
[FR] App Check custom token support

Open TomBAMU opened this issue 3 years ago • 6 comments

Is your feature request related to a problem? Please describe.
For now we have to use NodeJS in order to use App Check tooling for our non-commodity Android business hardware setup. We would prefer using Kotlin/Java since it fits in our Android + Spring Boot ecosystem. We are currently wrapping NodeJS code in a cloud function which is called by our backend service, which already uses the Firebase Admin SDK for Java. So it is a really unnecessary piece of infrastructure we want to get rid of as soon as possible.

Describe the solution you'd like
So far only the NodeJS Admin SDK supports implementing a custom token provider. We would appreciate that this functionality is present also in the Java Admin SDK.

Looking forward to using custom token provisioning in Java. Thank you.

TomBAMU, Mar 10 '22 11:03

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

google-oss-bot, Mar 10 '22 11:03

Hi @TomBAMU, thank you for the feature request! Adding App Check API support to the Java SDK is something we plan to work on this year. We are still at the initial planning stage and I am unable to promise a release timeline at this time. We will use this issue to keep track of any updates.

To better understand your use case, are you specifically interested in creating new app check tokens (custom attestation flow) or verifying the tokens in your Java backend?

lahirumaramba, Mar 10 '22 19:03

Hi @lahirumaramba, the main functionality in our use case is the creation of new App Check tokens. We want additional security on our Firestore instance. This feature fits our needs, and if the feature proves resilient in production we have additional use cases which enable us to enrich security with additional verification of tokens in other Java/Kotlin backends.

Looking forward to your timeline updates.

TomBAMU, Mar 14 '22 11:03

Any progress on this yet?

tjarvstrand, Jan 19 '23 16:01

FWIW I managed to do this myself fairly easily using plain Java libraries, inspired by https://medium.com/trabe/validate-jwt-tokens-using-jwks-in-java-214f7014b5cf

This is in Scala/ZIO, but it should be trivial to rewrite it in Java:

import com.auth0.jwk.UrlJwkProvider
import com.auth0.jwt.JWT
import com.auth0.jwt.algorithms.Algorithm
import com.auth0.jwt.exceptions.SignatureVerificationException
import java.net.URL
import java.security.interfaces.RSAPublicKey
import zio.{Task, ZIO}

private val url = "https://firebaseappcheck.googleapis.com/v1beta/jwks"

// Signature check only: fetches the JWK named by the token's kid header and verifies RS256.
private def verify(token: String): Task[Boolean] = ZIO.attempt {
  val jwt = JWT.decode(token)
  val provider = new UrlJwkProvider(new URL(url))
  val jwk = provider.get(jwt.getKeyId)
  // Verify-only algorithm: public key for verification, no private key needed.
  val algorithm = Algorithm.RSA256(jwk.getPublicKey.asInstanceOf[RSAPublicKey], null)
  try {
    algorithm.verify(jwt)
    true
  } catch {
    case _: SignatureVerificationException => false
  }
}

tjarvstrand, Jan 19 '23 18:01

Thank you for your patience, everyone; we are still working on this, and we will let you know when this becomes available.

In the meantime, please take a look at our blog post on the recommended Firebase App Check token validation procedure. Specifically, you are not done after the signature validation. It is critical that you validate the aud and exp claims. Failing to validate the aud claim means that tokens from anyone's project can be used to access your backend, since they are also validly signed tokens, and would pass a simple signature check. We strongly recommend going through all 7 steps (step 8 being optional) outlined in the blog article to ensure that you are securely validating Firebase App Check tokens.

Please note that our stable channel, v1, is also available. You can use https://firebaseappcheck.googleapis.com/v1/jwks (instead of v1beta) to retrieve the public JWK set.

weixifan, Jan 26 '23 00:01
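As an added example (not code from this thread or from the Firebase Admin SDK), the validation weixifan describes, built on the same auth0 java-jwt and jwks-rsa libraries the Scala snippet above uses: the signature is checked against the v1 JWKS, and the token is rejected unless its typ header, iss, aud and exp claims also check out. The issuer prefix and the projects/<project number> audience form are assumptions taken from the App Check documentation rather than from this thread, and the constructor takes the project number as an assumed input.

```java
import com.auth0.jwk.JwkException;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.JwkProviderBuilder;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.auth0.jwt.interfaces.RSAKeyProvider;
import java.net.URL;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Optional;
import java.util.concurrent.TimeUnit;

// Verifies App Check tokens: signature via the v1 JWKS, then typ, iss, aud and exp.
public final class AppCheckTokenVerifier {
    private static final String JWKS_URL = "https://firebaseappcheck.googleapis.com/v1/jwks";
    // Assumption (from Firebase docs, not this thread): iss is this prefix + project number.
    private static final String ISSUER_PREFIX = "https://firebaseappcheck.googleapis.com/";
    private final JWTVerifier verifier;

    public AppCheckTokenVerifier(String projectNumber) throws java.net.MalformedURLException {
        JwkProvider jwks = new JwkProviderBuilder(new URL(JWKS_URL)).cached(10, 24, TimeUnit.HOURS).build();
        RSAKeyProvider keys = new RSAKeyProvider() {
            @Override public RSAPublicKey getPublicKeyById(String kid) {
                try { return (RSAPublicKey) jwks.get(kid).getPublicKey(); }
                catch (JwkException e) { return null; } // unknown kid: signature check fails
            }
            @Override public RSAPrivateKey getPrivateKey() { return null; }
            @Override public String getPrivateKeyId() { return null; }
        };
        // RSA256 also rejects any token whose alg header is not RS256.
        this.verifier = JWT.require(Algorithm.RSA256(keys))
                .withIssuer(ISSUER_PREFIX + projectNumber)
                // Assumption (from Firebase docs): aud contains "projects/<project number>".
                .withAudience("projects/" + projectNumber)
                .withClaimPresence("exp") // java-jwt checks exp against now only when present
                .build();
    }

    // Returns the verified token, or empty when any check fails; the caller then rejects.
    public Optional<DecodedJWT> verify(String token) {
        try {
            DecodedJWT jwt = verifier.verify(token);
            return "JWT".equals(jwt.getType()) ? Optional.of(jwt) : Optional.empty();
        } catch (JWTVerificationException e) {
            return Optional.empty();
        }
    }
}
```

Checking the sub claim against the app IDs you actually registered is the remaining step from the blog post and depends on your project's app list, so it is left to the caller here.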