Incorrect Verified status returned by Firebase Auth Admin SDK Java
[READ] Step 1: Are you in the right place? Yes
[REQUIRED] Step 2: Describe your environment
- Operating System version: MacOS 10.15.4
- Firebase SDK version: 6.12.2
- Library version: (not sure what this is)
- Firebase Product: auth
[REQUIRED] Step 3: Describe the problem
I’m migrating my application from Google Identity Toolkit to Firebase Auth. During testing I found that for newly registered and verified users, the Firebase Admin SDK for Java returns the email verification status as false even though the user has clicked the link in their email and verified themselves.
The Firebase client for web (Javascript) returns the correct email verification status (true). This is weird because the client sends the idToken to the server. So both are getting the verification status using the same idToken.
I’ve tested this by registering multiple test user accounts and it is reproducible every single time.
This is causing problems because I cannot trust the server to return the correct status. When the user sends a request, the server rejects it saying that user’s email is not verified.
The issue gets resolved if the user logs out and logs in again. Then both client and server return the status as true. But I don’t see a point in forcing the user to log out and log in again.
Relevant Code:
    // gtoken: the Firebase ID token the web client sent with the request
    FirebaseToken decodedToken;
    try {
        decodedToken = FirebaseAuth.getInstance().verifyIdToken(gtoken);
    } catch (FirebaseAuthException e) {
        e.printStackTrace();
        logger.severe("FirebaseAuthException exception thrown.");
        throw new UnauthorizedException(e);
    }
    if (decodedToken == null) {
        return null;
    }
    String emailId = decodedToken.getEmail();
    logger.info("Firebase user emailId : " + emailId);
    // email_verified claim as carried inside the ID token
    boolean isVerified = decodedToken.isEmailVerified();
    logger.info("isVerified : " + isVerified); // prints false
Please let me know if I’m missing something.
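The behaviour reported above follows from where each side reads the flag: verifyIdToken only decodes and validates the ID token, and the email_verified claim in that token reflects the account state at the moment the token was minted. Verifying the e-mail does not revoke tokens that were issued earlier, so the server keeps seeing false until the client obtains a fresh token, while the client's User object is refreshed from the account itself. The block below is an added example, not the reporter's code and not part of the firebase-admin project: when the token's claim is false, it consults the account record once via FirebaseAuth.getUser(uid) before rejecting the request, and fails closed if that lookup errors. It assumes a FirebaseApp has already been initialized; the UnauthorizedException type is assumed from the reporter's snippet and is defined here as a stand-in.

```java
import com.google.firebase.auth.FirebaseAuth;
import com.google.firebase.auth.FirebaseAuthException;
import com.google.firebase.auth.FirebaseToken;
import com.google.firebase.auth.UserRecord;
import java.util.logging.Logger;

public class VerifiedEmailCheck {
    private static final Logger logger = Logger.getLogger(VerifiedEmailCheck.class.getName());

    /** Outcome of authenticating one request. */
    public static final class AuthResult {
        public final String uid;
        public final String email;
        public final boolean emailVerified;
        /** true when the flag came from the account record rather than the token claim */
        public final boolean fromUserRecord;

        AuthResult(String uid, String email, boolean emailVerified, boolean fromUserRecord) {
            this.uid = uid;
            this.email = email;
            this.emailVerified = emailVerified;
            this.fromUserRecord = fromUserRecord;
        }
    }

    /**
     * Verifies the ID token (signature, expiry, issuer) and then treats its
     * email_verified claim as a hint only: the claim is frozen at token issuance,
     * so a "false" may simply predate the user's click on the verification link.
     */
    public static AuthResult authenticate(String idToken) throws UnauthorizedException {
        FirebaseToken decoded;
        try {
            decoded = FirebaseAuth.getInstance().verifyIdToken(idToken);
        } catch (FirebaseAuthException e) {
            // Invalid, expired or tampered token: reject, do not fall through to a lookup.
            logger.severe("ID token verification failed: " + e.getMessage());
            throw new UnauthorizedException(e);
        }

        String uid = decoded.getUid();
        if (decoded.isEmailVerified()) {
            // A true claim was set by the Auth backend at issuance; no further call needed.
            return new AuthResult(uid, decoded.getEmail(), true, false);
        }

        // The claim is false: re-check the account record, which reflects the current state.
        try {
            UserRecord record = FirebaseAuth.getInstance().getUser(uid);
            return new AuthResult(uid, record.getEmail(), record.isEmailVerified(), true);
        } catch (FirebaseAuthException e) {
            // Lookup failed (network, quota, deleted user): fail closed and keep the token's view.
            logger.warning("getUser(" + uid + ") failed: " + e.getMessage());
            return new AuthResult(uid, decoded.getEmail(), false, false);
        }
    }

    /** Stand-in for the exception type used in the reporter's snippet (assumed, not a Firebase class). */
    public static class UnauthorizedException extends Exception {
        public UnauthorizedException(Throwable cause) {
            super(cause);
        }
    }
}
```

The extra getUser call is only made on the false path, which is the rare case right after registration, so verified users cost nothing beyond the local token check. If that path turns out to be hot, cache positive results per uid for a bounded time rather than skipping the token verification itself; the token check is what authenticates the caller, the record lookup only refreshes one attribute.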
Issue Analytics
- Created 3 years ago
- Comments: 14 (6 by maintainers)
Top GitHub Comments
@deepfriedbrain I’m fairly confident such a configuration does not exist at the moment. Ideally you’d need something like a Functions trigger that runs whenever a user account is verified (which sounds like a great feature request for Functions btw). Can you use getIdTokenResult(true) in your client app to side-step this issue? @bojeil-google do you have any suggestions?
@hiranya911 Thank you for your response. What you said makes sense. I looked up the client code again and it gets the verification status from User object and not the token.
Is there a configuration that could force log out the user from the application the moment their email address was verified? As such, my client won’t know that the user has been verified because the email verification happens completely outside of my application. I knew the API to force refresh the token, but my application won’t know when to force it.
I’m using the default email action handlers. I can look at building custom email handlers later and probably I can have a button that logs the user out. But right now Google Identity Toolkit email / password registration has been disabled and I need to migrate out urgently.