
[Feature]: Verify id tokens #9

Closed
Lxstr opened this issue Mar 12, 2023 · 5 comments
Labels
enhancement New feature or request

Comments

@Lxstr

Lxstr commented Mar 12, 2023

Is your proposal related to a problem?

Hi Asif, it would be great to be able to use the function:
decoded_token = auth.verify_id_token(id_token)

Describe the solution you'd like.

Be able to access the decoded token claims:
{
  'iss': 'https://securetoken.google.com/project-id',
  'aud': 'project-id',
  'auth_time': 1622574389,
  'user_id': 'abcdefgh1234567890',
  'sub': 'abcdefgh1234567890',
  'iat': 1622574390,
  'exp': 1622577990,
  'email': '[email protected]',
  'email_verified': True,
  'firebase': {
    'identities': {
      'email': ['[email protected]']
    },
    'sign_in_provider': 'password'
  }
}

Describe alternatives you've considered.

https://firebase.google.com/docs/auth/admin/verify-id-tokens#web

Additional context.

Trying to get the expiry timestamp in order to check if I need to refresh the user's idToken. Then I would set up a requirement to pass the idToken as an extra security layer.

@Lxstr Lxstr added the enhancement New feature or request label Mar 12, 2023
@github-actions

Hello @Lxstr , thank you for submitting an issue! A project committer will shortly review the issue.

@Lxstr Lxstr changed the title [Feature]: <Verify id tokens> [Feature]: Verify id tokens Mar 12, 2023
@AsifArmanRahman
Owner

Hey @Lxstr.

I actually need your opinion on how this should be done. As mentioned here, Verify ID tokens using a third-party JWT library, should I proceed with all the checks to verify it? Or do it simply by retrieving the public key for the kid in the headers and verifying it using the retrieved public key?
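The two options in the comment above differ in everything after the signature check. The block below is an added example, written for this thread and not code from the library or from anyone in the discussion, of the full check list from the Firebase "third-party JWT library" docs: pin alg to RS256, select the key by kid, verify the RS256 signature, then check exp, iat, auth_time, aud, iss and sub. So that it runs offline with the standard library only, it assumes a constructed RSA demo key in place of the X.509 certificates Google publishes at https://www.googleapis.com/robot/v1/metadata/x509/[email protected] (extracting n and e from those certs is left to a library), and mints its own Firebase-shaped token; generate_rsa_key, mint_id_token, verify_id_token, rejects and the kid/project values are the example's own names.

```python
import base64, hashlib, hmac, json, random, time

# DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")


class InvalidIdToken(ValueError):
    """Raised when the token fails any check Firebase requires."""


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin, good enough for a throwaway demo key."""
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_rsa_key(bits: int = 1024) -> dict:
    """Constructed demo key (assumption): stands in for Google's published certs."""
    def prime(b):
        while True:
            c = random.getrandbits(b) | (1 << (b - 1)) | 1
            if _probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537:  # 65537 is prime, so this is gcd(e, phi) == 1
            return {"n": p * q, "e": 65537, "d": pow(65537, -1, phi)}


def _emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    t = SHA256_DIGEST_INFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rs256_sign(key: dict, message: bytes) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    m = int.from_bytes(_emsa_pkcs1_v15(message, k), "big")
    return pow(m, key["d"], key["n"]).to_bytes(k, "big")


def rs256_verify(pub: dict, message: bytes, sig: bytes) -> bool:
    k = (pub["n"].bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= pub["n"]:
        return False
    em = pow(s, pub["e"], pub["n"]).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(message, k))


def mint_id_token(key: dict, kid: str, project_id: str, uid: str, now: int, ttl: int = 3600) -> str:
    """Issue a token shaped like the one in the issue (constructed; only Google signs real ones)."""
    header = {"alg": "RS256", "kid": kid, "typ": "JWT"}
    claims = {
        "iss": f"https://securetoken.google.com/{project_id}", "aud": project_id,
        "auth_time": now, "user_id": uid, "sub": uid, "iat": now, "exp": now + ttl,
        "firebase": {"sign_in_provider": "password"},
    }
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    return signing_input + "." + b64url_encode(rs256_sign(key, signing_input.encode()))


def verify_id_token(id_token: str, public_keys: dict, project_id: str, now=None) -> dict:
    """Every check from the Firebase docs; returns the claims only if all of them pass."""
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = id_token.split(".")
        header, claims = json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64))
        sig = b64url_decode(s64)
    except ValueError as exc:  # covers bad segment count, base64 and JSON errors
        raise InvalidIdToken(f"malformed token: {exc}") from None
    # Pin the algorithm; the header's alg must never pick the verifier (alg=none / HS256 confusion).
    if not isinstance(header, dict) or header.get("alg") != "RS256":
        raise InvalidIdToken("alg must be RS256")
    pub = public_keys.get(header.get("kid"))
    if pub is None:
        raise InvalidIdToken("kid not in the current Google key set")
    if not rs256_verify(pub, f"{h64}.{p64}".encode(), sig):
        raise InvalidIdToken("signature does not verify")
    required = ("exp", "iat", "auth_time", "aud", "iss", "sub")
    if not isinstance(claims, dict) or any(c not in claims for c in required) \
            or not all(isinstance(claims[c], int) for c in ("exp", "iat", "auth_time")):
        raise InvalidIdToken("required claim missing or malformed")
    if not (claims["iat"] <= now and claims["auth_time"] <= now < claims["exp"]):
        raise InvalidIdToken("token not yet valid or expired")
    if claims["aud"] != project_id or claims["iss"] != f"https://securetoken.google.com/{project_id}":
        raise InvalidIdToken("aud/iss do not match this project")
    if not isinstance(claims["sub"], str) or not claims["sub"]:
        raise InvalidIdToken("sub must be a non-empty uid")
    return claims


def rejects(id_token: str, public_keys: dict, project_id: str, now: int) -> bool:
    """True if verification raises InvalidIdToken; handy for the negative cases."""
    try:
        verify_id_token(id_token, public_keys, project_id, now)
    except InvalidIdToken:
        return True
    return False
```

The exp check alone answers the refresh question in the issue, but it is only meaningful once the signature and aud/iss checks have passed, since an unverified payload is attacker-controlled text. In production, public_keys is the map of kid to key built from Google's cert endpoint and refreshed according to its Cache-Control header.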

@Lxstr
Author

Lxstr commented Mar 15, 2023

I wasn't sure if we had to actually verify it. I thought I could just call the API and use the response, but I really have not much of an idea of what is correct here. I am only coming from the perspective of a server-side app.

I managed to wrangle something from AI after some back and forth; could this be an option?

import base64
import json
import requests

# The `key` query parameter is the project's Web API key, not the project id.
url = f"https://identitytoolkit.googleapis.com/v1/accounts:lookup?key={firebase_web_api_key}"

payload = {
    "idToken": id_token,
    "returnSecureToken": True
}

# `json=` serialises the body and sets Content-Type; `data=json.dumps(...)` sends no content type.
response = requests.post(url, json=payload)

if response.ok:
    # The lookup fails for a token Google rejects, so the payload is only read after that.
    user_info = response.json()["users"][0]
    # Pad the base64url segment to a multiple of 4 before decoding.
    payload_b64 = id_token.split(".")[1]
    decoded_token = base64.urlsafe_b64decode(payload_b64 + "=" * (-len(payload_b64) % 4)).decode("utf-8")
    token_info = json.loads(decoded_token)
else:
    error_message = response.json()["error"]["message"]
    print(f"Error verifying ID token: {error_message}")

@AsifArmanRahman
Owner

I haven't tested it yet, but by the looks of it, it seems like the v1 endpoint for Get Account Info, which is used in get_account_info, and it doesn't return the decoded claims stored in the id_token.

@Lxstr
Author

Lxstr commented Apr 30, 2023

Awesome, thanks for your hard work! Hopefully, this will be a handy additional feature for people using the token-passing feature. Although, in hindsight, I'm not sure if using this as an extra layer in my case (server side) is truly needed, so I'll maybe write about it and see if there's some feedback.

2 participants