tilutza asked

OpenID Authentication

Hello,

I am trying to set up Firebase authentication with Photon. Specifically, Firebase has as the authority the Google Project id, and not the URL used for validation.

On the other side, Photon forces me to fill in an HTTPS address as the issuer. Despite my effort to put in the Firebase token validation, Photon successfully validates the token, but it throws an exception that the Authority is not the one specified.

The error which I get is:

IDX10214: Audience validation failed. Audiences: 'api-800....'. Did not match: validationParameters.ValidAudience: '84....-pb5tsn9r286748u558shidp98e7oatjd.apps.googleusercontent.com' or validationParameters.ValidAudiences: 'null'.

Is there any way to specify separately the Authority validation URL and the actual authority?

Thanks

2 comments

tilutza commented ·

PlayFab supports OpenID authentication.

Despite the documentation which explains how you can integrate this, I didn't succeed in using it.

I use a JWT token created by the Google Firebase. In the login validation, I have this exception that the Audience does not match.

IDX10214: Audience validation failed. Audiences: 'api-800....'. Did not match: validationParameters.ValidAudience: '84....-pb5tsn9r286748u558shidp98e7oatjd.apps.googleusercontent.com' or validationParameters.ValidAudiences: 'null'.


In the case of a Google Project the audience is set to the project id. However, in PlayFab you cannot set the audience as a non-valid HTTP request. This forces me to write the audience as:

https://securetoken.google.com/{projectid}

Is there any way in PlayFab to specify separately the HTTP used for validation of the issuer, and the actual issuer?

Citrus Yan (to tilutza) commented ·

Hi, I will discuss with our product team and keep you informed.

Citrus Yan answered

Hi, after discussion with our team, we think those don't look like PlayFab errors. Are you actually trying to get Photon auth working? If so, @Hamza Lazaar can you help? Thanks.

2 comments

tilutza commented ·

I cannot edit the original post. There is no Photon there (I misspelled). I am trying to access PlayFab using the official SDK (from .NET Standard 2.0 in this case).

The steps are:

I have added an external Open ID connector -> Settings -> Open ID. I named it Firebase and I placed the keys and validation URL.

Then I am calling LoginWithOpenID using the Firebase name and the JWT token that is generated from Firebase.

The error is generated from PlayFab and I suspect the reason: Firebase has the IssuerID as a project id. In the PlayFab console you need to specify a validation URL for the Issuer (it does include the project id but it starts with HTTPS).

Can you help us with this?

Citrus Yan (to tilutza) commented ·

Hi, sorry for this delayed reply. After a discussion with our team, we don't believe Firebase is an identity provider or an issuer of OAuth tokens. Therefore, you cannot use PlayFab OpenId authentication with Firebase.

Citrus Yan answered

Hi, I am afraid this forum is not the best place for you to get help; you may need to turn to other forums. Anyway, I found these threads that may help you:

https://github.com/damienbod/angular-auth-oidc-client/issues/392

https://social.msdn.microsoft.com/Forums/security/en-US/5038fdda-b545-4200-96b7-82e303591c70/audience-validation-failed?forum=WindowsAzureAD

tilutza answered

Hi Citrus,

Firebase issues valid JWT tokens and I was able to verify their signature. An example of how to do this is: https://firebase.google.com/docs/auth/admin/verify-id-tokens#verify_id_tokens_using_a_third-party_jwt_library

As per the official OpenID Connect documentation, JWT tokens are used to authenticate requests, as documented here:

https://openid.net/developers/jwt/

The official PlayFab documentation says that you can authenticate an OpenID Connect account. In the Settings panel, it is written clearly that you need the name and the issuer. JWT by design has both of them.

Are you sure you are not making a confusion when you state that PlayFab supports OpenID authentication? In case yes, can you describe what type of authentication?

My guess is that PlayFab supports OpenID; however, my problem is that the JWT token I have has my Google Project id as the ISSUER, but PlayFab forces me to write the ISSUER as a URL. This forces me to write the ISSUER as

https://securetoken.google.com/api-80072602136308357....
but my actual ISSUER from the JWT token is only the project id in bold. This could explain the error which I gave above.

1 comment

Citrus Yan commented ·

Hi,

Yes, OpenID Connect uses JWT tokens to authenticate, and yes, Firebase issues valid JWT tokens for verification. However, the key here is that Firebase is not an OpenID identity provider or an issuer of OAuth tokens.

>> Are you sure you are not making a confusion when you state that PlayFab supports OpenID authentication?

Yes, PlayFab supports OpenID authentication.

>> In case yes, can you describe what type of authentication?

In the concept of OpenID, the issuer must be a URI in which the user can type his username and password or perform any other authentication methods to authenticate his identity, then redirect back to the website or application the user is accessing.

By the way, Google’s OAuth 2.0 APIs can be used for both authentication and authorization, which means that you can utilize it to implement OpenID Connect. Here is the doc that talks about Google OpenID Connect which I think will help you understand OpenID Connect better.

0 Likes 0 ·
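
Added example, not part of the thread and not PlayFab or Firebase code: the IDX10214 message quoted in the question compares the token's `aud` claim with a configured audience, which is a separate check from the issuer. Per the Firebase page linked in the thread, an ID token carries `iss` = `https://securetoken.google.com/<project-id>` and `aud` = `<project-id>`; the sketch below decodes a token's claims and reports which of the two checks fails. The project id, the client-id-shaped value, the sample token and all function names are constructed for illustration.

```python
import base64
import json

PROJECT_ID = "example-project"  # constructed placeholder, not the poster's project

def _b64url(data: dict) -> str:
    raw = json.dumps(data, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sample_token() -> str:
    """Constructed, unsigned token carrying Firebase-style iss/aud claims."""
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"iss": f"https://securetoken.google.com/{PROJECT_ID}",
               "aud": PROJECT_ID, "sub": "constructed-user-id"}
    return f"{_b64url(header)}.{_b64url(payload)}.constructed-signature"

def decode_claims(token: str) -> dict:
    """Read the payload without checking the signature. Diagnosis only:
    never make an authentication decision from unverified claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated parts")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def diagnose(token: str, configured_issuer: str, configured_audience: str) -> list:
    """Return the iss/aud mismatches between the token and the configuration."""
    claims = decode_claims(token)
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # aud may be string or array
    findings = []
    if claims.get("iss") != configured_issuer:
        findings.append(f"issuer mismatch: token {claims.get('iss')!r} vs {configured_issuer!r}")
    if configured_audience not in audiences:
        findings.append(f"audience mismatch: token {audiences!r} vs {configured_audience!r}")
    return findings

if __name__ == "__main__":
    issuer = f"https://securetoken.google.com/{PROJECT_ID}"
    # Constructed value shaped like the ValidAudience in the quoted error
    client_id = "000000000000-constructed.apps.googleusercontent.com"
    print(diagnose(sample_token(), issuer, client_id))   # one audience finding
    print(diagnose(sample_token(), issuer, PROJECT_ID))  # no findings
```

Run it against a real token only to read its claims while troubleshooting; signature and expiry checks stay with the validating service.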
