Admin SDK Auth error, wrong error code - node.js

I'm using the Admin SDK, Auth feature.
When calling admin.auth().verifyIdToken(token) and the token is expired, I get the error
Firebase ID token has expired. Get a fresh token from your client app and try again. See https://firebase.google.com/docs/auth/admin/verify-id-tokens for details on how to retrieve an ID token.
with error code
auth/argument-error
First of all, should the error code not be "auth/user-token-expired"?
Second, the error code I received is not in the Admin Authentication API Errors.
I have a hard time handling all Firebase errors properly so I can reply with proper error messages to the consumers of my API.

Expired tokens and invalid signatures are reported with the AuthClientErrorCode.INVALID_ARGUMENT error code. It seems the value of this constant is defined as argument-error in source. This can be fixed in a future release (or alternatively update the documentation to reflect the correct value of the constant, and avoid a potentially breaking change).
There is no such error code as auth/user-token-expired in the Admin SDK. I suggest you report a feature request in the GitHub repo if that is important to you.
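An added example (not from the question, the answer, or firebase-admin) of handling this in an API: because an expired token and a bad signature both arrive as auth/argument-error, the classifier inspects the message text to tell them apart, returns a generic 401 to the API consumer and logs the detail server-side. `verify` is an injected function such as (t) => admin.auth().verifyIdToken(t), and the error objects used to exercise it are constructed.

```javascript
// Map the error firebase-admin's verifyIdToken() rejects with to an HTTP status
// and a client-safe message. Expired tokens and invalid signatures share the
// code auth/argument-error (see the answer above), so the message text is the
// only way to tell them apart. auth/id-token-revoked is the code the SDK uses
// for revoked tokens; later firebase-admin releases also emit
// auth/id-token-expired, which is handled here defensively.
const CLIENT_MESSAGES = {
  expired: 'ID token expired; sign in again to get a fresh token',
  invalid: 'ID token could not be verified',
  revoked: 'ID token revoked; sign in again',
  internal: 'Authentication service error',
};

// Returns { status, reason, clientMessage } for an error from verifyIdToken().
function classifyIdTokenError(err) {
  const code = (err && err.code) || '';
  const msg = (err && err.message) || '';
  let reason;
  if (code === 'auth/id-token-revoked') reason = 'revoked';
  else if (code === 'auth/id-token-expired') reason = 'expired';
  else if (code === 'auth/argument-error') reason = /has expired/i.test(msg) ? 'expired' : 'invalid';
  else reason = 'internal';                     // network, config, unknown: not the client's fault
  const status = reason === 'internal' ? 500 : 401;
  return { status, reason, clientMessage: CLIENT_MESSAGES[reason] };
}

// Express-style middleware factory. `verify` is injected (e.g. the
// admin.auth().verifyIdToken call) so the logic can be tested offline.
function requireIdToken(verify, log = console.error) {
  return async (req, res, next) => {
    const header = req.headers.authorization || '';
    const token = header.startsWith('Bearer ') ? header.slice(7) : '';
    if (!token) return res.status(401).json({ error: 'Missing bearer token' });
    try {
      req.user = await verify(token);           // decoded claims (uid, email, ...)
      return next();
    } catch (err) {
      const c = classifyIdTokenError(err);
      // Full detail stays in the server log; the client only sees the generic text.
      log(`verifyIdToken failed (${c.reason}): ${err.code} ${err.message}`);
      return res.status(c.status).json({ error: c.clientMessage });
    }
  };
}
```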

Firebase ID token has invalid signature
Hi all, I'm somehow new to NodeJS and I've only used Google Firebase a few times.
Now, I'm trying to verify an idToken generated using the getIdToken() method whenever a user signs up or signs in. The token generation works fine, but if I try to use this token to authorize a user with admin.auth().verifyIdToken(idToken) on another route, I get this error in Postman: Firebase ID token has invalid signature. I tried to verify the token on jwt.io as well, and it gave the error Invalid Signature.
I tried switching to different algorithms, and some eventually made the token valid on jwt.io, but there is usually a VERIFY SIGNATURE box at the bottom right and I don't really know what to fill in there. Well, I've tried copying different newly generated valid tokens from jwt.io after changing the algorithm, but I still get Firebase ID token has invalid signature from Postman.
Does anyone know what the problem may be? Please help.
The problem comes from the Firebase Emulator Auth. The Firebase-hosted Auth is unable to verify a JWT token generated by the Firebase Emulator Auth.
To verify the token manually on jwt.io, you need to grab one of the public keys from Google: https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com
To choose the correct key, find the one that corresponds to your kid from jwt.io.
Paste in the correct corresponding value and now your token should verify correctly (be sure to clear out any \n characters).
For easier programmatic verification, the "JWK URI" is https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com
Source: https://firebase.google.com/docs/auth/admin/verify-id-tokens
For some reason, the verifyIdToken function throws "Firebase ID token has invalid signature" every time for valid tokens when used with the Firebase Emulator locally. I fixed this problem by switching to Firebase-hosted auth instead of emulator auth (remove the auth property from firebase.json). Also, I reported the bug to Firebase.
I agree with Genius Hawlah's answer, the problem is the Firebase Emulator Auth. As a workaround I suggest starting the emulators without the Auth one using the --only flag, for example firebase emulators:start --only firestore,functions, and authenticating with a user you have in the production Authentication.
TL;DR: Prefer log from dart:developer over print and debugPrint.
I was not using the emulator...
I'm new to Firebase and have experienced this, and even upvoted GeniusHawlah's and Taras Mazurkevych's answers... But I couldn't find anything in the Firebase setup related to the emulator that I did.
So it happened that I was testing my Firebase app using a truncated JWT token, printed from Dart's debugPrint (which truncates output). I was successful using log from dart:developer!
I was enlightened by https://github.com/flutter/flutter/issues/22665#issuecomment-456858672.
I encountered a similar problem and figured out that my BE was pointing to the local emulator, but the FE was pointing to the remote Firebase Auth (because of a bug in the code, firebase.auth().useEmulator(...) wasn't called).
As you can see in the source code, the firebase-admin package behaves differently when there is an Auth emulator available. You can either not start it to begin with or make it undiscoverable by removing its address from process.env:
    delete process.env.FIREBASE_AUTH_EMULATOR_HOST
Source reference:
    public verifyIdToken(idToken: string, checkRevoked = false): Promise<DecodedIdToken> {
      const isEmulator = useEmulator();
      return this.idTokenVerifier.verifyJWT(idToken, isEmulator)
        .then((decodedIdToken: DecodedIdToken) => {
          // Whether to check if the token was revoked.
          if (checkRevoked || isEmulator) {
            return this.verifyDecodedJWTNotRevokedOrDisabled(
              decodedIdToken,
              AuthClientErrorCode.ID_TOKEN_REVOKED);
          }
          return decodedIdToken;
        });
    }
emragins' answer is great!
One thing which emragins wrote but which wasn't clear to me is that you need to copy the whole text between
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----\n
and apply replace("\n","").
The result of this operation you can paste into the jwt.io VERIFY SIGNATURE field.

Authorize.net Error when adding new paymentProfile - code: E00114, Invalid OTS Token

We're trying to add a new customerPaymentProfile for an existing customerProfile. We're patterning our code on the GitHub sample provided:
https://github.com/AuthorizeNet/sample-code-node/blob/master/CustomerProfiles/create-customer-payment-profile.js
The only difference is that we don't pass CC details to our servers. Instead, we pass opaqueData from the frontend. On initial customerProfile creation (with a single payment profile) it works, which is good. But if we try to add a new paymentProfile (using a new opaqueData) we get the error code: E00114, Invalid OTS Token.
The official documentation regarding the error code doesn't say much.
And it seems like there are a few different cases where it throws this error code:
Using Accept.js
https://community.developer.authorize.net/t5/Integration-and-Testing/E00114-Invalid-OTS-Token/td-p/58879
https://community.developer.authorize.net/t5/Integration-and-Testing/E00114-Invalid-OTS-Token/td-p/59314
Our Case(node.js SDK)
https://community.developer.authorize.net/t5/Integration-and-Testing/Error-while-adding-new-paymentProfile-quot-code-quot-quot-E00114/td-p/69872
Others
https://community.developer.authorize.net/t5/Integration-and-Testing/Intermittent-Invalid-OTS-Token-Errors-E00114/td-p/57509
https://community.developer.authorize.net/t5/Integration-and-Testing/E00114-Invalid-OTS-Token-error-generates-while-creating-ARB/td-p/68685
We also tried delaying the transaction by at least 7 seconds before using the opaqueData, to allow their systems to sync as suggested here, but received the same error message.
Has anyone ever encountered something like this before?
Any form of help would be highly appreciated.
We were doing something wrong: using trial and error (via the API) to determine whether a customer exists or not, hence hitting the API once or twice, resulting in an invalid token (error on the 2nd call).
So we tried to create a customerProfile with a customerPaymentProfile, and this will throw an error if the customerProfile already exists (if it's a duplicate email). What's good here is that the customerProfileId comes with the error payload.
We thought of using the customerProfileId from the error payload to create a new payment profile for the customer, giving us some edge by reducing one DB call on our system.
The issue with our strategy, though, is that the opaqueData will expire when we use it to create the customerProfile (with payment profile) even though the request failed.
So the resolution is to save customer info in our system, and check if it's a returning customer or not. If it is, then get the customerProfileId from the db, and create a new customerPaymentProfile on authorize.net.
One could also create the customerProfile first, w/o the customerPaymentProfile. If this transaction fails, then at least you haven't used the opaqueData yet and you get the customerProfileId w/o doing any query on your db. So when you try to create a new customerPaymentProfile, you won't get error code E00114 since the opaqueData isn't used yet.
Lessons learned the hard way for us, but hopefully it helps someone.
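The ordering the answer arrives at, as an added example (not code from the question or from the Authorize.net SDK): resolve the customerProfileId first without touching the one-time opaqueData, so a duplicate-profile failure never consumes it, and spend the token exactly once. `api` is a hypothetical thin wrapper around the SDK calls and `fakeApi` is a constructed stand-in that mimics the one-time nature of the token for offline testing.

```javascript
// api.createCustomerProfile({ email }) -> { customerProfileId }; on a duplicate it
// throws with err.customerProfileId set (mirroring the id in the real error payload).
// api.createCustomerPaymentProfile(customerProfileId, opaqueData) spends the token.
// store is any async-ish key/value of email -> customerProfileId (a Map works).
async function addPaymentMethod(api, store, customer, opaqueData) {
  // 1. Resolve the customerProfileId WITHOUT touching opaqueData.
  let customerProfileId = await store.get(customer.email);
  if (!customerProfileId) {
    try {
      ({ customerProfileId } = await api.createCustomerProfile({ email: customer.email }));
    } catch (err) {
      if (!err.customerProfileId) throw err;       // real failure; nothing was spent
      customerProfileId = err.customerProfileId;   // duplicate: reuse the existing profile
    }
    await store.set(customer.email, customerProfileId);
  }
  // 2. Spend opaqueData exactly once, on the request that needs it.
  return api.createCustomerPaymentProfile(customerProfileId, opaqueData);
}

// Constructed fake of the API: duplicate profiles fail with the existing id, and a
// dataValue can only be used once, after which the call fails with E00114.
function fakeApi() {
  const profiles = new Map();
  const spent = new Set();
  return {
    async createCustomerProfile({ email }) {
      if (profiles.has(email)) {
        const e = new Error('duplicate record');
        e.customerProfileId = profiles.get(email);
        throw e;
      }
      const id = `cp-${profiles.size + 1}`;
      profiles.set(email, id);
      return { customerProfileId: id };
    },
    async createCustomerPaymentProfile(customerProfileId, opaqueData) {
      if (spent.has(opaqueData.dataValue)) {
        const e = new Error('Invalid OTS Token');
        e.code = 'E00114';
        throw e;
      }
      spent.add(opaqueData.dataValue);
      return { customerProfileId, customerPaymentProfileId: `pp-${spent.size}` };
    },
  };
}
```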

"errorCode": "USER_AUTHENTICATION_FAILED"

I am following the same code as in the ExampleBase class to get the JWT token, and it is supposed to renew the token after the token expires, but instead I am getting the following error after some time.
Below is the GitHub link:
https://github.com/docusign/eg-01-java-jwt/blob/master/src/main/java/com/docusign/example/jwt/ExampleBase.java
com.docusign.esign.client.ApiException: Error while requesting server, received a non successful HTTP code 401 with response Body: '{
"errorCode": "USER_AUTHENTICATION_FAILED",
"message": "One or both of Username and Password are invalid. Invalid access token"
}'
at com.docusign.esign.client.ApiClient.invokeAPI(ApiClient.java:1053)
at com.docusign.esign.api.EnvelopesApi.createEnvelope(EnvelopesApi.java:701)
at com.docusign.esign.api.EnvelopesApi.createEnvelope(EnvelopesApi.java:651)
Are you calling check_token before each call to the DocuSign API? The check_token method checks the token expiration and then should generate a new one if the old one is about to expire.
Since JWT tokens only last an hour, it is not too hard to create a token then debug 55 minutes later. With a 10 minute buffer time, line 37 in the code should be triggered to create a new token at that time.
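The check_token behaviour the answer describes, as an added example in JavaScript (not the DocuSign sample's own code): the cache renews when fewer than `bufferSec` seconds (10 minutes by default) remain before the one-hour expiry, and concurrent callers share one in-flight refresh instead of each requesting a token. `fetchToken` is an injected function returning { accessToken, expiresIn } (expiresIn in seconds), standing in for the JWT grant call; the clock is injectable so the expiry logic can be tested offline.

```javascript
// Token cache with an expiry buffer: call checkToken() before every API call.
function createTokenCache(fetchToken, { bufferSec = 600, now = () => Date.now() / 1000 } = {}) {
  let accessToken = null;
  let expiresAt = 0;       // epoch seconds
  let inflight = null;     // shared promise while a refresh is running

  // True when there is no token or it expires within the buffer window.
  function needsRefresh() {
    return !accessToken || now() + bufferSec >= expiresAt;
  }

  async function checkToken() {
    if (!needsRefresh()) return accessToken;
    if (!inflight) {
      inflight = fetchToken()
        .then((t) => {
          if (!t || typeof t.accessToken !== 'string' || !(t.expiresIn > 0)) {
            throw new Error('token endpoint returned an unusable response');
          }
          accessToken = t.accessToken;
          expiresAt = now() + t.expiresIn;
          return accessToken;
        })
        .finally(() => { inflight = null; });   // allow a retry after failure
    }
    return inflight;
  }

  return { checkToken, needsRefresh };
}
```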
Not sure what you mean by "it suppose to renew the token after the token expired"; this you need to write code for. It's not happening automatically. If you use the same token you originally obtained (and it worked before) after 8 hours, it will no longer work. I am assuming that's what is happening here. You need to use the refresh token to obtain a new token at that point.
Solved the error using the answer given in the following question, please check there:
Docusign API's failing after an hour

eg-01-java-jwt example returning empty body

I'm trying to use the example project, but I keep getting this message:
DocuSign Exception!
Reason: 0
Error Reponse: null
I have configured everything following the instructions in the repository page.
I have tried debugging the class responsible for the HTTP Post, but so far I got nothing.
Probably you need to grant consent for the integration key to impersonate the user.
See https://github.com/docusign/docusign-java-client/issues/111#issuecomment-513537950

How to remove security requirement on an apiconnect path?

By default API Connect adds security as required on all the paths. How can I allow a hit on a path without requiring authentication first?
I've tried unchecking the "Use API security definitions" in the Security section on my User.count path, but when I use the browser on the URL https://localhost:4002/api/Users/count I get back
Error
401 Authorization Required
code: AUTHORIZATION_REQUIRED
Error: Authorization Required
at D:\PeteSoft\node\test3\node_modules\loopback\lib\application.js:433:21
at D:\PeteSoft\node\test3\node_modules\loopback\lib\model.js:359:7
at D:\PeteSoft\node\test3\node_modules\loopback\common\models\acl.js:536:16
at D:\PeteSoft\node\test3\node_modules\async\dist\async.js:3888:9
at D:\PeteSoft\node\test3\node_modules\async\dist\async.js:473:16
at iteratorCallback (D:\PeteSoft\node\test3\node_modules\async\dist\async.js:1064:13)
at D:\PeteSoft\node\test3\node_modules\async\dist\async.js:969:16
at D:\PeteSoft\node\test3\node_modules\async\dist\async.js:3885:13
at D:\PeteSoft\node\test3\node_modules\loopback\common\models\acl.js:518:17
at D:\PeteSoft\node\test3\node_modules\loopback\common\models\role.js:447:21
at process._tickCallback (internal/process/next_tick.js:61:11)
How can I get the count returned instead of the Authorization Required error?
If you are using the free version, you have to include the IBM client ID (the IBM client secret is optional).
However, the Authorization error can be caught, so if you properly configure the catch to capture that error, you could work without the IBM client ID (it is a bad practice, but might solve your problem).
Catch Auth Error
If you want to work without those keys, you have to buy the product, and in the Design tab it will allow you to remove it.