Firebase JWT tokens

[davidmartos96]

Would it be possible to add support for validation of Firebase generated auth JWT tokens?
Unfortunately those tokens are not always generated with the same private key, so to verify them, the public key needs to be fetched at run time.

I'm not sure if there would be a way to implement this in a general way for other providers, but Firebase being one of the most popular BaaS, it might be worth adding a special way of handling it to simplify the auth flow.

More information here:

https://firebase.google.com/docs/auth/admin/verify-id-tokens?hl=en#verify_id_tokens_using_a_third-party_jwt_library

[alco]

Hey @davidmartos96 👋

Thanks for the request! I've converted it from an issue to a discussion.

To your point, Firebase implements the JWK standard by including kid in the JWT header and providing an endpoint where its public keys can be fetched from. As a matter of fact, we have an internal issue for implementing key lookup at runtime. So this capability can work in a generic fashion and support not only Firebase but other providers that follow the RFC.

VAX-690 is the relevant internal issue.

[davidmartos96]

@alco I didn't know about JWK, thanks for the information! Glad to hear it is being considered