How to create and how to verify Firebase ID token using private key in Cloudflare Workers

[step135]

Any advice?

[panva]

I'd love to help you but not without substantial effort on your end better explaining things in detail.

[step135]

To verify ID token I have following code that only works in Node:

const jwt = "xxxx.xxxx.xxxx"
const algorithm = 'HS256'
const pkcs8 = "-----BEGIN PRIVATE KEY-----...."
const ecPrivateKey = await jose.importPKCS8(pkcs8, algorithm)

let d = await jose.jwtVerify(jwt, ecPrivateKey)

[step135]

It is unhelpful because it is using public key and not private key.

[panva]

In that case I can only refer you back to #631 (comment)

[step135]

Why is it working in Node and not in Cloudflare Workers?

I can not do much effort if you don't do effort with documentation that is not helping me in this case.

[panva]

Why is it working in Node and not in Cloudflare Workers?

Because they're different crypto runtimes with different prerequisites and quirks. For instance the importPKCS8 documentation clearly states that the alg argument is only applicable in WebCryptoAPI runtimes, e.g. CF Workers, not Node. Then, Node.js crypto automatically extracts public keys from private ones when verifying, WebCryptoAPI doesn't.

Generally speaking more than single simple sentenses are needed from you if you want to get any help. For instance you have yet to provide any actual executable code sample, stack traces, context, links to docs explaining what and why you're doing.

To a very clear recent issue with accepted guidance about how to verify Firebase assertions you're responding with nonsense about private keys being used. Furthermore it is not clear if you mean private keys or secrets because you're mixing up PKCS8 (a format to represent private keys), jwtVerify (an operation that needs a public key or a symmetric secret), HS256 which is a symmetric HMAC-based algorithm, in the other one-line issues you've opened you mentioned ES256 which is an ECDSA based algorithm.

Again, context matters if you want to get help and you're providing none. If you have suggestions for improving the documentation then please open a PR.