fschuindt/firebase_id_token

FirebaseIdToken::Signature.verify(token) returns nil, however the certificate does exist

omartorresrios opened this issue · 3 comments

Hi, this is a great gem.

I want to know if anyone could help me with this issue. When I try to verify a token I get nil, but the certificate does exist.

[Screenshot attached: 2020-08-24 11:02:40]

From my Firebase SDK file I am putting the private_key field because with the others it does not work.

[Screenshot attached: 2020-08-24 12:56:36]

[Screenshot attached: 2020-08-24 11:16:28]

Thanks!

I'm not sure if the private_key issue is relevant to the first issue of receiving nil when attempting to verify a token. What exactly are you doing when verifying the token?

I spent almost a week on this issue. It turns out this is caused by the expired token. If the token is expired, the kid from the JWT header somehow will return a value that doesn't exist in the public keys (https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com).

The only reason I can figure this out is by looking at how firebase admin sdk is implemented in other languages: https://github.com/firebase/firebase-admin-node/blob/5d72c1b40ef9383060d500e4f08678cb37ab8c0e/src/auth/token-verifier.ts#L237
Notice that if the kid doesn't exist in the public keys, the error message will say something like "Most likely the token is expired".

So here is my solution:

  1. Use verify! to raise an exception
  2. Rescue FirebaseIdToken::Exceptions::CertificateNotFound and return 401
  3. The client app will refresh the token if expired

Hope this can help other people who ran into this issue. Firebase really needs to document this well.
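The rescue-and-401 pattern described in the comment above, as an added example that is not code from the gem or from this thread. So that it runs without the gem installed, it defines a stand-in `FirebaseIdToken::Exceptions::CertificateNotFound` and a hypothetical `check_certificate!` that only performs the kid lookup step (header kid against the cached certificate key IDs); in a real app you would call the gem's `FirebaseIdToken::Signature.verify!(token)` at that point, which also checks the signature and expiry. The key IDs, tokens and `authenticate` handler are constructed for the example.

```ruby
require 'base64'
require 'json'

# Stand-in for the gem's exception class so this file runs without the gem.
# The real gem raises FirebaseIdToken::Exceptions::CertificateNotFound from verify!.
module FirebaseIdToken
  module Exceptions
    class CertificateNotFound < StandardError; end
  end
end

# Constructed: key IDs of the currently published Google x509 certificates
# (in production these come from the securetoken@system.gserviceaccount.com endpoint).
KNOWN_KIDS = %w[kid-current-a kid-current-b].freeze

# Build a JWT-shaped token (header.payload.signature) for the example. Constructed,
# unsigned, and only used to show how the kid is read from the header.
def build_token(kid:, exp:)
  enc = ->(h) { Base64.urlsafe_encode64(JSON.generate(h), padding: false) }
  [enc.call({ 'alg' => 'RS256', 'kid' => kid, 'typ' => 'JWT' }),
   enc.call({ 'sub' => 'user-123', 'exp' => exp }),
   'fake-signature'].join('.')
end

# Read the kid claim from the JWT header without verifying anything.
# This is the lookup key used to pick the certificate for signature verification.
def header_kid(token)
  header_segment = token.split('.').first
  JSON.parse(Base64.urlsafe_decode64(header_segment))['kid']
end

# Hypothetical stand-in for the gem's certificate lookup: if the header kid is not
# among the cached public certificates, raise CertificateNotFound. As the thread
# notes, an expired token typically carries a kid for a rotated-out certificate.
def check_certificate!(token, known_kids = KNOWN_KIDS)
  kid = header_kid(token)
  unless known_kids.include?(kid)
    raise FirebaseIdToken::Exceptions::CertificateNotFound,
          "no certificate for kid #{kid.inspect}; most likely the token is expired"
  end
  kid
end

# The pattern from the comment: use the raising variant, rescue CertificateNotFound,
# and answer 401 so the client refreshes its ID token and retries.
def authenticate(token)
  check_certificate!(token) # replace with FirebaseIdToken::Signature.verify!(token) in a real app
  { status: 200, body: 'ok' }
rescue FirebaseIdToken::Exceptions::CertificateNotFound => e
  { status: 401, body: e.message }
end

if __FILE__ == $PROGRAM_NAME
  fresh = build_token(kid: 'kid-current-a', exp: Time.now.to_i + 3600)
  stale = build_token(kid: 'kid-rotated-out', exp: Time.now.to_i - 3600)
  puts authenticate(fresh).inspect
  puts authenticate(stale).inspect
end
```

Returning 401 rather than a generic 500 matters because the client SDK only refreshes the ID token on an authentication failure; mapping any other verification exception (bad signature, wrong issuer) to a 4xx response without leaking the reason is the same idea applied more broadly.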

I've added explanations about this on the README. Thank you, folks!