Verify Firebase ID Token Using Fuel PHP

This is a simplistic approach to use a PHP Framework (Fuel PHP) instead of Plain PHP.

Frameworks often have better mechanisms to handle web requests. For example, you can easily create a RESTful server and test it using REST Client such as Postman (refer the above screenshot). Install Postman REST Client for Chrome here.

1) Create Fuel PHP Project and Add PHP-JWT Library to the project

If your hosting provider includes softaculous in their services, read this page to quickly create Fuel PHP Project on your web site, https://php-steps.blogspot.com/2018/10/install-fuelphp-via-softaculous.html .

2) Write the PHP script

filename: ./fuel/app/classes/controller/verifytoken.php

<?php header("Access-Control-Allow-Origin: *"); require 'phpjwt/JWT.php'; require 'phpjwt/SignatureInvalidException.php'; require 'phpjwt/ExpiredException.php'; use \Firebase\JWT\JWT; class Controller_VerifyToken extends Controller_Rest { // default format protected $format = 'json'; public function get_index() { $isVerified=false; $jwt=Input::get('token'); $tks = explode('.', $jwt); list($headb64, $bodyb64, $cryptob64) = $tks; try{ $header = \Firebase\JWT\JWT::jsonDecode(Firebase\JWT\JWT::urlsafeB64Decode($headb64)); $kid=$header->kid; }catch (Exception $e){ //die($e); $kid=""; } $strPublicKeys = file_get_contents("https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com"); $jsonPublicKeys = json_decode($strPublicKeys, true); if(isset($jsonPublicKeys[$kid])){ $publicKey = $jsonPublicKeys[$kid]; try{ $decoded = JWT::decode($jwt, $publicKey, array('RS256')); }catch (\Exception $e){ // die($e); $decoded =""; } }else{ $decoded =""; } if($decoded!=""){ $isVerified=true; } return $this->response(array( 'content' => $isVerified, )); } }

If you do not want to use PHP Framework, read this page to create Plain PHP script codes, https://php-steps.blogspot.com/2018/05/verify-firebase-id-token-using-plain.html .

Verify Firebase ID Token Using Plain PHP Script Codes

1) Add PHP-JWT Library to your PHP project.

Use composer, or add the library manually.

To use composer, follow the guide here, https://firebase-php.readthedocs.io/en/latest/overview.html.

To add the library manually, download the php-jwt library from https://php-download.com/ .

For example, if you want to download version 4, (https://php-download.com/downloads/download?vendor=firebase&package=php-jwt&version=4.0.0.0&downloadType=REQUIRE)

Alternatively, you can download php-jwt library from here, (https://drive.google.com/open?id=1IHUWJQTKEy1hjKLyIICJj0ITBXaDNTkI ).

Unzip the package, find the folder php-jwt and copy the folder to your project.

the php-jwt is added to the project folder phpjwtdecode

2) Write the PHP script

filename: phpjwtdecode.php

<html> <style> div{ width:400px; color:red; padding: 3px; word-break: break-all; word-wrap: break-word; } </style> <body> <?php require 'php-jwt/src/JWT.php'; require 'php-jwt/src/SignatureInvalidException.php'; require 'php-jwt/src/BeforeValidException.php'; require 'php-jwt/src/ExpiredException.php'; use \Firebase\JWT\JWT; function decode($jwt){ //echo "token:".$jwt; //echo "<br/>"; try{ $tks = explode('.', $jwt); list($headb64, $bodyb64, $cryptob64) = $tks; $header = \Firebase\JWT\JWT::jsonDecode(Firebase\JWT\JWT::urlsafeB64Decode($headb64)); $kid=$header->kid; }catch (Exception $e){ $kid=""; } $strPublicKeys = file_get_contents ("https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com"); $jsonPublicKeys = json_decode($strPublicKeys, true); if(isset($jsonPublicKeys[$kid])){ $publicKey = $jsonPublicKeys[$kid]; try{ $decoded = JWT::decode($jwt, $publicKey, array('RS256')); }catch (Exception $e){ // die($e); $decoded =""; } }else{ $decoded =""; } //var_dump($decoded); echo "<div> Your decoded token codes:<br/>"; echo json_encode($decoded); echo "</div> "; } ?> <?php if (isset($_GET["token"])){decode($_GET["token"]);}?> <hr/> <form action="phpjwtdecode.php" method="GET"> Enter your token: <br/> <textarea name="token" rows="20" cols="50"> <br/> <input type="submit"> </form> </body> </html>

3) Execute

FURTHER READING:
https://firebase-php.readthedocs.io/en/stable/authentication.html

How To Decode Firebase JSON Web Token (JWT) Online

jwt.io provides a page to help verify Firebase ID Token

Firebase ID tokens on clients

When a user or device successfully signs in, Firebase creates a corresponding ID token that uniquely identifies them and grants them access to several resources, such as Firebase Realtime Database and Cloud Storage. You can re-use that ID token to identify the user or device on your custom backend server. To retrieve the ID token from the client, make sure the user is signed in and then get the ID token from the signed-in user.

(Reference: https://firebase.google.com/docs/auth/admin/verify-id-tokens )

Firebase ID token example

The above screenshot shows an example of Firebase Id Token (JWT) decoded by jwt.io

How to verify using jwt.io?

1) Paste Firebase Id Token and get the kid value

2) Go to GoogleApis website and find the matching certificate value

(https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com)

3) Copy and paste the certificate value (in plain text without "\n") to jwt.io website

4) You shall get the Signature Verification Status. (it means the token is verified as a true message that comes from firebase)

NEXT: Verify Firebase ID Token Using Plain PHP Script Codes

FURTHER READING:
https://www.sitepoint.com/php-authorization-jwt-json-web-tokens/
https://www.quora.com/How-can-I-validate-the-JWT-token-in-PHP