I'm trying to validate a JWT issued by the Firebase Auth emulator. The following code snippet is working fine for production apps, but I can't figure out how to modify it so it also works with the Firebase Auth emulator.
    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(options =>
    {
        options.Authority = "https://securetoken.google.com/<project id>";
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = "https://securetoken.google.com/<project id>",
            ValidateAudience = true,
            ValidAudience = "<project id>",
            ValidateLifetime = true
        };
    });
I tried the following options:
    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(options =>
    {
        options.RequireHttpsMetadata = false;
        options.Authority = "http://localhost:9099";
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = "[email protected]",
            ValidateAudience = true,
            ValidAudience = "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit",
            ValidateLifetime = true,
        };
    });
But I keep running into the following error:
    Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[3]
    [dotnet-start] Exception occurred while processing message.
    [dotnet-start] System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'System.String'.
    [dotnet-start] ---> System.IO.IOException: IDX20807: Unable to retrieve document from: 'System.String'. HttpResponseMessage: 'System.Net.Http.HttpResponseMessage', HttpResponseMessage.Content: 'System.String'.
    [dotnet-start]    at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
    [dotnet-start]    at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.GetAsync(String address, IDocumentRetriever retriever, CancellationToken cancel)
    [dotnet-start]    at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
I believe that the issuer and audience options are correct but I can't find the correct value for the authority option. Does anyone know the correct options to make this work with the Firebase Auth emulator?
I too tried various combinations of settings resulting in both the OP's error and just plain ol' HTTP-401's.
For me, it turns out the trick was realizing that the Firebase emulator doesn't sign the token (and sets the alg header value to none). This means I just needed to set TokenValidationParameters.RequireSignedTokens to false, after which it worked.
The following code is what I ended up with (using a flag in my settings to control the use of the emulator):
    services.AddAuthorization()
        .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddJwtBearer(options =>
        {
            options.Authority = _AuthenticationSettings.Authority; // Set to "https://securetoken.google.com/demo-project/"
            options.Audience = _AuthenticationSettings.Audience;   // Set to "demo-project"

            var validationParams = options.TokenValidationParameters;
            validationParams.ValidIssuer = options.Authority;
            validationParams.ValidateIssuer = true;

            // The emulator issues unsigned tokens (alg = none), so only relax
            // the signature requirement when the emulator flag is on.
            if (_AuthenticationSettings.UseEmulators)
            {
                validationParams.RequireSignedTokens = false;
            }
        });
As an aside, note that prefixing the project name with "demo-" tells the Firebase SDK that it is a local, emulated project and removes the need to create a project within your Firebase console (great for avoiding conflicts between developer-specific test data).
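Since RequireSignedTokens = false means the API will accept any token whose header says alg = none, it is worth making the emulator switch impossible to leave on by accident. The following is an added example (not code from the question or the answer above) showing one way to do that in a minimal ASP.NET Core host: the emulator relaxation is driven by a single configuration flag, and the host refuses to start if that flag is set while the environment is Production. The configuration keys Firebase:ProjectId and Firebase:UseEmulator are assumptions chosen for this example; the rest of the validation parameters are the same ones the question and answer use.

```csharp
// Added example, not from the original question or answer.
// Assumed configuration keys (hypothetical): "Firebase:ProjectId" and "Firebase:UseEmulator".
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.IdentityModel.Tokens;
using System;
using System.Security.Claims;

var builder = WebApplication.CreateBuilder(args);

// "demo-" project ids are local-only, as the answer above notes.
var projectId = builder.Configuration["Firebase:ProjectId"] ?? "demo-project";
var useEmulator = builder.Configuration.GetValue<bool>("Firebase:UseEmulator");

// Fail closed: an unsigned-token path must never be reachable in Production.
if (useEmulator && builder.Environment.IsProduction())
{
    throw new InvalidOperationException(
        "Firebase:UseEmulator is enabled in the Production environment; " +
        "this would make the API accept unsigned (alg=none) tokens.");
}

// Firebase ID tokens, emulated or not, carry this issuer and the project id as audience.
var issuer = $"https://securetoken.google.com/{projectId}";

builder.Services.AddAuthorization();
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // The OIDC metadata (and signing keys) are still fetched from Google;
        // the emulator itself does not serve a JWKS.
        options.Authority = issuer;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = issuer,
            ValidateAudience = true,
            ValidAudience = projectId,
            ValidateLifetime = true,
            // Production: a signature is mandatory and must verify against the fetched keys.
            // Emulator: tokens are unsigned (alg = none), so the signature requirement is dropped.
            RequireSignedTokens = !useEmulator,
        };
    });

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

// A protected endpoint that echoes the authenticated Firebase uid (the "sub" claim).
app.MapGet("/me", (ClaimsPrincipal user) =>
        Results.Ok(new { uid = user.FindFirstValue(ClaimTypes.NameIdentifier) ?? user.FindFirstValue("sub") }))
    .RequireAuthorization();

app.Run();
```

With this layout the only way to accept an unsigned token is to run with Firebase:UseEmulator=true (for instance via the environment variable Firebase__UseEmulator=true) in a non-Production environment; a deployment that inherits the flag by mistake fails at startup instead of silently trusting any token a client cares to mint.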