Ok not an expert on server side coding and stuff but have a basic understanding. Here is my question;
I have firebase triggers setup on cloud functions
Now there is a requirement that I need to communicate with external servers to retrieve some other data
So I use HTTPS triggers and I followed tutorials and managed to use express and other middlewares to get the job done
The problem is, I don't think I understand how these HTTP triggers are authenticated. I obviously want only the authenticated users to make a call to these end points and my users are either iOS or Android users.
What i have already found out:
I followed the code sample in this link: https://github.com/firebase/functions-samples/blob/master/authorized-https-endpoint/functions/index.js but I have one question
It says The Firebase ID token needs to be passed as a Bearer token in the Authorization HTTP header like this: Authorization: Bearer <Firebase ID Token>
Is this token passed automatically from iOS and android clients or do I need to manually call some FirebaseAuth get token function in the mobile SDKs and manually created this authorization bearer as a part of my request url?
You need to manually call a Firebase API to get a token to pass to your backend.
This process is documented fairly thoroughly in the documentation for the Firebase Admin SDK, which you would use to verify ID tokens. That link will give you examples for Android and iOS.
The code sample you linked to also has client code for web that does the same.
Related
Im developing a backend for mobile which is using Firebase for authentication and authorization. When the mobile ends the authentication process it sends through http methods to my backend an idToken signed by Google, which then I verify the signature and payload of the provided idtoken.
Is there a way to get the idToken from Google Firebase Console?
At the time I only figured out how to get it from mobile through a method called getIdToken for Kotlin. I can't keep getting the token this way, I need to do it without the mobile.
Thanks!
There is no server-side API to get ID tokens of your users from Firebase Authentication. You will have to get it on the client, and pass it to your server to be verified, exactly as you already seem to be doing.
That is also the process that the Firebase services and SDKs themselves follow, so you might want to reconsider whether this is feasible for your use-case too, or edit your question to better explain why it isn't possible.
I'm using firebase rest API and I'm trying to imitate firebase.auth().signOut(). I imagine I would go ahead and invalidate the firebase ID token. Is that the proper way to do so or should I just let the token expire on its own?
Just delete the client token from memory and storage so that it doesn't get used again. That's basically what the client SDKs will do. The backend doesn't retain any sense a user being signed in - either the token is valid for some API call, or it is not.
You can see for yourself what the client SDKs do, since they are all open sourced. The JS SDK can be found here.
I am currently facing the following situation.
Sending Firebase Messages via HttpCall via the google API endpoint:
https://fcm.googleapis.com/v1/projects/projectName/messages:send
Here we have to use OAuth2.0 with a valid Bearer Token like discussed in this question:
What Bearer token should I be using for Firebase Cloud Messaging testing?
After following these steps I was able to send Firebase Messages via the google API.
Now I would like to get the Bearer Token via a HttpCall without doing the manual step with the Playground https://developers.google.com/oauthplayground.
I cannot find any documentation on how to "Exchange authorization code for tokens" via simple HttpCall. I have no possibility to implement any code because I would like to send Firebase messages inside a "Dataverse Cloud Flow/PowerAutomate", therefore no possibility to load any external DLL (like the Firebase Admin Dll, which would implement this functionality).
I am not,looking for a solution which depends on external Dll like https://firebase.google.com/docs/database/rest/auth#authenticate_with_an_access_token or Pre-RequestScript
Any help is appreciated
What you are after is fundamentally not possible, since you can't hook the result of the bearer token into the same URL process to send messages. By the sounds of it you are unable to fetch one URL, process the results from that URL to pass onto the other which is what the REST API would do.
As such, you will need a secondary service that you can simply send messages to and it will invoke the Message and authentication for you, a bridge as you will. You can use Firebase Cloud Functions with an onRequest call or a simple express server on a Google Compute Engine instance (f1 free tier).
Then you can send your message request from your service to this bridge which will authenticate for you and send the message, it would be a fairly simple script to implement, specially with the admin-sdk.
I want send notifications to mobile app. For that I need JWT tokens.
In all Google's documentation says that I should use Admin SDK for obtaion tokens, but i can't do it.
How to obtain access and refresh tokens without Google's libraries?
I need URL, HTTP method and request payload.
After 3 days of searching, I found a solution in the documentation:
https://developers.google.com/identity/protocols/oauth2/service-account#jwt-auth
I have read this page a few times it implies and does not imply that if I enable authentication when deploying a Cloud Run instance I can use Firebase Auth to get through to the service.
I tried passing in a valid Firebase user idToken and did not get through. Was I doing something wrong or is the only way to get through to Cloud Run when Authentication is enabled to use google sign in?
Steps to reproduce:
When deploying to Cloud Run select Yes for authenticated
Generate a firebase auth token using REST call from here
make api call to Cloud run instance using header bellow and ID_TOKEN from step 2 above
Authorization: Bearer ID_TOKEN
According with the comment, the use case is to authorize only the registered, and the authenticated user (with Firebase auth), to use a Cloud Run endpoint deployed privately.
You can't do it directly, you need to use an additional layer. Here I propose to use Cloud Endpoint. I wrote an article on this to set up an authentication with API Key.
You have the principles of Cloud Endpoint there. You simply have to change the security definition from API Key to Firebase auth. You can found documentation here
Note: The authentication methods can evolved the next quarters. Stay tuned