4

I'm trying to validate a JWT issued by the Firebase Auth emulator. The following code snippet is working fine for production apps, but I can't figure out how to modify it so it also works with the Firebase Auth emulator.

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(options =>
{
    options.Authority = "https://securetoken.google.com/<project id>";
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidIssuer = "https://securetoken.google.com/<project id>",
        ValidateAudience = true,
        ValidAudience = "<project id>",
        ValidateLifetime = true
    };
});

I tried the following options:

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(options =>
{
    options.RequireHttpsMetadata = false;
    options.Authority = "http://localhost:9099";
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidIssuer = "[email protected]",
        ValidateAudience = true,
        ValidAudience = "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit",
        ValidateLifetime = true,
    };
});

But I keep running into the following error:

Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[3]
[dotnet-start]       Exception occurred while processing message.
[dotnet-start]       System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'System.String'.
[dotnet-start]        ---> System.IO.IOException: IDX20807: Unable to retrieve document from: 'System.String'. HttpResponseMessage: 'System.Net.Http.HttpResponseMessage', HttpResponseMessage.Content: 'System.String'.
[dotnet-start]          at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
[dotnet-start]          at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.GetAsync(String address, IDocumentRetriever retriever, CancellationToken cancel)
[dotnet-start]          at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)

I believe that the issuer and audience options are correct but I can't find the correct value for the authority option. Does anyone know the correct options to make this work with the Firebase Auth emulator?

2
  • I disabled the validation on debug builds as a workaround Commented Aug 31, 2021 at 13:34
  • For me, I made two separate Firebase projects, one points to prod and one points to dev. Commented Oct 4, 2021 at 15:40

2 Answers

4

I too tried various combinations of settings resulting in both the OP's error and just plain ol' HTTP-401's.

For me, it turns out the trick was realizing that the Firebase emulator doesn't sign the token (and sets the alg header value to none). This means I just needed to set TokenValidationParameters.RequireSignedTokens to false, after which it worked.

The following code is what I ended up with (using a flag in my settings to control the use of the emulator):

services.AddAuthorization()
        .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddJwtBearer(options => {
            options.Authority = _AuthenticationSettings.Authority;  // Set to "https://securetoken.google.com/demo-project/"
            options.Audience = _AuthenticationSettings.Audience;    // Set to "demo-project"

            var validationParams = options.TokenValidationParameters;
            validationParams.ValidIssuer = options.Authority;
            validationParams.ValidateIssuer = true;

            // The Auth emulator issues unsigned tokens (alg "none"),
            // so signature validation is switched off only when the emulator flag is set.
            if (_AuthenticationSettings.UseEmulators) {
                validationParams.RequireSignedTokens = false;
            }
        });

As an aside, note that prefixing the project name with "demo-" tells the Firebase SDK that it is a local, emulated project and removes the need to create a project within your Firebase console (great for avoiding conflicts between developer-specific test data).


1 Comment

Also, if you are wanting to access the emulator running locally on your computer using FirebaseAuth, make sure you set this environment variable. Environment.SetEnvironmentVariable("FIREBASE_AUTH_EMULATOR_HOST", "127.0.0.1:9099");
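
Because RequireSignedTokens = false makes the API accept any token with alg "none", the emulator flag is worth guarding at startup. The following is an added example, not code from either answer: the helper name AddFirebaseJwt and the configuration keys Firebase:ProjectId and Firebase:UseEmulators are hypothetical, and requiring a "demo-" project id in emulator mode is a design choice made here, not a Firebase requirement.

```csharp
using System;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public static class FirebaseAuthSetup
{
    // Hypothetical helper and config keys; not part of Firebase or ASP.NET Core.
    public static IServiceCollection AddFirebaseJwt(
        this IServiceCollection services, IConfiguration config, IHostEnvironment env)
    {
        string projectId = config["Firebase:ProjectId"]
            ?? throw new InvalidOperationException("Firebase:ProjectId is not configured.");
        bool useEmulator = config.GetValue<bool>("Firebase:UseEmulators");

        // Fail at startup rather than silently accepting unsigned tokens
        // in an environment that serves real users.
        if (useEmulator && !env.IsDevelopment())
            throw new InvalidOperationException(
                "Firebase:UseEmulators is only allowed in the Development environment.");

        // Design choice: unsigned tokens are only ever accepted for an issuer and
        // audience that cannot belong to a real Firebase project.
        if (useEmulator && !projectId.StartsWith("demo-", StringComparison.Ordinal))
            throw new InvalidOperationException("Emulator mode requires a 'demo-' project id.");

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = $"https://securetoken.google.com/{projectId}";
                options.Audience = projectId;

                var p = options.TokenValidationParameters;
                p.ValidateIssuer = true;
                p.ValidIssuer = options.Authority;
                p.ValidateAudience = true;
                p.ValidateLifetime = true;

                // Emulator tokens carry alg "none"; in every other case the
                // default (RequireSignedTokens = true) stays in force.
                p.RequireSignedTokens = !useEmulator;
            });
        return services;
    }
}
```

With this in place a production deployment that inherits the emulator flag by mistake refuses to start instead of accepting unsigned tokens.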
0

I think I ran into a similar error as described here.

I solved it by following this implementation for the service configuration. Seems to be working now without problems.

Let me know if it works for you too, or you were able to solve it in some other way.
