I have a public service running on cloud run that uses firebase auth (OAuth2) tokens with custom claims (eg admin=true) for authorization. I would like to use the same service to host an endpoint that can be triggered by cloud scheduler.
But in cloud scheduler, I can only select to use an OIDC token. Can I somehow add a custom claim to this OIDC token? Or am I doing someting fundamentally wrong here?
I know I could just host a separate cloud run service that is not open to public and only contains that one endpoint, but this feels a but overkill, since when I do that, I either need to duplicate a lot of code from my existing service to the new service or use it as a "mediator-endpoint" that creates said token for me and then calls the public service, but again, this feels a bit stupid... What are my options here?
Related
I am using firebase firestore as datastore for my web based application. The application has 2 different actors.
Supervisor: logs in via a common password set for all supervisors plus the ability to generate unique codes.
User: logs in via the unique code generated by the supervisor.
I am using cloud functions to do the heavy lifting for both actors. Now these functions are protected with cors and whitelist for origins.
I am trying to secure the routes created with cloud functions with a Auth Middleware relying on the concept of if the request is not from authenticated account or not.
I have created a email and password accounts for both actors for the frontend section of my application.
The question is if I am to go with firebase Auth api to get the refresh token and use it as jwt in the Middleware, will it be an issue since let's say 100 supervisor are connected and performing some tasks, and the same thing for the second actor ? Because after examining the refresh token it contains the uid of the account authenticated and using the same account for multiple connection is the blocking stone in this scenario.
the point of a token to be used in every operation is to validate the origin of the request
Firebase Authentication uses ID tokens to verify the user's identity, not the origin of requests. A malicious user in your scenario can get the credentials from the app, and use them in their own code - calling APIs on your Firebase project.
If you want to only allow calls from your own app, consider using the new App Check feature of Firebase.
I'm building a social media app with a focus on group chatting. I am working on creating a new user. Firestore provides this function to begin the process of creating the user from the client:
auth.createUserWithEmailAndPassword
However, I read that it's safer to try to minimize what lives on the client side and do most of the app's work on the server side. Should I use the function above (on the client) or should I make a custom function that passes the email and password to the server and create the user there?
Firstly, auth.createUserWithEmailAndPassword is not a Firestore method. It's a Firebase Auth method. Firestore is a database, Firebase Auth is an authentication service. It's good not to mix up their responsibilities.
The options you're proposing are not, in practice, any different in terms of security. That's because the Firebase Auth service provides a public REST API for creating new user accounts that's accessible to the world if you've enabled email and password authentication for your project. It doesn't really matter if you invoke that from a frontend or backend - the net result is the same.
Do whatever you find most convenient. Firebase Auth was designed so that users can create their own accounts using the authentication providers that you enabled. Adding another backend service to that seems to just add more work for no extra benefit.
I am new to Spring Boot and Firebase. I have generated REST endpoints from my model and repositories using spring-boot-starter-data-rest.
I also created a front-end application (front is a SPA written in React - back works with Spring boot - these are 2 separate apps).
My front-end app contains a login form and I use the Firebase JS SDK to authenticate the user and get an ID token for him.
Now I would like to add authentication to my endpoints so only authorized users can reach them, using the token I get in the front-end app.
I can put the token in the Authorization header of each request, but I dont't know how to:
Extract and check the token in Spring Boot, in order to get user information. I saw this, is this ok?
Pass the user information to the endpoint methods (currently I got no controller, since they are generated from the repositories (they extend PagingAndSortingRepository or CrudRepository))
Specify which endpoints are public and which are private (using WebSecurityConfigurerAdapter I guess).
Also, some endpoints could be accessible only by some users. But I saw nothing in Firebase that allows me to distinct user grants.
I have read several tutorials but I have not enough details to understand everything, and they do not answer all my questions.
Thanks
This is my first GAE app so please let me know if my approach is wrong. I have knowledge of Flask and have used Flask-Login before for my authentication needs. With GAE, it seems they suggest to use Firebase. Mine is not a SPA but I wanted to use Firebase UI and let it handle all the user authentication part.
Looking at the examples here https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/appengine/standard_python3/building-an-app/building-an-app-3/static/script.js#L42 , i can verify the token server side using the Python Admin SDK. https://firebase.google.com/docs/auth/admin/verify-id-tokens#python or a more developed example https://firebase.google.com/docs/auth/admin/manage-cookies#python . I am able to do this but I am a bit confused about the flow later on.
In the same example, they suggest to store the token (or some part of claims) as secured cookie. This is similar to how Flask Login also stores the cookie and then we verify the cookie in every request - but since in the case the backend is local REDIS or any storage, the validation is not expensive. But when using Firebase, it seems we will have to call Firebase for every api call to validate the token.
Otherwise, it could that be that user has changed their password or reset something in their Google/Facebook provider and we wont know at our server till we validate things at the provider end. This also prevents us from developing locally offline (or we write some logic to specially handle local development).
Whats the best way to solve this?
You can use the Firebase Admin SDK to manage users or to manage authentication tokens, according to the official documentation – marian.vladoi
I have a firebase web app calling my Python API.
the user who is using my app does not need to login to use it but I still need to make sure that this request coming from my application
How can I verify the identity of the app sending the request?
There is no way to enforce that calls can only come from your application. In a database that is directly accessible from the internet, that is simply not possible. Anyone who can use your web app, can take the configuration data from that app and use the Firebase API to make their own calls.
That's why it's important that you enforce all business rules that you have for your database in Firebase's server-side security rules too. You can use these to enforce data structure, and (when combined with Firebase Authentication) ensure that all data access is authorized.
You can use Firebase Authentication without requiring your users to enter credentials by using anonymous authentication. This essentially gives your user a unique ID, that you can then use to identify that user (and the data they create) in security rules.