Php Firebase verification with Twitter get user information

Question

I wan't to implement a Twitter login through the Firebase API. My client is a android app who loggs into the Twitter account and sends the IdToken to my php backend. This works fine.

OAuthProvider.Builder provider = OAuthProvider.newBuilder("twitter.com");
provider.addCustomParameter("lang", "de");
FirebaseAuth.getInstance()
        .startActivityForSignInWithProvider(/* activity= */ this, provider.build())
        .addOnSuccessListener(
                new OnSuccessListener<AuthResult>() {
                    @Override
                    public void onSuccess(AuthResult authResult) {
                        // User is signed in.
                        // IdP data available in
                        // authResult.getAdditionalUserInfo().getProfile().
                        // The OAuth access token can also be retrieved:
                        // authResult.getCredential().getAccessToken().
                        // The OAuth secret can be retrieved by calling:
                        // authResult.getCredential().getSecret().
                        Log.d("werte", "User is signed in");
                        Log.d("werte", "Username: " + authResult.getAdditionalUserInfo().getUsername());
                        Log.d("werte", "Info: " + authResult.getAdditionalUserInfo().getProfile().toString());
                        authResult.getUser().getIdToken(true).addOnSuccessListener(new OnSuccessListener<GetTokenResult>() {
                            @Override
                            public void onSuccess(GetTokenResult getTokenResult) {
                                Log.d("werte", "Accesstoken: " + getTokenResult.getToken());
                            }
                        });
                    }
                })
        .addOnFailureListener(
                new OnFailureListener() {
                    @Override
                    public void onFailure(@NonNull Exception e) {
                        // Handle failure.
                        Log.d("werte", "Sign in failed");
                        e.printStackTrace();
                    }
                });

But for php I only found a method to verify the token. I additionally need the user information. How do I get this?

$verifier = IdTokenVerifier::createWithProjectId('myProjectId');
try {
    $token = $verifier->verifyIdToken($idToken);
    echo($token);
} catch (IdTokenVerificationFailed $e) {
    echo $e->getMessage();
    // Example Output:
    // The value 'eyJhb...' is not a verified ID token:
    // - The token is expired.
}

Edit: I solved it with the help of Frank. But I used a little different way.

$googleKeysURL = 'https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com';
        $key = json_decode(file_get_contents($googleKeysURL), true);
        $decoded = JWT::decode($idToken, $key, array("RS256"));

In the $decoded Object you can find every profile information you need. Thank you Frank

Answer 1

Verifying the ID token does nothing more then what its name says: it verifies that the token is signed with a valid key.

If you want to use the claims from the decoded token, use a JWT decoding library like the one from Firebase: php-jwt . From the example in the documentation, you should be able to get the decoded token with:

$decoded = JWT::decode($jwt, $key, array('HS256'));