The KeyStorer cache key is the same for both idToken and sessionCookie verification despite both needing different keys
idToken fetches from https://www.googleapis.com/robot/v1/metadata/jwk/securetoken@system.gserviceaccount.com
sessionCookie fetches from https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys
If we have idToken keys in cache, verifying a cookie fails with "Firebase session cookie has "kid" claim which does not correspond to a known public key. Most likely the session cookie is expired, so get a fresh token from your client app and try again."
If we have sessionCookie keys in cache, verifying an idToken fails with "FirebaseAuthError: Firebase ID token has "kid" claim which does not correspond to a known public key. Most likely the ID token is expired, so get a fresh token from your client app and try again."
A solution would be to use separate cache keys for idToken and sessionCookie JWKs, maybe using a suffix of PUBLIC_JWK_CACHE_KEY
The KeyStorer cache key is the same for both idToken and sessionCookie verification despite both needing different keys
idToken fetches from https://www.googleapis.com/robot/v1/metadata/jwk/securetoken@system.gserviceaccount.com
sessionCookie fetches from https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys
If we have idToken keys in cache, verifying a cookie fails with "Firebase session cookie has "kid" claim which does not correspond to a known public key. Most likely the session cookie is expired, so get a fresh token from your client app and try again."
If we have sessionCookie keys in cache, verifying an idToken fails with "FirebaseAuthError: Firebase ID token has "kid" claim which does not correspond to a known public key. Most likely the ID token is expired, so get a fresh token from your client app and try again."
A solution would be to use separate cache keys for idToken and sessionCookie JWKs, maybe using a suffix of
PUBLIC_JWK_CACHE_KEY