I am using authentication for oauth login of multiple domains in one firebase project. Currently, there are about 4 approved domains, but more may be added.
I know that using firebase in a web app requires putting some public config keys in the front end code and that its safe to do so. But I am confused about how firebase would prevent malicious people from just copying those config keys and pasting them in their own sites and initializing the firebase analytics sdk there to try to spoil my analytics data.
In firebase auth, we also give some whitelisted domains and authentication services are only allowed on those domains by firebase. So even if we try to access those auth services from another domain, firebase won't allow it.
So how will firebase differentiate in case of analytics? If the same config keys are put in webpages on two sites abc.com and xyz.com and abc.com is my actual site whose traffic is supposed to be tracked, how will firebase know and discard data from the bad website xyz.com if the person who created xyz just copied my config from my front end code and initialized firebase.analytics() on their site to spoil my analytics?
According to the docs, Google Apps domain administrators can grant service accounts domain-wide authority to access user data on behalf of users in the domain. My understating is this gives service account authority to access data for all users inside the domain. Is there a way to restrict which users service account has access to? If yes, how? Additionally, is there a way to create a "Project" within an existing Organization Unit so that I can move users within that project and then within a service account so that only a list of email accounts that are placed in it.
For example, an application that uses Gmail API and Google Calendar API to view events from the email and calendars of specific list of users in a Google Apps domain.
Can google apps administrator authorize application for access to some but not all users?
For Firebase local it states "An explicit sign out is needed to clear that state. Note that Firebase Auth web sessions are single host origin and will be persisted for a single domain only."
Is there any way for logins to be persisted for multiple domains with one login?
"Authentication requests to Firebase Simple Login are only permitted from domains you specify." and the two default domains are "localhost" and "127.0.0.1".
Let's say that my server's IP is "267.156.423.22". How do I setup my security rules so that that the two first domains can read specific data, but only the server can write it?
For example, if a client purchases a product, this fact and associated data needs to be noted on the client's account in the Firebase. For obvious security reasons this information must be 'writeable' by the server only.
The authorized domains configuration for Firebase Simple Login applies solely to OAuth-based authentication providers (Facebook, Twitter, and GitHub), and restricts requests to those origins in the browser.
That means if you're using one of those OAuth-based authentication providers, you'd want to enter in any origins which your end users will use to access the page (i.e. if your user accesses the page via subdomain.example.com, that'd the be origin to enter).
Keep in mind that Firebase Simple Login is built on top of that standard, one-size-fits-all custom login / token generation in Firebase. It is an abstraction layer intended to make it easy to generate Firebase Auth. Tokens, a secure way of sharing data between you and Firebase.
Once a token has been generated (via Simple or Custom login), you can begin using that token's payload in your security rules (via the auth variable). If you'd want your server to bypass security rules, simple generate a token with the admin privilege, or your Firebase secret. See https://www.firebase.com/docs/security/security-rules.html for more details.