When I generate a token using createCustomToken from Firebase admin sdk, how can I verify that is the valid token without using the SDK again?
I assumed its a valid OAuth token but I can not find the signing key and therefore check the integrity. I use Firebase Auth for storing the token and the admin sdk.
Custom Tokens created with the Firebase admin SDK are signed using a service account. In the default setting the service account email has the form firebase-adminsdk-bh96s#<YOUR_PROJECT_ID>.iam.gserviceaccount.com.
Under https://www.googleapis.com/robot/v1/metadata/x509/<service account email> you will find the corresponding public keys.
See also https://firebase.google.com/docs/auth/admin/create-custom-tokens
Firebase ID tokens are JWTs (JSON Web Tokens) and can be verified either with the Firebase Admin SDK, or with any other JWT parsing library.
Related
I'm working on the custom express API based on the single Cloud Function and I'd like to secure the endpoints with the authentication. I'm aiming for implementing the API key flow and OAuth 2.0 authorization code flow. In my endpoint functions I'd need to obtain the user id somehow and I was wandering how can I archive that. Should I mix Firebase Token (createCustomToken) with these auth flows? e.g in the API key flow when user generates a new token on the frontend then on the backend I should create a Firebase Token instead of custom hashed token and store it in db?
Any ideas how to do it properly, maybe are there any other/better ways to retrieve the uid?
I'm using Firebase Authentication as the authenticator for a .NET app.
I'm not using any other part of Firebase (eg. Firestore, Realtime DB) other than the Authentication.
When I log in using the firebase-ui to get a JWT token issued, it returns a "displayName" as part of the AuthResult which is basically the name field when the user first signed up.
I'm only using the Email / Password sign-in method. Where is this data stored? The Users tab on Firebase Authentication console only shows 5 fields - Identifier, Provider, Created, Signed In and User UID.
Is Firebase authentication storing the user fields like this in some sort of hidden place that I can't access unless I log in as the user?
Firebase Authentication stores user profiles in its internal database. Some of the properties are exposed in the Firebase console, but not all of them. You can get all documented properties through the Admin SDK.
I am using firebase mobile otp authentication. After successful authentication my android app receives a token which I have to verify on my django server. But while I was reading the docs of verifying this token, it comes out that if someone knows my firebase project-id, they can generate valid tokens anytime they want.
To get contec, look at the last method to verify firebase token at link
Isn't this quite risky, as once your firebase project id is known to someone, they can create fake tokens??
Also does custom authentication token help overcome this problem?
Thanks. Let me know if I have incorrectly understood the firebase token validation and it is not possible to create fake tokens once we know the firebase project-id.
ID tokens are signed by a private key owned by Firebase Auth. They cannot be forged. Note that the doc you've referenced also states:
Finally, ensure that the ID token was signed by the private key corresponding to the token's kid claim. Grab the public key from https://www.googleapis.com/robot/v1/metadata/x509/securetoken#system.gserviceaccount.com and use a JWT library to verify the signature.
A forged ID token will not pass the signature check.
The firebase javascript client SDK has sustained access to, say, a facebook oauth token. My understanding is an app can just call firebase.auth.FacebookAuthProvider.credential() and if it is signed in, it will receive a facebook access token with which it can do API calls. The key point here is that the token is not stored in my database, but in firebase auth, securely.
I want my back-end to be able to make these API calls on behalf of my app. why can't I call admin.auth.facebookauthprovider.credential() to retrieve the token?
Please note I will actually be implementing this for Slack oauth. At the moment, I will otherwise have to encrypt Slack tokens in my firestore DB. This instagram firebase example does that, and I feel it defeats the purpose of firebase auth
Mainly token are used for authentication but firebase provides different
Sign-in providers like email and password, Facebook, Google, GitHub and Anonymous for authentication. Then what are this tokens used for?
Can anybody guide me to a use case where this custom tokens are useful?
Here's where I got to know about this Custom tokens:
https://www.youtube.com/watch?v=VuqEOjBMQWE&t=93s
https://firebase.google.com/docs/auth/admin/create-custom-tokens
Custom tokens are used when you want to use a Custom Auth System:
You can integrate Firebase Authentication with a custom authentication
system by modifying your authentication server to produce custom
signed tokens when a user successfully signs in. Your app receives
this token and uses it to authenticate with Firebase.
For example: Let's say you're developing an app that needs authentication, but you don't want to use the Auth Providers that Firebase supports (Google,Twitter,Facebook,etc). Let's say you want to use Instagram Auth.
Since Instagram Auth is not provided by Firebase you can't set your Realtime Database rules to auth!=null. You'll probably set it to public, which means that anyone can access your data and this is an obvious security risk(Your database is not safe at all).
So what you can do is create your custom auth system that allows a user to authenticate with Instagram and then give him a Custom Token. The user will then use this token when signing in to your Firebase App, and he will be recognized on Firebase Authentication. Which means that he can now access data that is protected by auth!=null. Your database no longer needs to be public.