So I started a test project with Golangg which I expore different technologies and got into some google firebase for authentication provider for users. I implemented the flow with registering users which require user/password. After that I wanted to do login (only backend vie rest api) turns out you can't since go verify user by user/password you need the google sdk works with iOS Android Web C++ Unity. The only work around i could do is get user by ID which i saved in my db then issue custom token, which then needs to be verified by method
signInWithCustomToken
but this is not implemented in the Golang lib, you need to call rest api for this
https://identitytoolkit.googleapis.com/v1/accounts:signInWithCustomToken?key=[API KEY]
but there is a function for that in js. So if I only want to do the whole service backend I seems I can't do authentication with google Firebase.
How this whole flow should look like implementing only backend service?
i'm flutter-fire user since last fall
Note: The server client libraries bypass all Cloud Firestore Security
Rules and instead authenticate through Google Application Default
Credentials. If you are using the server client libraries or the REST
or RPC APIs, make sure to set up Identity and Access Management (IAM)
for Cloud Firestore.
Comment above is from link by firebase team. It sounds like 'server client libraries' or apis in the comment mean the requests from outside of my mobile apps, and they gon bypassing cloud firestore security rules. But when i tried the same get request with Postman with just same request from the one in my app without permission, the response in Postman console was fine, which means that there came a permission denied error.
So, here comes my question. I hope to know what types of requests exactly are equivalent to these 'server client libraries' or 'the REST or RPC APIs' mentioned in the official reference that bypass all the security rules. Postman is exactly 'the REST', and firebase worked as i wanted(produced permission denial) perfectly in this case. So there must be some specific types that firebase team actually intended to refer to be careful of.
I understand that firebase-admin sdk is one of the possible server side libraries, but exactly the same permission or auth procedures should be required when we tried to access firebase admin sdk which can control firebase data above the security rules just like firebase team commented. So the question is focusing on possible attackers' solutions to maliciously manipulate our firebase without the proper security procedures.
Hope some firebase gurus would give cool answers for the question with awesome knowledge and experiences! Thank you in advance [:
As their name indicate, the server client libraries are to be used from a server or from a "trusted environment" like Cloud Functions.
When interacting from your server (or your trusted environment) with the Firebase server APIs you don't authenticate as you would authenticate from a client application. Instead of using user accounts created through the Firebase Authentication service (e.g. email/password account) your server should use Google service accounts. More details here in the Firebase doc.
Note that for Cloud Functions, you initialize the Admin SDK with no parameters. In this case, the SDK uses Google Application Default Credentials (exactly as indicated in the documentation excerpt you mentioned in your question).
So, when your server (or your Cloud Function) interacts with the Firebase server APIs, since it is authenticated with a service account, the requests bypass all Cloud Firestore Security Rules. In other words, if you want to implement some check to allow/forbid specific operations based on specific parameters/values, you have to implement them in your code.
For the REST API, it is the same. The REST API can be used from a client application (a web app, a Flutter app, ...) or from a server.
Depending if it is a client or a server, you should authenticate by using a Firebase Authentication ID token or a service account (together with Google Identity OAuth 2.0 token), as explained in detail in the documentation.
So, when you make a request to the API with Postman without permission, as you did, the API detects that there is no Google Identity OAuth 2.0 token or Firebase Authentication ID token associated with the request and then the Security Rules are enforced => you get a "permission denied error".
In conclusion, if you correctly define your Security Rules you should not encounter any problem with "attackers maliciously manipulating" your database.
Note however that Security Rules only based on auth != null may not be sufficient to protect your data, as explained in this answer.
I have found the tutorial Using Firebase to authenticate users that explains how to authenticate users with Firebase to access different services.
However I haven't found how to enable Firebase login for the whole Google Cloud Endpoints portal page (like for example https://endpointsportal.ourproject.cloud.goog/).
How can I achieve this?
I think the only identity supported today is GCP meaning Cloud Endpoints Portal doesn't support 3rd party sign in. You can use Firebase to authenticate against the API, but not to log into the portal.
I'm working on a project where it was asked for all the authentication to be done in our own backend, that is, without the usage of the Firebase SDK that comes pretty handy. The email/password sign up/sign in are very easy as we pass the email and password but all the other authentication methods, such as Google and Facebook, require postBody which contains OAuth Credentials. How am I able to get that data from the client (which can either be a native app or a react web page)? I've googled and read the Firebase REST Auth page for more info but I didn't find much other than what I already know. I've tried to work around with OAuth Playground from Google but it didn't work as well so I thought that my best chance was asking on SO where people with more experience could answer me.
I can't figure out how to authenticate my IoT appliance to call Google Cloud App Engine APIs I've written using Firebase Auth.
We currently do this with our browser app using Firebase Auth tokens. We use the username and password to issue a token and then use that token during the life of the session to access APIs from our browser app.
This doesn't translate well to our IoT appliance as there is no username/password - so we are thinking we will need to use Firebase custom tokens. Unfortunately these tokens expire every hour - so we will need to use the Firebase Auth APIs to renew the tokens automatically - we think this is the way this works based on documentation.
A constraint we have is that this appliance doesn't have any user experience but instead needs to be able to restart at any time and reestablish it's authenticity with the server by retrieving a fresh token.
I'm having a hard time finding an example of how to do this - and I'm hoping someone can give me a simple example or some clear direction on how to keep a authentication token current while the appliance is on and establish a new one if it needs to restart.
Thanks!
Have you looked at Cloud IoT Core as an option? It handles the authentication piece for you without user/pass (uses JWT), and is designed for IoT. A quickie Cloud Function can bring your telemetry data into Firebase/Firestore very easily.
Another option would be to create a service account with permissions to write to AppEngine. Check out this link: https://cloud.google.com/docs/authentication/getting-started for some documentation on how to authenticate using a service account.