I'm trying to implement OAuth 2.0 device authorization for a Firebase project that uses the Email / Password provider for sign in.
In a response from a previous question I was able to test device authorization using a Firebase Device Flow project and the Github and Google providers successfully.
For each of these providers there is an endpoint that is used to request a device code:
Google https://oauth2.googleapis.com/device/code
Github https://github.com/login/device/code
Facebook has the following endpoint, which I have successfully tested:
Facebook https://graph.facebook.com/v2.6/device/login
Is there an equivalent device code authorization endpoint for the Email / Password provider?
EDIT: Looking at the firebase auth library I don't see a credential method that takes an access token. This implies perhaps this isn't possible. Perhaps something could be built to use the credentialWithLink method; an email would be sent with device id and the sign in would enable the polling client to receive a response with a link.
I ended up building the infrastructure myself by setting up:
Endpoints: to get a device token, sign in to validate the device code, get a custom user token for a device token
Website: for the user to enter in credentials to send to validate the device code
Client app: to request the device token, show the qr code and poll for the user token and swap the custom token using the firebase auth method signInWithCustomToken
I used firestore to store the device tokens and update them with the uid, expiry timestamp and verification state with each step.
Related
I am working on project using Next JS + NextAuth package. For user authentication we are using NextAuth with Custom Credentials provider. I am making a sign in REst API request to Firebase to get the user logged in and saving all necessary bits like Firebase tokens(access and refresh) in JWT.
The flow works.
Where i am stuck: Changing user password.
Password change is pretty straight forward using firebase client SDK. But I am using Firebase API:
https://firebase.google.com/docs/reference/rest/auth#section-change-password
the flow to change password requires:
Provide latest access token in API request above.
If the latest Access token is not provided, the API would send back error like: TOKEN TOO OLD or RE AUTHENTICATE
So this to work, we need to reauthenticate the user prior to making that change password request.
What I have managed to do:
When user request password change, user needs to provide current password.
Using the current password, i would re sign in user using API end point:
https://firebase.google.com/docs/reference/rest/auth#section-sign-in-email-password
This would work but now I need to update the latest access token in the JWT using NextAuth.
At this point i am stuck:
Refreshing the JWT using Next Auth; as soon as the user is re-signed-in and again when password is changed and new access token is sent back from Firebase.
When I try to refresh the JWT with new access token (etc) token using NextAuth client side callback: https://next-auth.js.org/tutorials/refresh-token-rotation
The application breaks due to access tokens are not synced on JWT and on firebase.
Questions:
Is my flow correct changing the user password?
Is there better way of doing this?
Any help is appreciated. Thanks
We are migrating users to the Firebase and for specific app reasons I need to create a verify token on the backend side.
So the schema is next -
I receive the user email and password from the user. Passing it to
the backend.
Backend generates a verify token, retrieves all the
info from Firebase, and informs the user.
I'm looking for some way to do it with firebase SDK, but I don't see any option.
i have built a webapp using angular material and firebase functions + realtime DB as the backend. I am using slack "Sign in with Slack" API oauth flow. All works well and i am able to generate a accessToken in the backend which i can store against the user in the realtime DB. Once that is done i make a redirect call to my angular app on the dashboard page. Currently i am passing userid in the redirect url which i use to drive user to dashboard and show his data.
This functionally works fine but is a big security issue. As i can directly type the redirect url and boom. I am in the dashboard.
So, how do i solve this? What should i be doing in the url redirect that is secure and validates the response is the the result of a valid request?
I am not familiar with the Slack OAuth SDK but in general, this is true for all OAuth providers. Ideally, at the point where you redirect to your callback URL with the slack authorization code and you exchange the auth code for a Slack access token before returning that access token to the client, you call the Slack API to get the Slack user ID with the access token and then mint a Firebase custom token with that uid. You then return that custom token to the client and signInWithCustomToken. Make sure you are checking the state field (which you set when started the Slack sign in) along with Auth code to verify that the flow started and ended on the same device.
In our app we use Firebase Cloud Messaging to send push notifications to our users. We save the registration tokens of our users in our SQL database and when a user logs in or out we use the Firebase API to manage his topic subscriptions.
This works out pretty well in most of the cases but now the topic subscriptions return the following error for some of our registration tokens:
The provided registration token is not registered. A previously valid registration token can be unregistered for a variety of reasons. See the error documentation for more details. Remove this registration token and stop using it to send messages
In which cases does Firebase delete previously registered registration tokens? I can not find any specific information about this in the error documentation.
Thanks for your help!
From the documentation:
A previously valid registration token can be unregistered for a variety of reasons, including:
The client app unregistered itself from FCM.
The client app was automatically unregistered. This can happen if the user uninstalls the application or, on iOS, if the APNS Feedback
Service reported the APNS token as invalid.
The registration token expired. For example, Google might decide to refresh registration tokens or the APNS token may have expired for
iOS devices.
The client app was updated, but the new version is not configured to receive messages.
from the below image in firebase docs they are saying that when user sign to app send their sign-in credentials with username(email) and password, they said that response will contain a custom token but for me in the response only showing access token and refresh token, if we use any of these two token for signInWithCustomToken getting an error of invalid token, please pull me out of this issue
Thanks in advance
I think you are misunderstanding this. For custom auth, you are typically using your own auth system and not Firebase. Following the docs, they assume you are using your own username/password auth system. In that case, you send both to your backend server. You verify the credentials (username, password) in your own auth system. If they are legit, you lookup the user id in your auth system database, you then use the Firebase Admin SDK createCustomToken(uid) to mint a custom token with that uid. You send it back in the response to the client. The client will then call signInWithCustomToken to complete the sign-in.