Invalid Custom Token #127

Closed
kadircanerergun opened this issue Dec 2, 2016 · 20 comments

@kadircanerergun

I'm using custom token auth on Firebase. I tried to generate a token as the documentation said. But when I try to log in on the client side with the loginWithCustomToken(token) method, it gives the error below:

```json
{
 "error": {
  "errors": [
   {
    "domain": "global",
    "reason": "invalid",
    "message": "INVALID_CUSTOM_TOKEN"
   }
  ],
  "code": 400,
  "message": "INVALID_CUSTOM_TOKEN"
 }
}
```

I generate the token with this code block, as described in the Firebase documentation:

```php
<?php
// Requires: composer require firebase/php-jwt
use Firebase\JWT\JWT;

// Both values are taken from the service account JSON key file
$service_account_email = "USED_FROM_JSON_FILE";
$private_key = "USED_FROM_JSON_FILE";

function create_custom_token($uid, $is_premium_account) {
  global $service_account_email, $private_key;

  $now_seconds = time();
  $payload = array(
    "iss" => $service_account_email,
    "sub" => $service_account_email,
    "aud" => "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit",
    "iat" => $now_seconds,
    "exp" => $now_seconds+(60*60),  // Maximum expiration time is one hour
    "uid" => $uid,
    "claims" => array(
      "premium_account" => $is_premium_account
    )
  );
  return JWT::encode($payload, $private_key, "RS256");
}
```

@saffabook

Same issue +1

@bshaffer
Collaborator

Hello! Thank you for filing this.

I unfortunately cannot duplicate this issue. The above sample validated as expected. I would verify the following:

  1. The service account email matches the private key
  2. The project tied to the service account matches your firebase config (i.e. authDomain)
  3. The token being passed to loginWithCustomToken is correct

Unfortunately, the error message being returned from the API is not very helpful, so it could be any of these things or something else.

If you think there is a problem with the documentation, click Send Feedback in the top right corner of the documentation page and tell us the problem.

@JustDNA

JustDNA commented Feb 23, 2017

Same issue +1

@JustDNA

JustDNA commented Feb 23, 2017

I come across this error a few times every day out of some 1000 times. I started facing this issue after I upgraded the client-side code to use Firebase 3.x from Firebase 2.x.

@diamond-darrell

diamond-darrell commented Apr 4, 2017

I have a similar issue.
I found out that if I copy the generated token and just hardcode it in the app (frontend side), it works fine. But if I pass the token received from the response, it fails.
So, I think that the token is valid, but for some reason login fails.

@diamond-darrell

I've figured out the problem in my case.
It was the wrong time on the server. So, the "iat" and "exp" dates were wrong.

@delta9

delta9 commented Apr 7, 2017

@diamond-darrell Thanks!! You saved me from pulling my hair out while testing.

@DrewLandgrave

@diamond-darrell THANK YOU!

@theknicker

I am having this same issue, but the time is not the problem. When I put my token into https://jwt.io/ I get an "invalid signature" error. Any ideas?

@dyangua

dyangua commented Aug 14, 2018

@theknicker the same problem, I don't know. I use the Firebase SDK and it works fine, but with my custom JWT with parameters like the documentation I have this error: Invalid assertion format. 3 dot separated segments required

@rldaulton

@dyangua did you find a solution to the error?

> i have this error Invalid assertion format. 3 dot separated segments required

@dyangua

dyangua commented Dec 7, 2018

@rldaulton yes, I have this error because I try to create my custom token in Node, but in Node you have a method for that; in PHP it works fine.

@dyangua

dyangua commented Dec 7, 2018

```php
<?php
// Requires: composer require firebase/php-jwt
use \Firebase\JWT\JWT;

// Get your service account's email address and private key from the JSON key file
$service_account_email = "";
$private_key = "";

function create_custom_token($cedula, $is_premium_account) {
  global $service_account_email, $private_key;

  $now_seconds = time();
  $payload = array(
    "iss" => $service_account_email,
    "sub" => $service_account_email,
    "aud" => "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit",
    "iat" => $now_seconds,
    "exp" => $now_seconds+(60*60), // Maximum expiration time is one hour
    "uid" => $cedula,
    "claims" => array(
      "premium_account" => $is_premium_account
    )
  );
  // Pass the algorithm explicitly: Firebase custom tokens are signed with RS256
  return JWT::encode($payload, $private_key, "RS256");
}
?>
```

@MrJellyB

Same error here.
When I tried to call signInWithCustomToken right after signInWithEmailAndPassword
it worked fine, but when I was calling it from another HTTP request it failed.

@MrJellyB

> @rldaulton yes, i have this error because i try to create my custom token in node but in node you have method for that, in php works fine.

can you elaborate?

@sharmam-lh

sharmam-lh commented May 6, 2020

Has anyone fixed this? "Invalid assertion format. 3 dot separated segments required." I am facing the same issue while using Firebase "signInWithCustomToken(jti)"; jti means JWT ID token.

@EfrenWhisper

Hey guys, I found the solution for my case:
The token in the request response is labeled as "session_token". I had a different key, "Session_token", so it was always failing.
Verify that you are using the correct key to retrieve your token:
`httpResponse.allHeaderFields["session_token"] as? String`

@madsongr

madsongr commented Aug 12, 2020

Same error here. I've checked the system time, changed uid from integer to string and decoded it in jwt.io. In jwt.io it is decoded and nothing's wrong.

I was having an Openssl() error using RS256 so I changed it to HS256 and that error was fixed. But I still have the error below:

> auth/invalid-custom-token
> The custom token format is incorrect. Please check the documentation.

```php
require_once('../vendor/autoload.php');
use \Firebase\JWT\JWT;

$service_account_email = env('ACCOUNT_EMAIL');
$private_key = env('ACCOUNT_SECRET');

class generateToken
{
    public static function generateNewToken($mysqli, $userID, $email)
    {
        global $service_account_email, $private_key;

        $name = '';
        $lastname = '';
        $hostOption = '';
        $now_seconds = time();

        $selectUserData = "SELECT username, lastname, hostOption FROM signup WHERE id = ? ";
        $stmt = $mysqli->prepare($selectUserData);
        $stmt->bind_param('i', $userID);
        $stmt->execute();
        $stmt->store_result();
        $stmt->bind_result($name, $lastname, $hostOption);
        $stmt->fetch();

        $payload = array(
            "iss" => $service_account_email,
            "sub" => $service_account_email,
            "aud" => "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit",
            "iat" => $now_seconds,
            "exp" => $now_seconds + (60 * 60),  // Maximum expiration time is one hour
            "uid" => strval($userID),
            "claims" => array(
                "username" => $name,
                "lastname" => $lastname,
                "email" => $email,
                "hostOption" => $hostOption,
            )
        );

        return JWT::encode($payload, $private_key, 'HS256');
    }
}
```

@madsongr

Just solved it! Reading this issue I could work with RS256 just using double quotes instead of single quotes in $private_key and I don't get invalid token error anymore.
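
The quoting fix above comes down to how PHP reads the key string: a single-quoted string keeps each `\n` escape as two literal characters, so OpenSSL is not handed a valid PEM. An added example, not part of the thread or of php-jwt (`normalize_pem()` and `key_is_usable()` are hypothetical helpers, and the key is a throwaway generated in place), that shows the difference:

```php
<?php
// Added example; normalize_pem() and key_is_usable() are hypothetical helpers.

// Turn literal backslash-n sequences (as left by a single-quoted PHP string or
// an unparsed environment value) back into real newlines.
function normalize_pem(string $key): string
{
    return str_replace(['\r\n', '\n'], "\n", trim($key));
}

// True when OpenSSL can parse the key as RSA and a SHA-256 signature made with
// it (what RS256 uses) verifies against its own public half.
function key_is_usable(string $pem): bool
{
    $priv = openssl_pkey_get_private($pem);
    if ($priv === false) {
        return false;
    }
    $details = openssl_pkey_get_details($priv);
    if ($details === false || $details['type'] !== OPENSSL_KEYTYPE_RSA) {
        return false;
    }
    if (!openssl_sign('probe', $sig, $priv, OPENSSL_ALGO_SHA256)) {
        return false;
    }
    return openssl_verify('probe', $sig, $details['key'], OPENSSL_ALGO_SHA256) === 1;
}

// Constructed throwaway key standing in for the private key of a key file.
$res = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
openssl_pkey_export($res, $pem);

// What a single-quoted '...\n...' string holds: backslash + n, no newlines.
$as_single_quoted = str_replace("\n", '\n', $pem);

var_dump(key_is_usable($as_single_quoted));                 // escaped form
var_dump(key_is_usable(normalize_pem($as_single_quoted)));  // repaired form
```

Reading the key with `json_decode()` straight from the service account JSON key file yields real newlines, which avoids the quoting question altogether.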

@madsongr

madsongr commented Jun 21, 2022

> Hello! Thank you for filing this.
>
> I unfortunately cannot duplicate this issue. The above sample validated as expected. I would verify the following:
>
> 1. The service account email matches the private key
> 2. The project tied to the service account matches your firebase config (i.e. authDomain)
> 3. The token being passed to loginWithCustomToken is correct
>
> Unfortunately, the error message being returned from the API is not very helpful, so it could be any of these things or something else.
>
> If you think there is a problem with the documentation, click Send Feedback in the top right corner of the documentation page and tell us the problem.

In my case item number 1 was the problem. After setting the correct service account email I was missing the private key of the same project. I was using a generic RSA private key.
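
Several causes reported in this thread (a token that is not three dot-separated segments, HS256 instead of RS256, a non-string uid, a wrong server clock) can be caught before the token reaches Firebase. An added example, not from the thread or from php-jwt: `check_custom_token()` is a hypothetical helper, the 300-second skew allowance is an assumption, the sample token is constructed, and the signature itself is not verified.

```php
<?php
// Added example: check_custom_token() is a hypothetical helper, not php-jwt API.
const FIREBASE_AUD = 'https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit';

function b64url_json(string $seg): ?array
{
    $seg = strtr($seg, '-_', '+/');
    $raw = base64_decode(str_pad($seg, strlen($seg) + (4 - strlen($seg) % 4) % 4, '='), true);
    $data = $raw === false ? null : json_decode($raw, true);
    return is_array($data) ? $data : null;
}

// Returns a list of problems; an empty list means the offline checks passed.
function check_custom_token(string $token, ?int $now = null, int $skew = 300): array
{
    $now = $now ?? time();
    $parts = explode('.', trim($token));
    if (count($parts) !== 3) {
        return ['expected 3 dot-separated segments, got ' . count($parts)];
    }
    $h = b64url_json($parts[0]);
    $c = b64url_json($parts[1]);
    if ($h === null || $c === null) {
        return ['header or payload is not base64url-encoded JSON'];
    }
    $p = [];
    if (($h['alg'] ?? null) !== 'RS256') $p[] = 'alg must be RS256';
    if (empty($c['iss']) || $c['iss'] !== ($c['sub'] ?? null)) $p[] = 'iss and sub must both be the service account email';
    if (($c['aud'] ?? null) !== FIREBASE_AUD) $p[] = 'aud is not the Identity Toolkit audience';
    if (!is_string($c['uid'] ?? null) || $c['uid'] === '') $p[] = 'uid must be a non-empty string';
    [$iat, $exp] = [$c['iat'] ?? null, $c['exp'] ?? null];
    if (!is_int($iat) || !is_int($exp)) {
        $p[] = 'iat and exp must be integer Unix timestamps';
    } else {
        if ($iat > $now + $skew) $p[] = 'iat is in the future: check the server clock';
        if ($exp <= $now) $p[] = 'token already expired: check the server clock';
        if ($exp - $iat > 3600) $p[] = 'lifetime exceeds one hour';
    }
    return $p;
}

// Constructed sample: HS256 header, integer uid, server clock two hours slow.
$enc = fn(array $a) => rtrim(strtr(base64_encode(json_encode($a)), '+/', '-_'), '=');
$now = time();
$bad = $enc(['alg' => 'HS256', 'typ' => 'JWT']) . '.' . $enc([
    'iss' => 'svc@example.iam.gserviceaccount.com', 'sub' => 'svc@example.iam.gserviceaccount.com',
    'aud' => FIREBASE_AUD, 'iat' => $now - 7200, 'exp' => $now - 3600, 'uid' => 42,
]) . '.c2ln';
print_r(check_custom_token($bad, $now));
```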
