Firebase: Error decoding custom claims on client after Facebook login

Question

I have the logic shown in "Access custom claims on the client" in my web app, with the same implementation of b64DecodeUnicode as documented here.

After a Google or Email login the custom claims in an ID Token can be base64 decoded, and I can log to the console the resulting json.

{"iss":"https://securetoken.google.com/my-app","name":"Joe Bloggs","picture":"https://lh3.googleusercontent.com/-XdUIqdMkCWA/AAAAAAAAAAI/AAAAAAAAAAA/4252rscbv5M/photo.jpg","aud": ... etc.

However after a Facebook login I see the error:

Failed to execute 'atob' on 'Window': The string to be decoded is not correctly encoded.

Indeed when I manually take the 2nd part of the ID token and try to base64 decode it, it appears to be corrupted after the ? in the picture value (url).

The decoded string contains something like:

https://lookaside.facebook.com/platform/profilepic/\YLLMML͌L

But would expect the string to contain:

https://lookaside.facebook.com/platform/profilepic/?asid=

At the time of writing I'm using the latest firebase (4.12.1) and firebaseui (2.7.0) packages.

Is this a bug in Firebase, i.e. has the ID Token been incorrectly encoded? Or is my approach to decoding it at fault? Thanks in advance!

Answer 1

Seems like this is a Firebase documentation issue. When using jwt-decode to decode the token things work fine. Digging into the jwt-decode source code, the line:

var output = str.replace(/-/g, "+").replace(/_/g, "/");

is what fixes things in this case (the token in question has an '_').