Apps Script Verify Firebase ID tokens using a third-party JWT library

Firebase ID tokens on clients

When a user or device successfully signs in, Firebase creates a corresponding ID token that uniquely identifies them and grants them access to several resources, such as Firebase Realtime Database and Cloud Storage. You can re-use that ID token to identify the user or device on your custom backend server. To retrieve the ID token from the client, make sure the user is signed in and then get the ID token from the signed-in user.

(Reference: https://firebase.google.com/docs/auth/admin/verify-id-tokens )

Firebase ID token example

The following is an example of Firebase Id Token (JWT)  that has been pasted to jwt.io and got itself decoded by jwt.io

How to verify using jwt.io? 

Read here: https://programming-steps.blogspot.com/2017/04/how-to-verify-firebase-id-tokens-using.html

Verifying Firebase ID using Google Apps Script with jsrsasign JWT Library

/* ********* 1) If your Firebase client app communicates with a custom backend server, you might need to identify the currently signed-in user on that server. 2) To do so securely, after a successful sign-in, send the user's ID token to your server using HTTPS. 3) Then, on the server, verify the integrity and authenticity of the ID token and retrieve the uid from it. 4) You can use the uid transmitted in this way to securely identify the currently signed-in user on your server. ********* */ /**********/ /* ... after a successful sign-in, send the user's ID token to your server using HTTPS ... /* Example JS codes to get Id Token */ /* refer https://firebase.google.com/docs/auth/admin/verify-id-tokens */ /* firebase.auth().currentUser.getIdToken(true).then(function(idToken) { //call this script var data = null; var xhr = new XMLHttpRequest(); xhr.withCredentials = true; xhr.addEventListener("readystatechange", function () { if (this.readyState === 4) { console.log(this.responseText); } }); xhr.open("GET", "https://script.google.com/macros/s/<this app script id>/exec?cmd=vfyidtoken&idtoken=<firebase id token>"); xhr.send(data); }).catch(function(error) { }); */ /**********/ /* jsrasign jwt library */ /* refer https://kjur.github.io/jsrsasign/ */ var navigator = {}; var window = {}; eval(UrlFetchApp.fetch('https://kjur.github.io/jsrsasign/jsrsasign-latest-all-min.js').getContentText()); /**********/ /* ... on the server, verify the integrity and authenticity of the ID token and retrieve the uid from it ... /* verify id token */ function verifyToken(strToken){ /* strToken comes from Firebase Token after successful login*/ //strToken='eyJhbGciOiJSUzI1NiIsImtpZCI6IjE1ZTU4OWU1NGFiOGNlZWE1ZjNhMTJkZmU5YWY0NGExYWJlZjgyZTcifQ.eyJpc3MiOiJodHRwczovL3NlY3VyZXRva2VuLmdvb2dsZS5jb20vbXlwcm9qZWN0MS1kM2I0ZCIsImF1ZCI6Im15cHJvamVjdDEtZDNiNGQiLCJhdXRoX3RpbWUiOjE1MTYyNTU5NjksInVzZXJfaWQiOiJJenNmWVpFOWk4U3dUNXNwUUtTT2liSzU1d20xIiwic3ViIjoiSXpzZllaRTlpOFN3VDVzcFFLU09pYks1NXdtMSIsImlhdCI6MTUxNjI1NTk2OSwiZXhwIjoxNTE2MjU5NTY5LCJlbWFpbCI6ImVlQGUuY29tIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJmaXJlYmFzZSI6eyJpZGVudGl0aWVzIjp7ImVtYWlsIjpbImVlQGUuY29tIl19LCJzaWduX2luX3Byb3ZpZGVyIjoicGFzc3dvcmQifX0.kzJ0gWhYmP3PfZ03IesFhaAGvnWK0d9W2C_SFZl_KKfbwTVeU0SZHbLWjMF6XJchVbBVmXin96WLaFAmCqY3MvGSx9xnh9l1rTswUoSd3491TpVR0yhwbRz2NYtIV9NzGz7v46MNuR_OBNxJWISk7L7rCNsORd496c9ZhsfZHy_DXiyCEeiR2zq3xdHP12QJUw14Sm4jmwljj9TmTHVBR3WUDRU4H2RTKpGh8ZKGxov2T3yeKCWGEkNvG2XGmtlp22C7eDA9qBFqeqMzd3YiPCYBgOWgnLmvOJlItyGvnM_JMv3sPDjERg2lSx-qDybFyVFdu67YJpkXe7WjWYluyQ' var objPublickeys={} var strPublicKey=''; var isValid=false; objToken=KJUR.jws.JWS.parse(strToken); objHeader=JSON.parse(objToken.headerPP); //Logger.log(objHeader.kid); var response = UrlFetchApp.fetch("https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com"); if (response.getResponseCode() == 200) { objPublicKeys=JSON.parse(response.getContentText()); strPublicKey=objPublicKeys[objHeader.kid]; // strPublicKey=objPublicKeys['15e589e54ab8ceea5f3a12dfe9af44a1abef82e7']; //Logger.log(strPublicKey); isValid=KJUR.jws.JWS.verify(strToken, strPublicKey, ['RS256']); //Logger.log(isValid) } return isValid } /**********/ /* test verify id token */ function testVerifyToken(){ verifyToken("eyJhbGciOiJSUzI1NiIsImtpZCI6ImZmNTRmZjM0MTFiZmMwMDJiYTBjZDAwNzA2YmEzYmM4NTBiZWIwMmIifQ.eyJpc3MiOiJodHRwczovL3NlY3VyZXRva2VuLmdvb2dsZS5jb20vbm90YXJhemlwcm9qZWN0IiwiYXVkIjoibm90YXJhemlwcm9qZWN0IiwiYXV0aF90aW1lIjoxNTMzOTc3Njc0LCJ1c2VyX2lkIjoiNEI3b3dodXFIRWhFZWh0am5CM2hOOEtOMnBvMSIsInN1YiI6IjRCN293aHVxSEVoRWVodGpuQjNoTjhLTjJwbzEiLCJpYXQiOjE1MzQwNDc0ODAsImV4cCI6MTUzNDA1MTA4MCwiZW1haWwiOiJhQGEuY29tIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJmaXJlYmFzZSI6eyJpZGVudGl0aWVzIjp7ImVtYWlsIjpbImFAYS5jb20iXX0sInNpZ25faW5fcHJvdmlkZXIiOiJwYXNzd29yZCJ9fQ.esFjSlmpiymMfN9PunkDS18H2RHArosIs3PbmnSAQ2boPyEkSNgJY1W2jf_0YarWB9YJ8p9oq9MFia4HPA2-v-o25BrtJYCx_B7yh9FH22OhpYAl0NImXYkHjknLv8ldJk4t7ScsSMXkwj0K-i4-_in8795ufPeVxQ3kGexHss3BaW6aI8_FqnCJ3J4mTicFx1q6fsrJKqlo9Ka73kmr0Yc8-o8A56J9IpsyM6sqZXTbiPcvPlromInjrYmnSpVVVcMt3X0lRYUIxw4UTMHRme4rrFdjqoX_mdHj6Vm95fSwtXOHxQAZT22PpP2QCX-pe3ji07NMqiklUUtNafPpOA") } /**********/ /* web request listeners */ function doGet(e) { return handleResponse(e); } function doPost(e) { return handleResponse(e); } /**********/ /* handle web request */ function handleResponse(e) { var lock = LockService.getPublicLock(); lock.waitLock(30000); // wait 30 seconds before conceding defeat. try { var cmd = e.parameter.cmd; var output = ""; if (cmd == "vfyidtoken") { output = taskManager("vfyidtoken", e); } return ContentService.createTextOutput(JSON.stringify({ "result": "success", "content": output })).setMimeType(ContentService.MimeType.JSON); //return output } catch (e) { /*if error return this*/ return ContentService.createTextOutput(JSON.stringify({ "result": "error", "error": e })).setMimeType(ContentService.MimeType.JSON); } finally { /*release lock*/ lock.releaseLock(); } } /**********/ /* handle cmd request */ function taskManager(cmd, e) { switch (cmd) { case "vfyidtoken": var validToken=false var strIdToken = e.parameter["idtoken"] || ""; if(strIdToken!=""){ validToken=verifyToken(strIdToken) } return validToken; break; }/*switch*/ }

201704, 20170423, JWT, FIREBASE