I have a project that requires the usage of login via Facebook and Google, so I picked Firebase to speed up the process of authentication; However, the user must also be able to login via LINE(a messaging app popular in SEA).
Currently, I have implemented:
Line Login-> Finish Login -> Redirect to Cloud Functions -> Verify Line's Access_Token -> Create a User In Firebase from LINE's ID Token -> Create Custom Token from Firebase User
All that's left is to implement signInWithCustomToken and then get the idToken from firebase to send to my api for authorisation.
Now, the signIn process should be handled by the client side, but I am not sure how to pass the customToken to the client side(Our backend api and frontend client is separated).
I could pass it in a query param as I redirect the user to the frontend, but I am not sure if that's the best way to go about it.
What should I do?
After the user has logged in to LINE, it redirects to any link you set
for it to redirect to with the url params being the authorisation code
and state, so ?code=xxxxxx&state=xxxxx ... I decided to use cloud function to be the redirect url for the LINE Login
If I understand correctly, instead of directly redirecting LINE to the Cloud Function, you should probably redirect to a page of your web application which, in turns, calls a Callable Cloud Function (passing the code and statevalues as arguments).
This Cloud Function verifies the token as well as creates a user in Firebase and when this is done, sends back the token to the page of your web application. You then have all the elements to call the signInWithCustomToken() method.
Related
Since there is no way to implement a complete OAuth2 flow in Flutter web (because of this issue), I'm using a cloud function as the callback listener. The process is initiated by the user in the web app and, instead of the web app listening for the callback, the redirect url is that of a cloud function that unpacks the token and stores it in Firestore.
What would be a good way to relate the request the auth server makes to my cloud function to the individual user which is registered in my app's database? In other words: how does the firebase cloud function know for which user in Firestore to store the access token?
My idea is to make another wrapper function that gets called from the web app when the user initiates the flow (receiving the user id as parameter) and have the function that receives the token from the external service also call this wrapper function, but this doesn't scale well (if you have multiple users at the same time, it could misplace each other's tokens).
I am implementing Firebase OAuth with Twitter in a Game Maker app.
Note that Game Maker does not support SDKs so I am using 3-legged OAuth sign-in with REST.
After redirecting the user to the sign-in page for Twitter, I don't know how to handle the callback to the firebase URL and get the authentication data back to my Game Maker client.
I got the first step of the sign-in working, which is the POST oauth/request_token request to api.twitter.com; in the response I'm receiving oauth_token, oauth_token_secret and oauth_callback_confirmed.
After that, I'm opening the following URL in the user's browser: "https://api.twitter.com/oauth/authenticate?oauth_token=[oauth_token]"
That sends me to the Twitter sign-in page, which then redirects to the callback URL set in Firebase (and whitelisted in the Twitter dev console): "https://[APPNAME].firebaseapp.com/__/auth/handler" with the oauth_token and oauth_verifier query parameters.
The guide says this about this step of the 3-legged sign-in:
Upon a successful authentication, your callback_url would receive a request containing the oauth_token and oauth_verifier parameters. Your application should verify that the token matches the request token received in step 1.
I don't know how to reiceve the request to the callback_url and process it. Is it something I'm supposed to do from Firebase itself? Is my Game Maker client supposed to do it with a GET request? I have no clue.
I ended up setting up a Cloud Function as a callback.
This way I am retrieving the response directly from the function and storing the data/errors in the database.
In my firebase (Angular) app, I'm using firebase authentication to log a user in via their Google Profile. As part of this process, the user gives me permission to access their gmail account (scope 'https://www.googleapis.com/auth/gmail.compose').
After the user has logged in this way, I want to configure the "gapi" google javascript SDK so that the "signed in user" is the user signed in via firebase auth. Here's where I'm having trouble.
It appears that I need to set the client token for the gapi sdk like so gapi.client.setToken(userAccessToken) and the token needs to be set before the gapi client is initialized. Attempting to do this doesn't seem to work however (a call to gapi.auth2.getAuthInstance().isSignedIn.get() returns false when it should return true).
I also can't figure out a way of changing the "signed in user" if the firebase user logs out and a new one logs in. This is because, again, the gapi client seems to require the gapi.client.setToken() be called before the client is initialized, and I can't see any way of re-initializing and already initialized gapi client.
I can get the gapi client working if I use the gapi client's own gapi.auth2.getAuthInstance().signIn() method, but then the user is asked to sign in to my app twice using (from the user's perspective) identical google login popup boxes (one prompt originating from firebase auth and the other from the gapi client).
Does anyone have any suggestions / tips? After someone logs in via firebase auth I can get access to their userAccessToken, I just can't figure out how to programmatically pass that to the gapi client in a clean way.
Ideally:
on application load the gapi client would also load and initialize.
When a user chose to sign in, I would be able to use Firebase Auth to log someone in via their google profile, then get their access token and pass it to the gapi client to make google api calls.
If the firebase user ever logged out, I would clear the gapi client's api token.
If a new firebase user logged in, I would re-set the gapi client's api token.
I have come upon a placeholder (i.e. non-ideal) solution to this problem by following this S.O. answer.
In short, the GAPI client does not seem to let you manually pass it an access token, but the firebase auth client does let you manually pass it an access token. So, instead of handling authentication with the firebase sdk and passing the token to the GAPI client, you need to do the reverse and handle authentication with the GAPI client and then pass the token to the firebase SDK.
i have built a webapp using angular material and firebase functions + realtime DB as the backend. I am using slack "Sign in with Slack" API oauth flow. All works well and i am able to generate a accessToken in the backend which i can store against the user in the realtime DB. Once that is done i make a redirect call to my angular app on the dashboard page. Currently i am passing userid in the redirect url which i use to drive user to dashboard and show his data.
This functionally works fine but is a big security issue. As i can directly type the redirect url and boom. I am in the dashboard.
So, how do i solve this? What should i be doing in the url redirect that is secure and validates the response is the the result of a valid request?
I am not familiar with the Slack OAuth SDK but in general, this is true for all OAuth providers. Ideally, at the point where you redirect to your callback URL with the slack authorization code and you exchange the auth code for a Slack access token before returning that access token to the client, you call the Slack API to get the Slack user ID with the access token and then mint a Firebase custom token with that uid. You then return that custom token to the client and signInWithCustomToken. Make sure you are checking the state field (which you set when started the Slack sign in) along with Auth code to verify that the flow started and ended on the same device.
I have following use cases:
I have cloud functions which are accessible with HTTP endpoint and they use authorization using custom token because the app is only accessible with certain IPs stored in RTDB so I have created one cloud function with will generate a custom token after signing in user using firebase client SDK and then it will create a custom token using admin SDK after checking IPs which are stored in RTDB.
Now with every subsequent call client will send token and functions will serve the request.
I have event listeners bound with the RTDB on a client and use file upload using client SDK which client initialize with firebaseApp.auth().signInWithCustomToken(custom token).
On the function side I use the same sign in the method that also utilizes my firebase SDK and then I serve that request. The problem here is this sign in the method is very slow like it is taking generally more than 1 second only in sign in.
Alternative
Now alternative is I can use id token which can be created using currentUser.getIdToken() on the client side itself and it takes barely few ms to decode that token but I cannot initialize SDK with that token. so I have to use admin SDK but my IP node in RTDB is not accessed by the normal user and can only be accessed with admin SDK, so if I use ADMIN SDK with Control Access with Custom Claims and Security Rules to give admin SDK similar access that the authorized user has then IP node will not be accessible.
Issues with id token
Id token can be refreshed on the client side so once a client has a custom token, It can generate as many tokens it wants and that is not desirable. Apart from that validating IP everytime is not the operation that I wanted to do so with custom token I only use that in generating a custom token and then for a refreshing token but with id token, this would not be possible as the client can generate it with SDK.
Basically, I have to use firebase SDK on the client side which will need custom token(for additional authorization check) to initialize and at the same time I call the clound function from the similar app so what is the best way to implement this use case.