traefik-jwt-plugin

Validate Firebase Keys

Open PierreSnell opened this issue 1 year ago • 0 comments

From the Firebase documentation: https://firebase.google.com/docs/auth/admin/verify-id-tokens#verify_id_tokens_using_a_third-party_jwt_library

we would have to get the certificates from: https://www.googleapis.com/robot/v1/metadata/x509/[email protected]

to be able to validate the tokens.

However, when trying to plug it in with Kubernetes and the Traefik Helm chart (Traefik v3, plugin v0.7.1):

  • Unable (token validation failed) to use the certificates from the Google URL directly... I had to manually extract the public key from the certificate.
  • Unable (token validation failed) to use the Google link directly.
  • The keys are changing... so 1 has to be redone and redeployed, and 2 couldn't help :'(

Here is the config I'm using:

import * as k8s from '@pulumi/kubernetes'

// `provider` and `traefikNamespace` (a k8s.core.v1.Namespace) are defined earlier and not shown here.

// Traefik v3 from the official Helm chart, with the JWT plugin loaded through the experimental plugin mechanism.
const traefikHelmChart = new k8s.helm.v3.Chart('traefik',
    {
        chart: 'traefik',
        namespace: traefikNamespace.metadata.name,
        fetchOpts: { repo: 'https://traefik.github.io/charts' },
        values: {
            // ..., many other Traefik options elided
            experimental: {
                plugins: {
                    'traefik-jwt-plugin': {
                        moduleName: 'github.com/traefik-plugins/traefik-jwt-plugin',
                        version: 'v0.7.1'
                    }
                }
            }
        }
    },
    { provider: provider, dependsOn: traefikNamespace }
)

// Middleware that makes the plugin validate Firebase ID tokens.
const traefikFirebaseTokenValidator = new k8s.apiextensions.CustomResource('traefik-firebase-token-validator',
    {
        apiVersion: 'traefik.io/v1alpha1',
        kind: 'Middleware',
        metadata: { name: 'traefik-firebase-token-validator', namespace: traefikNamespace.metadata.name },
        spec: {
            plugin: {
                'traefik-jwt-plugin': {
                    JwtHeaders: { 'user_id': 'sub' }, // copy the token's sub claim into a user_id header
                    JwtQueryKey: 'jwtToken',
                    Keys: [
                        // THIS SHOULD WORK BUT IT DOES NOT
                        // 'https://www.googleapis.com/robot/v1/metadata/x509/[email protected]',

                        // THIS DOESN'T WORK EITHER
                        // '-----BEGIN CERTIFICATE-----\nMIIDHTCCAg... ... ... -----END CERTIFICATE-----\n',

                        // THIS WORKS BUT IT'S TOO MUCH MANUAL WORK AND REDEPLOYMENT
                        // Extracted (in Python) from the Google certificates (the public key is inside the certificate)
                        '-----BEGIN PUBLIC KEY-----\nMIIBIjANBgk.... ... ... ... -----END PUBLIC KEY-----\n',
                    ],
                    Alg: 'RS256',
                    PayloadFields: [ 'iss', 'aud', 'auth_time', 'user_id', 'sub', 'iat', 'exp', 'email', 'email_verified', 'firebase' ],
                    Required: 'true'
                }
            },
        }
    },
    { provider, dependsOn: [traefikHelmChart, traefikNamespace] }
)

Thanks in advance for any help. Have a great day :)

PierreSnell avatar May 06 '24 16:05 PierreSnell
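The two things the issue runs into, pulling a "PUBLIC KEY" PEM out of each Google certificate by hand and the key set rotating underneath a static config, are easiest to see in code that does the plugin's job end to end. The block below is an added example; it is not code from traefik-jwt-plugin or from the issue author. It assumes the x509 endpoint returns a JSON object mapping each key ID (kid) to a PEM certificate, as the Firebase documentation linked above describes, and it stands in a constructed self-signed certificate for Google's so the example runs offline; the function names (ParseCertJSON, PublicKeyPEM, VerifyRS256, MakeTestCert, SignRS256), the kid "kid-2024" and the subject "user-123" are this example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// ParseCertJSON turns the {"<kid>": "<cert PEM>"} document served by the x509 endpoint into a kid -> public key map.
func ParseCertJSON(body []byte) (map[string]crypto.PublicKey, error) {
	var certs map[string]string
	if err := json.Unmarshal(body, &certs); err != nil {
		return nil, err
	}
	keys := make(map[string]crypto.PublicKey, len(certs))
	for kid, certPEM := range certs {
		block, _ := pem.Decode([]byte(certPEM))
		if block == nil {
			return nil, fmt.Errorf("kid %s: not a PEM certificate", kid)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("kid %s: %w", kid, err)
		}
		keys[kid] = cert.PublicKey // the key the plugin needs is inside the certificate
	}
	return keys, nil
}

// PublicKeyPEM re-encodes a certificate's SubjectPublicKeyInfo as a "PUBLIC KEY" block, the form the issue found the plugin accepts.
func PublicKeyPEM(pub crypto.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for a key parsed out of a certificate
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}))
}

// VerifyRS256 checks a JWT against the kid-indexed key set: alg pinned to RS256, key chosen by kid, signature and exp enforced.
func VerifyRS256(token string, keys map[string]crypto.PublicKey) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	var hdr struct{ Alg, Kid string }
	if b, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(b, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("bad header or alg %q: only RS256 is accepted", hdr.Alg)
	}
	pub, ok := keys[hdr.Kid].(*rsa.PublicKey) // a rotated-in kid is only found if the map is fresh
	if !ok {
		return nil, fmt.Errorf("kid %q unknown or not RSA: the key set may need refreshing", hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature does not verify")
	}
	var claims map[string]any
	if b, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(b, &claims) != nil {
		return nil, fmt.Errorf("bad JWT payload")
	}
	if exp, ok := claims["exp"].(float64); !ok || time.Now().Unix() >= int64(exp) {
		return nil, fmt.Errorf("token expired or missing exp")
	}
	return claims, nil
}

// MakeTestCert is a constructed, self-signed stand-in for one of Google's signing certificates (fixture only, errors ignored).
func MakeTestCert() (*rsa.PrivateKey, string) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

// SignRS256 mints a token under kid, standing in for the Firebase issuer (fixture only, errors ignored).
func SignRS256(claims map[string]any, kid string, key *rsa.PrivateKey) string {
	seg := func(v any) string { b, _ := json.Marshal(v); return base64.RawURLEncoding.EncodeToString(b) }
	input := seg(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid}) + "." + seg(claims)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

func main() {
	key, certPEM := MakeTestCert()
	body, _ := json.Marshal(map[string]string{"kid-2024": certPEM}) // constructed endpoint body
	keys, _ := ParseCertJSON(body)
	fmt.Print(PublicKeyPEM(keys["kid-2024"])) // the value the issue ended up pasting into Keys by hand
	tok := SignRS256(map[string]any{"sub": "user-123", "exp": time.Now().Add(time.Hour).Unix()}, "kid-2024", key)
	claims, err := VerifyRS256(tok, keys)
	fmt.Println(claims["sub"], err)
}
```

Run it with `go run`; the printed PUBLIC KEY block is exactly what the issue's Python extraction produced. The point of VerifyRS256 is the kid lookup: when Google rotates and a token arrives under a kid that the map does not hold, verification fails with "unknown kid" rather than silently passing, which is what a middleware holding a single static PEM string cannot distinguish from a forged token. The fetch-and-parse step therefore has to live where the keys are checked (or be re-run and redeployed on every rotation, which is the manual loop the issue complains about).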