Was going through a blog about making auth0 and firebase work together. for keeping the firestore secured on the backend, authentication through firebase auth is a must. for that there’s a method of createCustomToken(token) and signInWithCustomToken(token) for signing in firebase. and that token is the id_token provided by auth0 while authenticating via it.
The blog instructed to get that id_token. So how do you get that?
Related
I'm working on a React native application and want to use Firebase auth token for the YouTube API.
firebase.auth().signInWithEmailAndPassword(
credentials.email,
credentials.password
).then( ()=>{})
What is the right way to achieve this?
The Firebase Auth token is a JWT, which is not a valid OAuth2 token that can be used for the Youtube API. If you want to access youtube, you'll have to sign in there separately with their documented authentication flow.
I can sign in users to Firebase using this HTTP API:
How do I sign out users, so that the Firebase idToken and refreshToken can no longer be used?
Also, how long is the refreshToken valid for?
If my user does not use my app for weeks, can I still use the refreshToken or will I need to get a fresh Google Sign In idToken and exchange it for a Firebase (idToken, refreshToken) pair via the /identitytoolkit/v3/relyingparty/verifyAssertion API?
I don't believe there is a sign out endpoint. You could try doing a redirect to https://accounts.google.com/Logout but I suspect that is signing out from all Google services which might not be a great idea.
The whole point of Refresh Tokens is that they can be used to access resources whether or not the user is present and signed in, so your comment "How do I sign out users, so that the Firebase idToken and refreshToken can no longer be used" is an oxymoron.
A Refresh Token is theoretically valid until a user specifically revokes it, but your app should code for the possibility that Google has expired it.
The client cannot directly revoke the ID token via the REST API, but both the Firebase Auth client SDKs (ex: Android) and the Auth Admin SDK do support it. So if your client platform isn't supported, but you are able to create a small server implementation (maybe through Firebase/Cloud Functions), you can create an HTTP endpoint that triggers ID token revocation.
i have built a webapp using angular material and firebase functions + realtime DB as the backend. I am using slack "Sign in with Slack" API oauth flow. All works well and i am able to generate a accessToken in the backend which i can store against the user in the realtime DB. Once that is done i make a redirect call to my angular app on the dashboard page. Currently i am passing userid in the redirect url which i use to drive user to dashboard and show his data.
This functionally works fine but is a big security issue. As i can directly type the redirect url and boom. I am in the dashboard.
So, how do i solve this? What should i be doing in the url redirect that is secure and validates the response is the the result of a valid request?
I am not familiar with the Slack OAuth SDK but in general, this is true for all OAuth providers. Ideally, at the point where you redirect to your callback URL with the slack authorization code and you exchange the auth code for a Slack access token before returning that access token to the client, you call the Slack API to get the Slack user ID with the access token and then mint a Firebase custom token with that uid. You then return that custom token to the client and signInWithCustomToken. Make sure you are checking the state field (which you set when started the Slack sign in) along with Auth code to verify that the flow started and ended on the same device.
The firebase javascript client SDK has sustained access to, say, a facebook oauth token. My understanding is an app can just call firebase.auth.FacebookAuthProvider.credential() and if it is signed in, it will receive a facebook access token with which it can do API calls. The key point here is that the token is not stored in my database, but in firebase auth, securely.
I want my back-end to be able to make these API calls on behalf of my app. why can't I call admin.auth.facebookauthprovider.credential() to retrieve the token?
Please note I will actually be implementing this for Slack oauth. At the moment, I will otherwise have to encrypt Slack tokens in my firestore DB. This instagram firebase example does that, and I feel it defeats the purpose of firebase auth
To get Google access token after firebase auth login, I know I can simply do this:
firebase.auth().signInWithPopup(provider).then(function(result) {
var token = result.credential.accessToken;
}
but what if the user is already authenticated and I need the token? is there any way to extract it from the Firebase auth?
I've been through every value of authState but I couldn't find the google access token I've been looking for.
You can't get the access token from the onAuthStateChanged listener or the currentUser. You can only get it immediately after authentication when calling signInWithPopup, reauthenticateWithPopup, linkWithPopup, getRedirectResult, etc. Firebase Auth does not manage OAuth tokens for users. If you feel strongly about this feature, please file a feature request for it on the Firebase forum: https://groups.google.com/forum/#!forum/firebase-talk
You can also just use the GApi library to get the Google access token and pass it to Firebase to sign-in via signInWithCredential. The advantage here is that GApi will manage that OAuth token for you.