I'm working on the custom express API based on the single Cloud Function and I'd like to secure the endpoints with the authentication. I'm aiming for implementing the API key flow and OAuth 2.0 authorization code flow. In my endpoint functions I'd need to obtain the user id somehow and I was wandering how can I archive that. Should I mix Firebase Token (createCustomToken) with these auth flows? e.g in the API key flow when user generates a new token on the frontend then on the backend I should create a Firebase Token instead of custom hashed token and store it in db?
Any ideas how to do it properly, maybe are there any other/better ways to retrieve the uid?
Related
I need to use the authentication service from firebase. but use my existing authorization service.
Can i use user token, sessions info from firebase.auth().onAuthStateChanged(function(user) {})
what is the best way/ways to manage these kind of use cases.
Should i also store my user details cookies, token etc?
You can implement a custom provider for Firebase Authentication. In this process:
You sign the user in to your service with their credentials as usual.
You then mint a token based on the user's profile.
The user then uses that token to sign in to Firebase.
The entire process is quite well documented on the links I included above.
In the Symfony Lexik JWT Authentication bundle, It is explained how to authenticate users using a table in the database.
In my case, My users aren't in the database but are in another application that I can access via API calls.
Also, to retrieve the users from this API, all I have to do is send a token associated with every user and get his information.
This token is well handled and is unique for each user.
How can I change the way LexikJWTAuthenticationBundle authenticate users using this API instead of the database.
And after this authentication, I want the JWT token to contain all the user information so I won't have to call this API each time a request is made to my application.
I made this diagram to explain my situation:
I tried from my side building a custom ApiUserProvider and an ApiUserAuthenticator but I am struggling to get this working.
Any help?
Here's described how to manually create JWTs for users: https://github.com/lexik/LexikJWTAuthenticationBundle/blob/2.x/Resources/doc/7-manual-token-creation.md you should be able to use that in your endpoint which authenticates the user, and return your own JWT.
The firebase javascript client SDK has sustained access to, say, a facebook oauth token. My understanding is an app can just call firebase.auth.FacebookAuthProvider.credential() and if it is signed in, it will receive a facebook access token with which it can do API calls. The key point here is that the token is not stored in my database, but in firebase auth, securely.
I want my back-end to be able to make these API calls on behalf of my app. why can't I call admin.auth.facebookauthprovider.credential() to retrieve the token?
Please note I will actually be implementing this for Slack oauth. At the moment, I will otherwise have to encrypt Slack tokens in my firestore DB. This instagram firebase example does that, and I feel it defeats the purpose of firebase auth
I have following use cases:
I have cloud functions which are accessible with HTTP endpoint and they use authorization using custom token because the app is only accessible with certain IPs stored in RTDB so I have created one cloud function with will generate a custom token after signing in user using firebase client SDK and then it will create a custom token using admin SDK after checking IPs which are stored in RTDB.
Now with every subsequent call client will send token and functions will serve the request.
I have event listeners bound with the RTDB on a client and use file upload using client SDK which client initialize with firebaseApp.auth().signInWithCustomToken(custom token).
On the function side I use the same sign in the method that also utilizes my firebase SDK and then I serve that request. The problem here is this sign in the method is very slow like it is taking generally more than 1 second only in sign in.
Alternative
Now alternative is I can use id token which can be created using currentUser.getIdToken() on the client side itself and it takes barely few ms to decode that token but I cannot initialize SDK with that token. so I have to use admin SDK but my IP node in RTDB is not accessed by the normal user and can only be accessed with admin SDK, so if I use ADMIN SDK with Control Access with Custom Claims and Security Rules to give admin SDK similar access that the authorized user has then IP node will not be accessible.
Issues with id token
Id token can be refreshed on the client side so once a client has a custom token, It can generate as many tokens it wants and that is not desirable. Apart from that validating IP everytime is not the operation that I wanted to do so with custom token I only use that in generating a custom token and then for a refreshing token but with id token, this would not be possible as the client can generate it with SDK.
Basically, I have to use firebase SDK on the client side which will need custom token(for additional authorization check) to initialize and at the same time I call the clound function from the similar app so what is the best way to implement this use case.
Mainly token are used for authentication but firebase provides different
Sign-in providers like email and password, Facebook, Google, GitHub and Anonymous for authentication. Then what are this tokens used for?
Can anybody guide me to a use case where this custom tokens are useful?
Here's where I got to know about this Custom tokens:
https://www.youtube.com/watch?v=VuqEOjBMQWE&t=93s
https://firebase.google.com/docs/auth/admin/create-custom-tokens
Custom tokens are used when you want to use a Custom Auth System:
You can integrate Firebase Authentication with a custom authentication
system by modifying your authentication server to produce custom
signed tokens when a user successfully signs in. Your app receives
this token and uses it to authenticate with Firebase.
For example: Let's say you're developing an app that needs authentication, but you don't want to use the Auth Providers that Firebase supports (Google,Twitter,Facebook,etc). Let's say you want to use Instagram Auth.
Since Instagram Auth is not provided by Firebase you can't set your Realtime Database rules to auth!=null. You'll probably set it to public, which means that anyone can access your data and this is an obvious security risk(Your database is not safe at all).
So what you can do is create your custom auth system that allows a user to authenticate with Instagram and then give him a Custom Token. The user will then use this token when signing in to your Firebase App, and he will be recognized on Firebase Authentication. Which means that he can now access data that is protected by auth!=null. Your database no longer needs to be public.