Search code examples

Cloud Endpoints + Firebase Admin SDK: authenticating users via their FirebaseUser tokens

I have build a mobile backend for my android application using google cloud endpoints (version 1, using android studio). I wish to authenticate my users via email/password, so I am using Firebase Authentication to do so. The Firebase Authentication sdk allows me to get each user's token on the client side (in android), and the firebase admin sdk allows me to check the validity of a token on the backend. I understand that in cloud endpoints I can provide my own custom authenticator (see: Google Cloud Endpoints and user's authentication), and I plan to call the firebase admin sdk within my custom authenticator to verify the user's presented token.

My problem is, since I am using google cloud endpoints to build my backend, I do not know where to insert the code to do the initialization of the firebase admin object that is required before I can verify any tokens. In a regular app engine environment, you would do this initialization in the init() method of the HTTPServlet (see ), but cloud endpoints hides this from you by automatically supplying a "SystemServiceServlet" as the HTTPServlet. I have tried subclassing the SystemServiceServlet and overriding the init() method, but then deployment of the endpoint to app engine fails since, apparently, creation of the android client libraries requires that there must be a SystemServiceServlet used (and it must be named "SystemServiceServlet").

I could do the initialization of the firebase admin app in each of the api methods that cloud endpoints provides (e.g., in the insert method of my api), but this seems like it would be extremely inefficient. How would I go about using the Firebase admin sdk in a backend built using google cloud endpoints?

Thanks very much for your time


  • Since I couldn't find an appropriate place to initialize the Firebase admin code within Cloud Endpoints I wrote my own server-side Java code to verify a Firebase token as per

    Here is a helper class you can use to validate a user's Firebase token and get their Firebase user uid (this code uses the jose.4.j library from to do JWT manipulation):

    public class TokenManager {
        private final static String PROJECT_ID = "your_firebase_project_id";
        private final static String AUDIENCE = PROJECT_ID;
        private final static String ISSUER = "" + PROJECT_ID;
        private final static String KEYS_URL = "";
         * Parses and verifies a FirebaseUser ID token (JWT) and returns the associated user's uid
         * @param token the firebase user's token
         * @return the firebase user UID
         * @throws UnauthorizedException if the token is invalid.
        public static String verfiyToken(String token) throws UnauthorizedException{
            JwtConsumer firstPassJwtConsumer = new JwtConsumerBuilder()
            //The first JwtConsumer is basically just used to parse the JWT into a JwtContext object.
            JwtContext jwtContext;
            try {
                jwtContext = firstPassJwtConsumer.process(token);
            } catch (InvalidJwtException e) {
                throw new UnauthorizedException(e.getMessage());
            // get the key id from the header of the JWT
            List<JsonWebStructure> list = jwtContext.getJoseObjects();
            String kid = list.get(0).getKeyIdHeaderValue();
            String keyAsString;
            try {
                keyAsString = getPublicKey(kid);
            } catch (IOException e) {
                throw new UnauthorizedException(e.getMessage());
            // decode the key into proper format
            InputStream certIs = new ByteArrayInputStream(Charset.forName("UTF-8").encode(keyAsString).array());
            CertificateFactory certificateFactory;
            try {
                certificateFactory = CertificateFactory.getInstance("X.509");
            } catch (CertificateException e) {
                throw new UnauthorizedException(e.getMessage());
            X509Certificate cert;
            try {
                cert = (X509Certificate) certificateFactory.generateCertificate(certIs);
            } catch (CertificateException e) {
                throw new UnauthorizedException(e.getMessage());
            PublicKey key = cert.getPublicKey();
            // now that we have the public key, we can verify the JWT
            JwtConsumer jwtConsumer = new JwtConsumerBuilder()
                    .setRequireExpirationTime() // the JWT must have an expiration time
                    .setMaxFutureValidityInMinutes(300) // but the  expiration time can't be too crazy
                    .setAllowedClockSkewInSeconds(30) // allow some leeway in validating time based claims to account for clock skew
                    .setRequireSubject() // the JWT must have a subject claim
                    .setExpectedIssuer(ISSUER) // whom the JWT needs to have been issued by
                    .setExpectedAudience(AUDIENCE) // to whom the JWT is intended for
                    .setVerificationKey(key) // verify the signature with the public key
                    .build(); // create the JwtConsumer instance
            JwtClaims jwtClaims;
            try {
                //  Validate the JWT and process it to the Claims
                jwtClaims = jwtConsumer.processToClaims(token);
            } catch (InvalidJwtException e)  {
                throw new UnauthorizedException(e.getMessage());
            String userUid;
            try {
                userUid = jwtClaims.getSubject();
            } catch(MalformedClaimException e) {
                throw new UnauthorizedException(e.getMessage());
            return userUid;
         * Grab the certificate corresponding to the keyid specified in the JWT
         * @param kid key id corresponding to one of the public keys listed at public keys listed at
         * @return the certificate
         * @throws IOException if the process fails
        private static String getPublicKey(String kid) throws IOException {
            URL url = new URL(KEYS_URL);
            HttpURLConnection request = (HttpURLConnection) url.openConnection();
            JsonParser jp = new JsonParser(); //from gson
            JsonElement root = jp.parse(new InputStreamReader((InputStream) request.getContent()));
            JsonObject rootobj = root.getAsJsonObject();
            String publicKey = rootobj.get(kid).getAsString();
            return publicKey;