Auth: GetToken() generates invalid token (Firebase ID token has invalid signature)

[eliezedeck]

This error is likely to be related to https://stackoverflow.com/questions/44014877/firebase-id-token-has-invalid-signature in 2017.

• I am using the C++ client SDK, targetting Android platform
• I properly get a token that contains good information (when checked with https://jwt.io/)
• This token's provider is Google Sign In
• As reported on the above StackOverflow question, Email & Password provider generates a proper token
• I have an HTTPS Cloud Function that verifies this token using admin.auth().verifyIdToken()
• An exception is generated when I verify any token from the client, with the following message: Firebase ID token has invalid signature. See https://firebase.google.com/docs/auth/admin/verify-id-tokens for details on how to retrieve an ID token.

I have tried to manually verify the token, and I could not verify the token to match any keys I could find. I have tried the following keys:

• https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com
• https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com

I believe this is a bug, not a temporary issue. And I also believe this is a supported use-case, so it needs to be fixed. As reported by the StackOverflow question, this also applies to Unity.

Thanks.

[a-maurice]

Hi @eliezedeck

Thanks for the information. I will follow up with the Firebase Authentication team to see if we can figure out what the problem might be.

[justinwyer]

@a-maurice I have just started using firebase auth with a flutter application and I am running into exactly the same problem. It appear (in my case) that the token is missing part of the signature portion of the JWT.

The first token below was created in the flutter application using: https://github.com/flutter/plugins, the second was created using the web client: https://github.com/firebase/firebase-js-sdk

eyJhbGciOiJSUzI1NiIsImtpZCI6ImZmMWRmNWExNWI1Y2Y1ODJiNjFhMjEzODVjMGNmYWVkZmRiNmE3NDgiLCJ0eXAiOiJKV1QifQ.eyJuYW1lIjoiSnVzdGluIFd5ZXIiLCJwaWN0dXJlIjoiaHR0cHM6Ly9saDMuZ29vZ2xldXNlcmNvbnRlbnQuY29tLy1GQjhMbERoRlNVOC9BQUFBQUFBQUFBSS9BQUFBQUFBQUJtQS9ubGotRXd5NGx1QS9waG90by5qcGciLCJpc3MiOiJodHRwczovL3NlY3VyZXRva2VuLmdvb2dsZS5jb20vc3VzdS1kZXYiLCJhdWQiOiJzdXN1LWRldiIsImF1dGhfdGltZSI6MTU1NDEzMTI3NywidXNlcl9pZCI6Ikx3aUJSYmpvaXZmRDdXd3pOekFjT3JoTFVheDEiLCJzdWIiOiJMd2lCUmJqb2l2ZkQ3V3d6TnpBY09yaExVYXgxIiwiaWF0IjoxNTU0MTMxMjc4LCJleHAiOjE1NTQxMzQ4NzgsImVtYWlsIjoianVzdGluQGxpZmVhc2FnZWVrLmNvbSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJmaXJlYmFzZSI6eyJpZGVudGl0aWVzIjp7Imdvb2dsZS5jb20iOlsiMTA2NTExOTYzODMxMzg0NzY5MTE2Il0sImVtYWlsIjpbImp1c3RpbkBsaWZlYXNhZ2Vlay5jb20iXX0sInNpZ25faW5fcHJvdmlkZXIiOiJnb29nbGUuY29tIn19.gHMBeEx_dCJE8ESpa1C1g210ubuMREFlVsUYhQyCeW59CKwKI_yCXY3WJ9POMrBGsGjF7IOEkgZddAb10ETdUYCLLZn2up0gPl6-Vo5waEq0Bp5f24p7LQbiIptYX-_n0jpqU7U8obUopIU96QR8goeGDnY4WcYDo_L-6ec_1mSvK9tTExIifFv-yp_lyZhf0G2CkulwQBpe2hk-
eyJhbGciOiJSUzI1NiIsImtpZCI6ImZmMWRmNWExNWI1Y2Y1ODJiNjFhMjEzODVjMGNmYWVkZmRiNmE3NDgiLCJ0eXAiOiJKV1QifQ.eyJuYW1lIjoiSnVzdGluIFd5ZXIiLCJwaWN0dXJlIjoiaHR0cHM6Ly9saDMuZ29vZ2xldXNlcmNvbnRlbnQuY29tLy1GQjhMbERoRlNVOC9BQUFBQUFBQUFBSS9BQUFBQUFBQUJtQS9ubGotRXd5NGx1QS9waG90by5qcGciLCJpc3MiOiJodHRwczovL3NlY3VyZXRva2VuLmdvb2dsZS5jb20vc3VzdS1kZXYiLCJhdWQiOiJzdXN1LWRldiIsImF1dGhfdGltZSI6MTU1NDExNjcwNSwidXNlcl9pZCI6Ikx3aUJSYmpvaXZmRDdXd3pOekFjT3JoTFVheDEiLCJzdWIiOiJMd2lCUmJqb2l2ZkQ3V3d6TnpBY09yaExVYXgxIiwiaWF0IjoxNTU0MTMxMDYzLCJleHAiOjE1NTQxMzQ2NjMsImVtYWlsIjoianVzdGluQGxpZmVhc2FnZWVrLmNvbSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJmaXJlYmFzZSI6eyJpZGVudGl0aWVzIjp7Imdvb2dsZS5jb20iOlsiMTA2NTExOTYzODMxMzg0NzY5MTE2Il0sImVtYWlsIjpbImp1c3RpbkBsaWZlYXNhZ2Vlay5jb20iXX0sInNpZ25faW5fcHJvdmlkZXIiOiJnb29nbGUuY29tIn19.AspFg7qbFmMhM2beSaSkvqmJT2tdhxnMf-uvFwJVX53FBP5m4WbKIOAGwQz7Gr7mvmVpdbUa3kpR7qQLOEXfVlYSa7O6mVLRbzuTov5swKlqG81Djc7dodCXOevxPP5yolafcIzj7OF62d4LqLnySOD0l2tzkhQcGASlAcDkd6J3-_DSK04VbbNLqg4fTt9hnvXmEV-MFMtxMpNwS6iNYh5IYP2xMH1hffWVL9cbm7Mc4j952sd6uu5-C4bTYsZurS5I8Zx2bgJ5E6JLRPFhKmUBmgFVZh3HYxDW3SkTTMAhfIV9p5GXpa3iW6xKxAZraKF8DlpISHoFWZoMicHYYg

[alan89]

Hello @eliezedeck,

Could you provide some examples of your JWTs just like @justinwyer? That information will be used to verify what is failing and determinate if we can prevent the error somehow. In case you don't feel comfortable sharing that information here, you can open a support case .

Thanks :)

[stewartmiles]

Hi @justinwyer & @eliezedeck any update on this? Did you resolve your issue?

[eliezedeck]

Hi, unfortunately, I'm currently working on a different project and have no spare time to re-check this (it's in a completely different OS on a different drive).

To be clear, I don't think there is a way to solve this issue from our side. It has to be solved from Firebase team's side since we don't know how these tokens are generated and with which key.

@alan89, are you from Firebase team? Apparently, this issue shouldn't be hard to trace, but I don't know anything about the Firebase internals at Google's side. Tracing which internal API is the C++/Unity SDK is using should probably reveal the problem. That said, it shouldn't require us to provide our generated JWTs; while that can be done, I am currently in a situation where I can't re-generate new tokens.

[francis6425]

I'm also running into the same issue with the jwt generated from flutter and tested with a cloud function to verify it. Hope firebase can solve the issue fast.

[a-maurice]

Hi @francis6425,

We are still having some trouble getting this bug tracked down on our end. If you could file a support request via https://firebase.google.com/support, and provide that with the tokens that are having the problem, that might help us track down the issue faster.

[wens134]

I just encountered the same issue.

Created new flutter app
Add firebase_auth and google_sign_in plugin
Sign in with google
Use google access token and id token to get FirebaseUser instance
Call FirebaseUser.getIdToken()

However this id token is invalid

I have submitted a new support ticket and attached the token and screenshot
Hope can be resolved soon

[lmott337]

I also have this issue when retrieving the token in Firebase and then trying to sign in again (after a period of inactivity). Using jwt.io it does report invalid signature.

[rohantalesara]

I'm having the exact same issue, though I'm using firebase-js-sdk and not flutter. The token generated using user.getIdToken() has an invalid signature when I checked with jwt.io
I posted this issue on firebase/firebase-js-sdk#1958

[wens134]

My issue was because the id token printed out in dart console is truncated to 1000 characters.
No issue on the SDK.
It was just dart didnt print full token so half of the siganture is not printed out