I added Firebase so that clients can authenticate directly from the client of the web application (browser). I am using firebase-web package and it works great. I see in my browser that I am getting a user object with user information, including idToken .
I need to then authenticate this user on my server, which is python django. In the Firebase docs, I found a practical guide for what I'm trying to do, namely check the id token .
Since they do not have a supported Firebase sdk for python, I need to use a third-party solution. I came in the python-jose package after I found it on jwt.io. An example looks simple enough:
jwt.decode(token, 'secret', algorithms=['RS256'])
This is my first time using JWT. I do not know what to use for 'secret' . I tried to insert my token as token and the web API key from the Firebase console for secret , but got this error:
jose.exceptions.JWKError: RSA key format not supported
I also tried the JWT debugger , which seems to read most of my id token correctly, but the signature check looks for public and / or private keys that, like 'secret' , elude me.
I really don't understand how to find this secret, and how to check the JWT identifier marker in general. Information about Firebase docs (third-party section):
Finally, make sure that the identifier token has been signed with the private key corresponding to the baby's requirement. Take the public key from https://www.googleapis.com/robot/v1/metadata/x509/ securetoken@system.gserviceaccount.com and use the JWT library to verify the signature. Use the max-age value in the Cache-Control header of the response from this endpoint to know when to update public keys.
I tried pasting all json blob from this googleapis URL into the JWT debugger, but I still get an "invalid signature" warning. I do not understand how to use this public key.
Should python-jose work for this approach? If so, what should I use for secrecy? If not, can someone point me in the right direction?
Thanks.