Expand description
Fetching and caching Google’s X.509 signing certificates used to verify Firebase session cookies.
Session cookies are verified against a different key set than ID tokens:
https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys,
which returns a flat { "<kid>": "<PEM-encoded X.509 certificate>" }
object rather than a JWK Set. This was confirmed by inspecting both the
official Node.js and Python Admin SDKs (COOKIE_CERT_URI /
ID_TOKEN_CERT_URI in token-verifier.ts / _token_gen.py) and by
fetching the endpoint directly, since a Firebase-Admin-SDK-agnostic RS256
JWK Set is also published for ID tokens at a different URL and it would
be easy to wrongly assume both token types share one key set.
Structs§
- Session
Cookie Cert Cache - Fetches and caches the X.509 certificates Google publishes for verifying Firebase session cookies.