JWT: Firestore Auth makes use of the OAuth Grant Code Flow and uses JWTs (Json web Tokens) as access tokens. Such a token is signed by Google and consists of a few encoded fields including a valid-until field. This allows to verify access tokens locally without any database access.
The Firebase API requires an access token, it accepts two types:
- A custom created JWT, signed with the private key of a Google service account
- An access token from Firestore Auth, bound to a user (in this crate called "user session")
If you do not have an user session access token, but you need to perform an action
impersonated, this crate offers Session::by_user_id. This will again create a custom, signed JWT,
like with option 1, but exchanges this JWT for a refresh token and access token tuple.
The actual database operation will be performed with those tokens.
About token validation:
Validation happens via the public keys of the corresponding Google service account (https://www.googleapis.com/service_accounts/v1/jwk/service.account@address).
The public keys are downloaded and cached the very first time you create a credentials::Credentials object.
To avoid this roundtrip on start it is strongly recommended to use the Credentials::new(..) function
to create the credentials object. Find more information further down.