like so:

from firebase_admin import auth

token = "... token from Flutter print() here"
decoded_token = auth.verify_id_token(token)

At this point I get an error:

To dig deeper into the error I will put 2 breakpoints:

• google.auth.jwt line 235
• rsa.pkcs1.py line 417

Note, how at the first breakpoint, the token's payload is indeed successfully decoded:

At the second breakpoint it tries to match the clearsig with MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 and after nothing matches, it throws an error which cascades back to the auth.verify_id_token(token) method call

[hiranya911]

That looks like an old version of google-auth. May be v1.6.0 or older? Try upgrading that and also other crypto dependencies. This looks like some issue with your crypto setup.

Also please refer to my previous comment, and share what's in the cause attribute of the raised exception.

[mbtodorov]

How can I do that?

[hiranya911]

To upgrade the dependencies use your package manager (usually pip), and install the latest version of google-auth.

cause is an attribute on InvalidIdTokenError, which should contain the original error raised by the crypto packages.

[mbtodorov]

Upgrading google-auth didn't solve the issue. Here is the cause:

[hiranya911]

Share one of your tokens so we can try to reproduce the issue (make sure the token is already expired).

[hiranya911]

@mbtodorov I don't know how but this token legitimately has an incorrect signature. I tried on a couple of different runtimes (Java, Python) and they all failed to verify the signature. I also tried verifying it via https://jwt.io, and it didn't validate there either. You can try it yourself. Here's the corresponding public key to verify against:

-----BEGIN CERTIFICATE-----
MIIDHDCCAgSgAwIBAgIIVKzVWRoMU5UwDQYJKoZIhvcNAQEFBQAwMTEvMC0GA1UE
AxMmc2VjdXJldG9rZW4uc3lzdGVtLmdzZXJ2aWNlYWNjb3VudC5jb20wHhcNMjAw
NTA1MDkxOTU2WhcNMjAwNTIxMjEzNDU2WjAxMS8wLQYDVQQDEyZzZWN1cmV0b2tl
bi5zeXN0ZW0uZ3NlcnZpY2VhY2NvdW50LmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAOckfYh1/aaqMN8bqvoeDUailhwMUrWUw0wOknS2HLzNUaV1
LJf0HM3IQ7xBh0W+Obe1HTGNLR/Hp8G1hPKAIdpuGJjmVdNDIg2vm99X1MPi5cXN
qF9n9JO0l9KeMkkyslGIEuujYuvDXtcgK9FrdN8xxX+eb6N5aqzQSh88TaAJ+JBQ
AwCIzo2GtdNukVePBH99xCiyMdEFX5yNfK/t6criT2740fekVRw/Si1XmBE2d+Ul
tiQFuRBLH4XWy46Zb44oGkfgLmzvnQqQh/aF8NXB47TfOa+JeLgj8rnHn3LFgTkr
kq0q7AuJheofpMzCDCYJd79Eo9/rhN2EAgtY2fUCAwEAAaM4MDYwDAYDVR0TAQH/
BAIwADAOBgNVHQ8BAf8EBAMCB4AwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwIwDQYJ
KoZIhvcNAQEFBQADggEBAB8VhDLUgN6dNiMqs4sevFKQpixCtN8yg6qiRRMtaPQN
88VETVPXh5acaN83UOOfwtTFZWyZxpSSlWbTI/1E9JJB0GCQX2T7LKm57jHSEeQ9
mI5ybpRxlm2Jvt7n5sAFHNADSbIdFNEtnGQmh9NVdwe8Zcrzl1NALgeFtiHgvVAe
uUtKehM+YxK4daNifpkO/e4PNFWgbLJpZtdcG+z+v7DH/9Fwv0JG+Z1RkXjD32iu
iDun3U2W4C7QSnh9cOCbapfkMsXjSA9NvCqUzk1FdnqS9fd8szc389QZGZqQw8WU
hT9c2fShPT13vgZfNj7fpU2EGBoa3Zu6ybck5pzi0dE=
-----END CERTIFICATE-----

How are you obtaining this token? Are you sure it didn't get truncated or something?

[mbtodorov]

Im obtaining it from the flutter client app like so:

FirebaseUser user = await _firebaseAuth.currentUser();
IdTokenResult token = await user.getIdToken();
print(token.token);

I made sure its not truncated. The fireabase user is the result of signing in with Google Sign In.

[hiranya911]

Just tried with Node.js and got the same signature error. Looks like somehow your client app has ended up with an invalid ID token. I don't think there's anything we can do about this in this repo as the Admin SDK is behaving the way it should. Please file an issue with Firebase Support: https://firebase.google.com/support and provide details about how you obtain the ID token.

@bojeil-google do you have any thoughts before I close this off?

[hiranya911]

@mbtodorov I'm not familiar with Flutter. Do you still use Firebase client SDKs to perform the authentication, or are you using some Flutter-specific API?

[bojeil-google]

Same here, I checked the token and it has an invalid signature. If this is a one off and there is no reliable way to replicate it, then I would close this.

Most of the issues we've seen before have been due to some truncation.