firebase firebase-authentication firebase-admin hasura

How to verify a custom token?


I am using Firebase Auth and Functions for my project. My database API is with a different provider. I need to make some calls to my database from functions as "admin". My server is set up to verify Firebase's JWT tokens via the following config (custom verification, can't use Firebase Admin):

{
   "type":"RS256",
   "jwk_url":"https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com",
   "audience":"<firebase-project-id>",
   "issuer":"https://securetoken.google.com/<firebase-project-id>"
}

This verifies ID tokens correctly, but fails to parse custom tokens created by admin.auth().createCustomToken, with the following error:

Could not verify JWT: JWSError JWSInvalidSignature

Hence I can't use custom tokens to authenticate my cloud functions unless I can verify them somehow?

This is how my function token is generated:

  const uid = "function-worker";
  const claims = {
    "https://hasura.io/jwt/claims": {
      "x-hasura-default-role": "function",
      "x-hasura-allowed-roles": ["function"],
      "x-hasura-user-id": uid,
    },
  };
  const jwt = await admin.auth().createCustomToken(uid, claims);

The generated JWT is then sent to my Hasura server as per https://github.com/hasura/graphql-engine/tree/master/community/sample-apps/firebase-jwt

Following the guide above works for ID tokens, but not for custom tokens. A more detailed explanation of how the Hasura server handles JWT verification can be found here: https://github.com/hasura/graphql-engine/blob/dcab20a5ee388ebd754a7828de1309a3a2e0eaee/docs/graphql/manual/auth/authentication/jwt.rst#generating-jwt-config


Solution

  • You can use the Firebase REST API to generate an id token, server side. https://firebase.google.com/docs/reference/rest/auth
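
An added example, not part of the original question or answer: a custom token is signed with the project's service-account key and carries the Identity Toolkit audience, so the securetoken JWKs in the config above cannot validate it; exchanging it through the REST API's accounts:signInWithCustomToken endpoint returns an ID token that the config accepts. The function names, the injectable `fetchImpl` parameter and the sample tokens are assumptions made for this sketch.

```javascript
// Added example (not from the original post). Constructed values are marked.
const ID_TOKEN_ISS_PREFIX = "https://securetoken.google.com/";
const CUSTOM_TOKEN_AUD =
  "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit";

// Decode the JWT payload WITHOUT verifying it: for diagnosis only, never for authorization.
function decodePayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Tell which kind of Firebase token this is from its iss/aud claims.
function classifyFirebaseJwt(jwt, projectId) {
  const { iss, aud } = decodePayload(jwt);
  if (iss === ID_TOKEN_ISS_PREFIX + projectId && aud === projectId) return "id-token";
  if (aud === CUSTOM_TOKEN_AUD) return "custom-token";
  return "unknown";
}

// Exchange a custom token for an ID token via accounts:signInWithCustomToken.
// apiKey is the project's Web API key; fetchImpl is injectable so this can be tested offline.
async function exchangeCustomToken(customToken, apiKey, fetchImpl = globalThis.fetch) {
  const url =
    "https://identitytoolkit.googleapis.com/v1/accounts:signInWithCustomToken?key=" +
    encodeURIComponent(apiKey);
  const res = await fetchImpl(url, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ token: customToken, returnSecureToken: true }),
  });
  const body = await res.json();
  if (!res.ok) throw new Error("exchange failed: " + (body.error?.message ?? res.status));
  // Send idToken to the API as the bearer token; refresh before expiresInSeconds elapses.
  return { idToken: body.idToken, expiresInSeconds: Number(body.expiresIn) };
}

// Constructed sample: a token with a dummy signature and the given claims.
function makeSampleJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return enc({ alg: "RS256", typ: "JWT" }) + "." + enc(payload) + ".c2ln";
}
```

Running `classifyFirebaseJwt` on the token that triggers `JWSInvalidSignature` shows whether the wrong token type is being sent before any verifier settings are changed.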