Time taken by $auth->verifyIdToken($token) #669
Replies: 4 comments
-
When verifying ID tokens, the SDK will fetch Google's Public Keys to verify the signature - you can speed this up for subsequent requests by configuring the Factory with a cache: https://firebase-php.readthedocs.io/en/5.x/setup.html#id-token-verification |
Beta Was this translation helpful? Give feedback.
-
It is given |
Beta Was this translation helpful? Give feedback.
-
The Authentication tokens are the tokens used by the SDK to authenticate When caching in memory, the cache is only valid for the current process/request, not for all incoming requests. What I mean is: if Client A and Client B make requests to your app, each request runs in its own process, and each process will have its own memory allocation and separate In-Memory-Caches - this means each request will cause its own requests to the Firebase APIs. # Request by Client A in its own process
$factory = (new Factory)->withServiceAccount('../firebase-adminsdk.json');
$auth = $factory->createAuth();
$verifiedIdToken = $auth->verifyIdToken($token, true);
// 1 outgoing Request to get the authentication token the SDK uses to authenticate requests to the Firebase APIs
// 1 outgoing Request to fetch Google's Public Keys for Signature verification
// 1 outgoing Request to fetch the user record for the uid in the ID token
// -> 3 outgoing requests in total # Request by Client B in its own process
$factory = (new Factory)->withServiceAccount('../firebase-adminsdk.json');
$auth = $factory->createAuth();
$verifiedIdToken = $auth->verifyIdToken($token, true);
// 1 outgoing Request to get the authentication token the SDK uses to authenticate requests to the Firebase APIs
// 1 outgoing Request to fetch Google's Public Keys for Signature verification
// 1 outgoing Request to fetch the user record for the uid in the ID token
// -> 3 outgoing requests in total In-Memory Caching would kick in when you verify two ID tokens within the same request: # Verifying two ID tokens in one process
$factory = (new Factory)->withServiceAccount('../firebase-adminsdk.json');
$auth = $factory->createAuth();
$idToken1 = '...';
$idToken2 = '...';
$auth->verifyIdToken($token1, true);
// 1 outgoing Request to get the authentication token the SDK uses to authenticate requests to the Firebase APIs
// 1 outgoing Request to fetch Google's Public Keys for Signature verification
// 1 outgoing Request to fetch the user record for the uid in the ID token
// -> 3 outgoing requests
$auth->verifyIdToken($token2, true);
// 1 outgoing Request to fetch the user record for the uid in the ID token
// -> 1 outgoing Request Now, there are two different caches you can configure for the SDK
Going back to the initial use case (2 verifications in 2 Requests). Using only the auth token cache # Very first request by Client A in its own process
$factory = (new Factory)
->withServiceAccount('../firebase-adminsdk.json')
->withAuthTokenCache(...);
$auth = $factory->createAuth();
$verifiedIdToken = $auth->verifyIdToken($token, true);
// 1 outgoing Request to get the authentication token the SDK uses to authenticate requests to the Firebase APIs
// 1 outgoing Request to fetch Google's Public Keys for Signature verification
// 1 outgoing Request to fetch the user record for the uid in the ID token
// -> 3 outgoing requests # Request by Client B in its own process
$factory = (new Factory)
->withServiceAccount('../firebase-adminsdk.json')
->withAuthTokenCache(...);
$auth = $factory->createAuth();
$verifiedIdToken = $auth->verifyIdToken($token, true);
// The authentication token now comes from the cache
// 1 outgoing Request to fetch Google's Public Keys for Signature verification
// 1 outgoing Request to fetch the user record for the uid in the ID token
// -> 2 outgoing requests # Request by Client C, D, etc.
$factory = (new Factory)
->withServiceAccount('../firebase-adminsdk.json')
->withAuthTokenCache(...);
$auth = $factory->createAuth();
$verifiedIdToken = $auth->verifyIdToken($token, true);
// -> 2 outgoing requests each per ID token verification Using the auth token cache and the public keys cache: # Very first request by Client A in its own process
$factory = (new Factory)
->withServiceAccount('../firebase-adminsdk.json')
->withAuthTokenCache(...)
->withVerifierCache(...);
$auth = $factory->createAuth();
$verifiedIdToken = $auth->verifyIdToken($token, true);
// 1 outgoing Request to get the authentication token the SDK uses to authenticate requests to the Firebase APIs
// 1 outgoing Request to fetch Google's Public Keys for Signature verification
// 1 outgoing Request to fetch the user record for the uid in the ID token
// -> 3 outgoing requests # Request by Client B in its own process
$factory = (new Factory)
->withServiceAccount('../firebase-adminsdk.json')
->withAuthTokenCache(...)
->withVerifierCache(...);
$auth = $factory->createAuth();
$verifiedIdToken = $auth->verifyIdToken($token, true);
// The authentication token now comes from the cache
// Google's public keys now come from the cache
// 1 outgoing Request to fetch the user record for the uid in the ID token
// -> 1 outgoing request # Request by Client C, D, etc.
$factory = (new Factory)
->withServiceAccount('../firebase-adminsdk.json')
->withAuthTokenCache(...)
->withVerifierCache(...);
$auth = $factory->createAuth();
$verifiedIdToken = $auth->verifyIdToken($token, true);
// -> 1 outgoing request each per ID token verification If you don't check for token revocation, with both caches, no outgoing requests would have to be made, and you would probably receive similar fast speeds as in the Go SDK. Making HTTP requests will always add an overhead. The Go Admin SDK can certainly be more efficient without a complicated setup because the Go application is running continuously and handles all incoming requests from clients. Due to the nature of PHP (usually running behind an Apache/Nginx), on each request, the PHP application gets loaded up in a fresh state, that's why we usually need a cache layer to share things between requests. Also, some time could be gained if HTTP requests would be made asynchronously instead of synchronously (in this case: fetching the user record and the Google Public Keys at the same time), but this SDK doesn't do that. I hope this made sense 😅 |
Beta Was this translation helpful? Give feedback.
-
@jeromegamez Thank you for your great explanation. Now I know how I can use cache and what In-Memory-Caches means. Currently I am not using any cache, still there is a lot of time differences with and without checking for token revocation (35ms vs 300ms), so I think there is some cache working. |
Beta Was this translation helpful? Give feedback.
-
Hi, I am using
$auth->verifyIdToken($token)
to validate client token. It takes 30-35 MilliSeconds. I want to know whether it is OK or I have implemented it in a wrong way. Same method take only 300 micro seconds in GO Lang. I have used below code.$factory = (new Factory)->withServiceAccount('../firebase-adminsdk.json');
$auth = $factory->createAuth();
$verifiedIdToken = $auth->verifyIdToken($token)
Beta Was this translation helpful? Give feedback.
All reactions