package module
Version: v1.0.0 Latest Latest

This package is not in the latest version of its module.

Go to latest
Published: Feb 21, 2017 License: Apache-2.0 Imports: 12 Imported by: 0


Firebase Authentication JWT Verifier

Build Status Coverage Status GoDoc stability-stable

This library follows the instructions described in verify id tokens using third-party JWT library section of the firebase documentation.

Example Usage

import (

// tokenVerifier previously initialised with fireauth.New("projectname")
func verify(r api2go.Request, tokenVerifier fireauth.TokenVerifier) error {
	token := r.Header.Get("authorization")
	userID, claims, err := tokenVerifier.Verify(token)
	if err != nil {
		return err
	r.Context.Set("userID", userID)
	r.Context.Set("claims", claims)
	return nil



Package fireauth provides ability to verify firebase authentication ID tokens

package main

import (


func main() {

	fireauth, err := fireauth.New("example project")
	if err != nil {
		log.Fatalf("%v", err)

	token, err := getToken()
	if err != nil {
		log.Fatalf("%v", err)

	userID, claims, err := fireauth.Verify(token)
	if err != nil {
		log.Fatalf("%v", err)

	log.Printf("userID %v, claims %+v", userID, claims)

func getToken() (string, error) {
	content, err := ioutil.ReadFile("testdata/token.txt")
	if err != nil {
		return "", err

	return string(content), nil




View Source
const (
	// FirebaseKeyURL Firebase key provider url
	// specified in
	FirebaseKeyURL = ""

	// IssPrefix JWT issuer prefix
	// specified in
	IssPrefix = ""
View Source
const HeaderCacheControl = "Cache-Control"

HeaderCacheControl Cache-Control field in http response header


View Source
var (
	// ErrNilToken is returned when the authorization token is empty
	ErrNilToken = errors.New("Empty authorizatin token")

	// ErrRSAVerification is missing from crypto/ecdsa compared to crypto/rsa
	ErrRSAVerification = errors.New("crypto/rsa: verification error")

	// ErrNotIssuedYet indicates that the token hasn't been issued yet
	ErrNotIssuedYet = errors.New("Token not issued yet")

	// ErrCacheControlHeaderLacksMaxAge indicates that the key server response didnt contain a max age
	// as specified by the firebase docs
	ErrCacheControlHeaderLacksMaxAge = errors.New("cache control header doesn't contain a max age")


func GetKeys

func GetKeys(tokens map[string]interface{}, keyURL string) (int64, error)

GetKeys client tokens must be signed by one of the server keys provided via a url. The keys expire after a certain amount of time so we need to track that also.


type FireAuth

type FireAuth struct {
	ProjectID string

	KeyURL    string
	IssPrefix string
	Clock     clock.Clock

	// contains filtered or unexported fields

FireAuth module to verify and extract information from Firebase JWT tokens

func New

func New(projectID string) (*FireAuth, error)

New creates a new instance of FireAuth with default values and loads the latest keys from the Firebase servers

func (*FireAuth) UpdatePublicKeys

func (fb *FireAuth) UpdatePublicKeys() error

UpdatePublicKeys retrieves the latest Firebase keys

func (*FireAuth) Verify

func (fb *FireAuth) Verify(accessToken string) (string, jwt.Claims, error)

Verify to satisfy the fireauth.TokenVerifier interface

type TokenVerifier

type TokenVerifier interface {
	Verify(token string) (userID string, claims jwt.Claims, err error)

TokenVerifier verifies authenticaion tokens



  • should extract kid from header and only verify against that key

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL