borysn - 5 months ago
Java Question

firebase | Verify ID tokens using a third-party JWT library

Attempting to validate Firebase ID tokens using jjwt. Using the GoogleCredential class to pull the private key, but I'm not sure if that's correct. Receiving an error:

JWT signature does not match locally computed signature.
Am I supposed to be using the private key here from the service account JSON? Maybe I'm misunderstanding what ...setSigningKey(...) takes in.

import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.common.io.ByteStreams;
import io.jsonwebtoken.Jwts;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import java.io.*;
import java.security.GeneralSecurityException;

public class FirebaseAuthVerifier implements AuthVerifier {

    private static final Logger logger = LoggerFactory.getLogger(FirebaseAuthVerifier.class);

    private FirebaseProperties fbProps;

    public boolean verify(AuthToken token) throws GeneralSecurityException, IOException {
        // get google credential from the service-account file
        InputStream stream = new FileInputStream("src/main/resources/service-account.json");
        ByteArrayOutputStream streamCopy = new ByteArrayOutputStream();
        ByteStreams.copy(stream, streamCopy);

        GoogleCredential gc = GoogleCredential.fromStream(
                new ByteArrayInputStream(streamCopy.toByteArray()),
                new NetHttpTransport(),
                JacksonFactory.getDefaultInstance());

        try {
            // the parse call was lost in extraction; reconstructed as the question describes:
            // the service-account private key is handed to setSigningKey, which is what fails
            Jwts.parser()
                    .setSigningKey(gc.getServiceAccountPrivateKey())
                    .parseClaimsJws(token.getToken()); // AuthToken accessor name assumed
        } catch (Exception e) {
            logger.error("Firebase auth token verification error: ", e);
            // claims may have been tampered with
            return false;
        }

        return true;
    }
}


You're on the right lines! The key from the service account is used when creating JWTs to send to Google/Firebase. You really don't want to put that in your APK, as any malicious individual could steal it and use it to create ID tokens as you!

When you're validating a token from Firebase, you need to check Firebase's own keys - luckily, these are public! You can grab them from - they rotate every few hours. If you look in that file you'll see it's a JSON dictionary, like this:

"8226146523a1b8894ba03ad525667b9475d393f5": "---CERT---",

The key in this is the kid field in the header of the ID token JWT - it corresponds to the key the token was signed with, meaning the cert that corresponds can be used to verify the signature.

Take a look at the (server side) docs for validating ID tokens for more.
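Worked example of the approach the answer describes, added here and not code from either poster: a jjwt SigningKeyResolver that selects Google's public cert by the token's kid header and verifies the signature with that cert's public key. It assumes the certs JSON has already been fetched and parsed into a Map (kid to PEM string) and that the Firebase project id is known; both are constructor arguments.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwsHeader;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SigningKeyResolverAdapter;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Map;

/** Verifies a Firebase ID token against Google's published X.509 certs, chosen by the "kid" header. */
public class FirebaseIdTokenVerifier {

    private final Map<String, String> pemCertsByKid; // kid -> PEM cert, as in the JSON file (assumed fetched)
    private final String projectId;                  // Firebase project id (assumed known)

    public FirebaseIdTokenVerifier(Map<String, String> pemCertsByKid, String projectId) {
        this.pemCertsByKid = pemCertsByKid;
        this.projectId = projectId;
    }

    /** Returns the verified claims; throws on bad signature, wrong alg, expiry, issuer or audience. */
    public Claims verify(String idToken) {
        return Jwts.parser()
                .requireAudience(projectId)
                .requireIssuer("https://securetoken.google.com/" + projectId)
                .setSigningKeyResolver(new SigningKeyResolverAdapter() {
                    @Override
                    public Key resolveSigningKey(JwsHeader header, Claims claims) {
                        // Firebase signs with RS256; refuse anything else so an attacker-chosen
                        // "alg" (e.g. HMAC with the public cert as secret) cannot be used
                        if (!"RS256".equals(header.getAlgorithm())) {
                            throw new IllegalArgumentException("unexpected alg " + header.getAlgorithm());
                        }
                        String pem = pemCertsByKid.get(header.getKeyId());
                        if (pem == null) {
                            // unknown kid: the cert set rotates, so the caller should refresh and retry
                            throw new IllegalArgumentException("no cert for kid " + header.getKeyId());
                        }
                        return publicKeyFromPem(pem);
                    }
                })
                .parseClaimsJws(idToken) // SignatureException if the signature does not verify
                .getBody();
    }

    /** Parses a PEM "-----BEGIN CERTIFICATE-----" block and returns its public key. */
    static Key publicKeyFromPem(String pem) {
        try {
            X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
            return cert.getPublicKey();
        } catch (CertificateException e) {
            throw new IllegalStateException("malformed cert in key set", e);
        }
    }
}
```

The resolver pins the algorithm and looks up only the cert matching the token's kid, so the private key from the service account is never involved on the verifying side.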