
I am resolving user data using firebase for auth like so:

from firebase_admin import auth
decoded_token = auth.verify_id_token(client_id_token)
I am initializing my firebase creds with firebase_admin.initialize_app(cred)

Here client_id_token is a token that the client sends. However, this takes around 1 second to perform, which seems way too long. One possibility is to use a caching layer above this (lru cache, memcache), but it still seems that it should not fundamentally take so long. Looking at the signature of verify_id_token, there does not seem to be anything that stands out as something that I can pass in:

def verify_id_token(id_token, app=None):

Any thoughts on how to diagnose (or if I am missing something)?
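The caching layer the question mentions, as an added example that is not part of the original post or of firebase_admin (the VerifiedTokenCache class, the stand-in verifier and the fixed clock in run_demo are constructed for it). The verifier is injected, so in a real service auth.verify_id_token is what gets passed in; keys are SHA-256 digests rather than the bearer token itself, an entry expires at the token's own exp or after max_ttl seconds, whichever is sooner, and the table is bounded with LRU eviction so a flood of tokens cannot grow it:

```python
import hashlib
import threading
import time
from collections import OrderedDict
from typing import Any, Callable, Dict, Tuple

Claims = Dict[str, Any]


class VerifiedTokenCache:
    """Memoises the claims a (slow) ID-token verifier returns for a given token.

    Keys are SHA-256 digests of the raw token, so the table never holds bearer
    tokens in the clear; an entry lives until the token's own `exp` or for
    `max_ttl` seconds, whichever is sooner; the table is bounded with LRU
    eviction so a flood of tokens cannot grow it without limit.
    """

    def __init__(self, verify: Callable[[str], Claims], max_ttl: float = 300.0,
                 max_entries: int = 10_000, clock: Callable[[], float] = time.time) -> None:
        self._verify, self._max_ttl, self._max_entries, self._clock = verify, max_ttl, max_entries, clock
        self._entries: "OrderedDict[str, Tuple[float, Claims]]" = OrderedDict()
        self._lock = threading.Lock()
        self.hits = self.misses = 0

    def __len__(self) -> int:
        return len(self._entries)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def get_claims(self, token: str) -> Claims:
        key, now = self._key(token), self._clock()
        with self._lock:
            entry = self._entries.get(key)
            if entry is not None:
                expires_at, claims = entry
                if now < expires_at:
                    self._entries.move_to_end(key)  # mark as most recently used
                    self.hits += 1
                    return claims
                del self._entries[key]  # stale: drop it and re-verify
            self.misses += 1
        # The real verifier runs outside the lock so its network round trip does
        # not serialise every request. A failed verification raises and is never cached.
        claims = self._verify(token)
        expires_at = min(float(claims.get("exp", 0)), now + self._max_ttl)
        if expires_at > now:  # never cache a token that is already expired or has no exp
            with self._lock:
                self._entries[key] = (expires_at, claims)
                self._entries.move_to_end(key)
                while len(self._entries) > self._max_entries:
                    self._entries.popitem(last=False)  # evict the least recently used entry
        return claims


def run_demo() -> Dict[str, int]:
    """Constructed scenario with a stand-in verifier and a fake clock (not a real
    Firebase call); returns counters showing hits, misses, eviction and expiry."""
    calls = {"n": 0}
    fake_now = [1_700_000_000.0]

    def slow_verify(token: str) -> Claims:  # stand-in for auth.verify_id_token
        calls["n"] += 1
        if token == "bad-token":
            raise ValueError("invalid token")
        return {"uid": "user-" + token, "exp": fake_now[0] + 3600}

    cache = VerifiedTokenCache(slow_verify, max_ttl=60, max_entries=2, clock=lambda: fake_now[0])
    cache.get_claims("tokA")           # miss
    cache.get_claims("tokA")           # hit
    cache.get_claims("tokB")           # miss
    cache.get_claims("tokC")           # miss, evicts tokA (bound is 2)
    cache.get_claims("tokA")           # miss again, evicts tokB
    fake_now[0] += 61                  # past max_ttl, although the token's exp is still far off
    cache.get_claims("tokC")           # stale entry dropped, miss
    try:
        cache.get_claims("bad-token")  # miss; the error propagates and nothing is cached
    except ValueError:
        pass
    return {"verifier_calls": calls["n"], "hits": cache.hits, "misses": cache.misses, "size": len(cache)}
```

A cache hit skips everything the verifier would have done, including any revocation check, so a revoked session stays usable for up to max_ttl; keep that window short (tens of seconds to a few minutes). Negative results are deliberately not cached: a flood of invalid tokens would otherwise crowd real entries out of the bounded table.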

2 Answers


  1. The problem is that the function does an HTTP request in order to get the key to decode the JWT. In addition, because it returns info such as the email of the user, while the JWT contains only the uid as the sub field of the decoded JWT, I think that it does another HTTP request under the hood to get the user from the decoded uid.

    You should implement your custom decode function, following the docs: https://firebase.google.com/docs/auth/admin/verify-id-tokens

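A custom decoder of the kind this answer points to, as an added example that is not from the answer, the Firebase docs or firebase_admin. It applies the rules the linked page lists for third-party JWT libraries: alg must be RS256, kid must name a key from the key set, the signature must verify, exp must be in the future, iat and auth_time in the past, aud must equal the project ID, iss must equal https://securetoken.google.com/<project>, and sub must be a non-empty string. The kid-to-key map is what a service would parse from Google's x509 document and cache for the max-age that response advertises. So that it runs offline, keys are generated and tokens minted locally with a small stdlib-only RSA implementation; that implementation, the demo_keys/mint_id_token/rejection_reason helpers and the demo-project values are assumptions of this example, and a real service should hand the signature check to PyJWT or cryptography:

```python
import base64
import hashlib
import json
import random
from typing import Any, Dict, Tuple

# Stdlib-only RSASSA-PKCS1-v1_5 / SHA-256, so the example runs offline. It stands
# in for the signature check a real service delegates to PyJWT or `cryptography`
# (an assumption of this example, not production-grade crypto).
RSAKey = Tuple[int, int]  # (modulus n, exponent): e for a public key, d for a private one
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin, adequate for throwaway demo keys
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa_keypair(bits: int = 1024) -> Tuple[RSAKey, RSAKey]:
    """Returns (public, private); 1024-bit keys only to keep the demo fast."""
    def prime() -> int:
        while True:  # force the top bit (full length) and the low bit (odd)
            cand = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _is_probable_prime(cand):
                return cand
    e = 65537
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def _pkcs1_v15_encode(data: bytes, k: int) -> int:
    t = _SHA256_DIGESTINFO + hashlib.sha256(data).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rsa_sign(priv: RSAKey, data: bytes) -> bytes:
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(_pkcs1_v15_encode(data, k), d, n).to_bytes(k, "big")

def rsa_verify(pub: RSAKey, data: bytes, sig: bytes) -> bool:
    n, e = pub
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == _pkcs1_v15_encode(data, k)

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_id_token(priv: RSAKey, kid: str, claims: Dict[str, Any], alg: str = "RS256") -> str:
    """Test-only issuer standing in for Firebase's securetoken service."""
    parts = [_b64url(json.dumps(o, separators=(",", ":")).encode()) for o in ({"alg": alg, "kid": kid}, claims)]
    signing_input = ".".join(parts)
    return signing_input + "." + _b64url(rsa_sign(priv, signing_input.encode()))

def verify_firebase_id_token(token: str, project_id: str, keys: Dict[str, RSAKey], now: float) -> Dict[str, Any]:
    """The header, signature and claim checks the Firebase docs list for third-party JWT
    libraries. `keys` maps kid -> public key as parsed from Google's x509 document (cache it
    for the max-age that response advertises). Raises ValueError on any failure."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header, claims, sig = json.loads(_unb64url(h_b64)), json.loads(_unb64url(p_b64)), _unb64url(s_b64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError
    except ValueError as exc:  # wrong part count, bad base64, bad JSON or wrong shape
        raise ValueError("malformed token") from exc
    if header.get("alg") != "RS256":  # checked before any key lookup: the token never picks the algorithm
        raise ValueError("alg must be RS256")
    pub = keys.get(str(header.get("kid", "")))
    if pub is None:  # unknown kid: a real verifier refetches the key document once, then fails
        raise ValueError("unknown kid")
    if not rsa_verify(pub, f"{h_b64}.{p_b64}".encode(), sig):
        raise ValueError("bad signature")
    num = (int, float)
    for ok, reason in (
        (isinstance(claims.get("exp"), num) and claims["exp"] > now, "expired"),
        (isinstance(claims.get("iat"), num) and claims["iat"] <= now, "iat in the future"),
        (claims.get("aud") == project_id, "wrong aud"),
        (claims.get("iss") == f"https://securetoken.google.com/{project_id}", "wrong iss"),
        (isinstance(claims.get("sub"), str) and claims["sub"] != "", "missing sub"),
        (isinstance(claims.get("auth_time"), num) and claims["auth_time"] <= now, "auth_time in the future"),
    ):
        if not ok:
            raise ValueError(reason)
    return claims

def rejection_reason(token: str, project_id: str, keys: Dict[str, RSAKey], now: float) -> str:
    """'accepted' or the verifier's error message; convenient for tests and logs."""
    try:
        verify_firebase_id_token(token, project_id, keys, now)
        return "accepted"
    except ValueError as exc:
        return str(exc)

def demo_keys(seed: int = 7) -> Tuple[RSAKey, RSAKey, RSAKey]:
    """Deterministic demo material: (trusted public, trusted private, attacker private)."""
    random.seed(seed)  # constructed demo only; real keys come from the x509 document
    pub, priv = generate_rsa_keypair()
    return pub, priv, generate_rsa_keypair()[1]

def demo() -> Tuple[str, str]:
    """Constructed usage: a legitimate token and an attacker-signed one carrying a trusted kid."""
    pub, priv, attacker_priv = demo_keys()
    now, project, keys = 1_700_000_000, "demo-project", {"key-1": pub}
    claims = {"iss": f"https://securetoken.google.com/{project}", "aud": project, "sub": "uid-123",
              "iat": now - 60, "auth_time": now - 60, "exp": now + 3600}
    return (rejection_reason(mint_id_token(priv, "key-1", claims), project, keys, now),
            rejection_reason(mint_id_token(attacker_priv, "key-1", claims), project, keys, now))
```

Two design points: alg is checked before the key lookup, which is what shuts out alg=none and algorithm-confusion tokens; and the key map, not the token, decides which public keys exist, so an unknown kid is at most a one-time refetch of Google's key document, never a reason to trust key material the token itself carries.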
  2. I’m having the same issue. It’s about 200 ms for me (I’m using FastAPI). @EuberDeveloper – glad to hear it’s the same on Node.js – you saved me from testing it out.

    I wanted to mention how I got my setup working faster in case anyone would benefit.

    I’ve got Google API Gateway with Firebase security defined in the Swagger spec in front of a Cloud Run instance. API Gateway validates the JWT (as per the Swagger spec) and passes on the Authorization header to the backend as a renamed header (from memory it’s X-FORWARDED-AUTHORIZATION, but best to double check). This is pretty fast.

    Then in the backend you don’t need to validate the ID token, since it’ll already be validated by the time the request gets there. And if you send the UID along in the request to your backend as well as the ID token in the Authorization header, you can fetch users with the UID field you send. This removed the 200 ms it was costing me to decode the ID token.

    Note – if you want to do things like check how old a refresh token is and revoke it for some reason, then you’ll still need to decode the ID token.
