
Best approach for dealing with expired Firebase tokens on Tapkey


I am authenticating my users with Firebase, and using the token exchange API to retrieve a Tapkey token.

The issue I am having is that the Firebase certificate to authenticate the token expires regularly, as explained on the Firebase website:

Finally, ensure that the ID token was signed by the private key corresponding to the token's kid claim. Grab the public key from https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com and use a JWT library to verify the signature. Use the value of max-age in the Cache-Control header of the response from that endpoint to know when to refresh the public keys.

The max age for the current Firebase certificates is 22963 seconds (as I am writing this, just over 6 hours) and the process to upload a new public key to Tapkey is a manual one.

I'm considering writing a script to download a new certificate when the old one expires, and extract the public key. Does Tapkey have an API endpoint I could use to post my updated public key to, or is there another approach I can take here?

Thanks


Solution

  • Currently there is no public API for updating a public key, but Tapkey is able to use a Firebase OIDC discovery document URL instead of public keys. If configured, Tapkey would automatically handle such key rollovers.

    Firebase discovery document URLs usually look like https://securetoken.google.com/[firebase-project-id]/.well-known/openid-configuration.

    However, this feature is not publicly available at this time. Send a request for activating the feature to Tapkey Support and they will enable it for you.
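
Added example, not part of the original answer and not Tapkey's or Firebase's code: a Python key cache showing how a verifier that follows the discovery document can handle key rollover by itself, using the Cache-Control max-age mentioned in the question and refetching when a token carries an unknown kid. The class and function names, the project id, the JWKS URL and the key ids are assumptions made for the example; the HTTP fetch is injected so it runs offline, and signature verification is left to a JWT library.

```python
import json
import re
import time

def parse_max_age(cache_control, default=0):
    """Return max-age (seconds) from a Cache-Control header, or default."""
    m = re.search(r"\bmax-age\s*=\s*(\d+)", cache_control or "", re.I)
    return int(m.group(1)) if m else default

class RolloverKeyCache:
    """Caches signing keys found via an OIDC discovery document; fetch(url) -> (headers, body)."""
    def __init__(self, discovery_url, fetch, clock=time.time, min_refetch=60):
        self.discovery_url, self.fetch, self.clock = discovery_url, fetch, clock
        self.min_refetch = min_refetch  # throttle for refetches caused by unknown kids
        self.keys, self.expires_at, self.fetched_at = {}, 0.0, None

    def _refresh(self):
        _, body = self.fetch(self.discovery_url)
        jwks_uri = json.loads(body)["jwks_uri"]  # standard OIDC discovery field
        headers, body = self.fetch(jwks_uri)
        self.keys = {k["kid"]: k for k in json.loads(body)["keys"]}
        self.fetched_at = self.clock()
        self.expires_at = self.fetched_at + parse_max_age(headers.get("Cache-Control"))

    def get(self, kid):
        now = self.clock()
        expired = now >= self.expires_at
        # An unknown kid may mean the issuer rolled keys early: refetch, but at most
        # once per min_refetch seconds so bogus kids cannot force constant fetches.
        unknown = kid not in self.keys and (
            self.fetched_at is None or now - self.fetched_at >= self.min_refetch)
        if expired or unknown:
            self._refresh()
        return self.keys.get(kid)  # None means: reject the token

# Constructed sample responses (hypothetical project id, JWKS URL and key ids).
DISCOVERY = "https://securetoken.google.com/example-project/.well-known/openid-configuration"
JWKS = "https://keys.example.test/jwks"

def make_fake_fetch(state):
    def fetch(url):
        state["calls"] += 1
        if url == DISCOVERY:
            return {}, json.dumps({"issuer": DISCOVERY.split("/.well")[0], "jwks_uri": JWKS})
        return ({"Cache-Control": "public, max-age=22963, must-revalidate"},
                json.dumps({"keys": [{"kid": k, "kty": "RSA"} for k in state["kids"]]}))
    return fetch
```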