Tags: php, firebase, token, firebase-authentication

Firebase token verification in PHP


I have a backend in PHP for an Android client, and I'm using the email/password login provided by Firebase. I want to verify the token in the backend. I'm having some troubles that so far I could not fix. The first is a doubt: according to Firebase, the header will contain a kid that must match one of the public keys provided by them on this site: https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com

Well, I have done some tests and I figured out that this kid is not always the same, which means that it can be any of the public keys that should match the kid. I've tested this on the jwt.io website and all works fine, but then in the PHP code it does not work. How can I know which public key I should use if the kid is encoded and to decode it I need that public key?

The second trouble I'm having is that I'm using the firebase/php-jwt library, and I'm following the docs provided by them to decode the token, and it does not work. This is the code I'm using:

<?php
require '../vendor/autoload.php';
use \Firebase\JWT\JWT;

// ID token sent by the Android client
$jwt = "token from the android client";
// One of the X.509 certificates from the Google URL above, pasted by hand
$key = "-----BEGIN CERTIFICATE-----\nMIIDHDCCAgSgAwIBAgIIBhyg0WUm0qIwDQYJKoZIhvcNAQEFBQAwMTEvMC0GA1UE\nAxMmc2VjdXJldG9rZW4uc3lzdGVtLmdzZXJ2aWNlYWNjb3VudC5jb20wHhcNMTcw\nMjA3MDA0NTI2WhcNMTcwMjEwMDExNTI2WjAxMS8wLQYDVQQDEyZzZWN1cmV0b2tl\nbi5zeXN0ZW0uZ3NlcnZpY2VhY2NvdW50LmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD\nggEPADCCAQoCggEBANgrjKWwUlWeZukViyrrLS6nOWlgQnEahP/sRlVWCC2mkWdB\n9NXsE7L8ZY9uhGNBEC8KknzpeFSJFKBVfRW7onrReCuz2RPJ5tk/7ZP2naY3mLO8\nkU/aHlIYfvcmtJzlISABCLMg5RiUY1IhQDSj8kYKVTo2JhD/plZZ85xHHJ8BpHQv\nWbvtlAJ4WqG8NstOG+LoOMr8Ayi7xsPw4AyT6iHnXcFExzvVsHs/7UBkJKF4eX8L\nocbdfs8qb9T/Bua8mRUahVj9hHntoxG0TCOpV+frxBwHw+wZgig/FRod9u5FirMC\n9tjctwaf9b5pSHMhVhPTAuqg3xwMr/Wq76lCNTkCAwEAAaM4MDYwDAYDVR0TAQH/\nBAIwADAOBgNVHQ8BAf8EBAMCB4AwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwIwDQYJ\nKoZIhvcNAQEFBQADggEBABcOJ8zqu+RH9UXf90O2mRMY2CjiLWowIzOX2l+2aHfm\nd9QUM4EpS+E0UbmaOsiMSkxs4rWGppWPqC8Y4dypctXtzftWNMatPZyLni4zLT/t\nKDItjmaN9QrBo1XL+TUg7fw876C4G3xGldqTNgjrQwyQI1QhnNJHpbWqkjJkixX5\ndZ45E+UVoc1uw5VlbdN4/NUKQ4OOKyvHIn5dupNFOF1xrkQmEexE7NA5dENGP07j\no2XDfaOCDKiugV6vCIsQZo9BqTRJIC/3PZFfIyvxmwm5Vq9CInGX1DKS2ToasM5H\nnc5B3AxX3+6fosel/yQZaRfyy7o/FiVdj3gIF+MPe7s=\n-----END CERTIFICATE-----\n";
// Verify the signature with that certificate, allowing only RS256
$decoded = JWT::decode($jwt, $key, array('RS256'));
var_dump($decoded);
?>

This script is giving me some kind of error.

I would appreciate any help.


Solution

  • How can I know which public key I should use if the kid is encoded and to decode it I need that public key?

    The KID header is not encoded. It is a string value that represents an array key, which points to a valid public key. First, you have to get the public keys JSON from https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com. Then, decode it to an array and use your KID to get the proper public key.

    The second trouble I'm having is that I'm using the firebase/php-jwt library, and I'm following the docs provided by them to decode the token, and it does not work.

    What is the error you are getting? Are you using the correct algorithm? Try changing RS256 to HS256.
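The key-lookup step described in the answer, written out as an added example (not the asker's or the answerer's code): it fetches Google's kid-to-certificate JSON, picks the certificate named in the token's kid header, verifies the signature with RS256 (the algorithm Firebase signs ID tokens with), and then checks the aud, iss and sub claims that Firebase documents for ID tokens. It assumes firebase/php-jwt v5 with the three-argument JWT::decode the question uses, PHP 7 or later, and YOUR_PROJECT_ID as a placeholder for the real Firebase project id.

```php
<?php
// Added example, not the asker's or the answerer's code. Assumes
// firebase/php-jwt v5 (three-argument JWT::decode), PHP 7+, and that
// 'YOUR_PROJECT_ID' is replaced with the Firebase project id (placeholder).
require '../vendor/autoload.php';
use \Firebase\JWT\JWT;
const GOOGLE_CERTS_URL = 'https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com';

// Google publishes a JSON object mapping each kid to a PEM certificate.
// Cache it for the Cache-Control max-age of the response in production.
function fetchGoogleCerts(): array
{
    $json = file_get_contents(GOOGLE_CERTS_URL);
    $certs = $json === false ? null : json_decode($json, true);
    if (!is_array($certs)) {
        throw new RuntimeException('could not fetch Google public certificates');
    }
    return $certs;
}

// The kid lives in the (not yet verified) JOSE header: base64url-encoded JSON.
function jwtKid(string $jwt): string
{
    $parts = explode('.', $jwt);
    $header = count($parts) === 3
        ? json_decode(base64_decode(strtr($parts[0], '-_', '+/')), true) : null;
    if (!is_array($header) || empty($header['kid'])) {
        throw new UnexpectedValueException('malformed JWT or missing kid');
    }
    return $header['kid'];
}

// Verifies the RS256 signature with the matching certificate, then the
// Firebase-specific claims. php-jwt itself checks exp, nbf and iat.
function verifyFirebaseIdToken(string $jwt, string $projectId): stdClass
{
    $kid = jwtKid($jwt);
    $certs = fetchGoogleCerts();
    if (!isset($certs[$kid])) {
        throw new UnexpectedValueException("no Google certificate for kid $kid");
    }
    $payload = JWT::decode($jwt, $certs[$kid], array('RS256'));
    if (($payload->aud ?? null) !== $projectId
        || ($payload->iss ?? null) !== "https://securetoken.google.com/$projectId"
        || empty($payload->sub)) {
        throw new UnexpectedValueException('token not issued for this project');
    }
    return $payload;
}

$decoded = verifyFirebaseIdToken('token from the android client', 'YOUR_PROJECT_ID');
var_dump($decoded);  // $decoded->sub is the Firebase uid of the signed-in user
```

A token whose kid is not in the downloaded map (for example one signed after Google rotated its keys) is rejected rather than verified against a stale certificate, which is why the map should be re-fetched when its cache expires.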