I am building a Firebase application (using Firestore) which needs to support custom authentication via single sign on through a third party system.
In the past, I have done this type of integration with my own authentication system. To do this, I installed the Firebase Admin SDK on my own server and used the secret key to sign a JWT that was passed back to the client, which then could be used to grant access to the Firebase application.
However, since the Admin SDK grants full access to the Firebase app, I have concerns about handing those keys over to another party. Is there a way that I can provide a secret key that grants more limited privileges to the third party? I want them to be able mint JWTs for their users to access the app, but I don't want them to be able to directly read/write from my database.
I think I've solved this by taking the following steps...
1) Access the Firebase project's IAM admin tools
2) Create a new service account for the project in the "Service Accounts" section.
3) Create a custom role in the "Roles" section and give it access to all of the Firebase Authentication privileges: https://firebase.google.com/docs/projects/iam/permissions#auth
4) Assign the custom role to the service account in the "IAM" section of the admin interface.
5) Go back to the "Service Accounts" section and create/download a private key for this service account.
6) Use this key as the credentials for the Firebase Admin SDK and create a custom token using the process detailed here: https://firebase.google.com/docs/auth/admin/create-custom-tokens
The SDK should permit creating a custom token, but it will return errors when trying to do other actions such as accessing the project's database.
Related
Background
We are building an app which authenticates end user using Firebase Authentication (backed by GCP Identity Platform). At the same time, we leverage some Google API of which permission is set based on IAM Role/Principal. That means the API call is valid only if the caller calls the API with a valid access token of authorized IAM Principal.
According to Doug in this post: How to add Firebase auth user to GCP IAM access policy "IAM doesn't know anything about Firebase Authentication users."
Already tried: Add the Firebase user as an IAM Principal when it's created. It works only for the user signs in user Google account. Otherwise, IAM will throw error "Email addresses and domains must be associated with an active Google Account, Google Workspace account, or Cloud Identity account."
Question: Is there any recommended way to authorize Firebase user accessing Google API? Do I need to build a customized authorization layer in Firebase to keep track of who can access what. Then, use that as a guard to relay the requests to the underlying Google API only if the user is authorized by the authorization logic?
I would like to login to Firebase from an ERP system.
i.e. once logged into the ERP system, that login can be used to access a Firestore db.
The Firebase docs describe a common case: "Add an additional identifier on a user".
Is it possible to use this common case to login to Firebase from the ERP system?
Control Access with Custom Claims and Security Rules
User roles can be defined for the following common cases:
Add an additional identifier on a user. For example, a Firebase user could map to a different UID in another system.
If you want to use the users from an existing authentication system to authenticate against Firebase, you'll need to implement a custom authentication provider.
With such a provider, you:
Sign the user in with your existing system in a trusted environment (e.g. on a server).
You then use the user's credentials to mint a custom JWT token.
Send that token back the client, which then finally
Uses the custom token to sign in to Firebase.
At this point, the user is signed in to Firebase Authentication in the client, and their UID (and other properties from their token) are available in the Firestore security rules.
I am building a booking system and I am using firebase as the backend. The system has two parts:
the customer end which is an app.
the business end which is a website.
I am using the same firestore database for both and also using the same Firebase Authentication project.
So I need two sets of authentication sets one for the customer end and another for the business end.
I have added two apps in a firebase project for sharing the database. My issue is the users shouldn't be able to sign in at the business web app with their credentials and vise versa.
How can I create two sets of authentication details one for each app?
Authenticating a user with Firebase does not determine whether the user has access to anything app-specific. Authentication is merely a method where the user proves who they are.
You then use this information about the user to determine what they can do in your app(s), a process that is known as authorization. Authentication and authorization go hand in hand, but are still separate steps. And Firebase Authentication only takes care of the authentication part. Authorization is up to your app.
The typical approach to your scenario is to actually have only one set of credentials for each user. If the same user needs access to both the app, and the web site, they can sign in with the same credentials. Based on your knowledge of the user, you then grant or deny them access.
Most apps have a users collection with a user profile document for each user (using their UID as the key). Then after the user is authenticated your app could read the user's profile document and read for example two fields named isCustomer and isBusiness, to determine if the user has access to the app/site. You'd also use those fields in the security rules of your database to grant/deny access.
An alternative is to give each user profile in Firebase Authentication a custom claim to determine whether they are a customer and/or a business. In that case you'd need server-side code to set the custom isCustomer and/or isBusiness claims and use this in your code (and database) to grant or deny access.
Also see:
How to create firebase admin user for authentication in java
How to use the same Firebase Auth for Two different Flutter apps?
role based authorization and role based access control flutter
I'm minting custom tokens using the node admin SDK within a cloud function. As I'm using firebase cloud functions, the default service account is discovered automatically in the managed environment.
Due to this, I'm able to sign custom tokens using the default service account. However I'm not able to verify these tokens, as the admin SDK only allows us to verify ID tokens and not custom tokens.
Is there any way that I can get access to the private key in the default service account via the admin SDK so that I can use a 3rd part library to verify them
Mainly token are used for authentication but firebase provides different
Sign-in providers like email and password, Facebook, Google, GitHub and Anonymous for authentication. Then what are this tokens used for?
Can anybody guide me to a use case where this custom tokens are useful?
Here's where I got to know about this Custom tokens:
https://www.youtube.com/watch?v=VuqEOjBMQWE&t=93s
https://firebase.google.com/docs/auth/admin/create-custom-tokens
Custom tokens are used when you want to use a Custom Auth System:
You can integrate Firebase Authentication with a custom authentication
system by modifying your authentication server to produce custom
signed tokens when a user successfully signs in. Your app receives
this token and uses it to authenticate with Firebase.
For example: Let's say you're developing an app that needs authentication, but you don't want to use the Auth Providers that Firebase supports (Google,Twitter,Facebook,etc). Let's say you want to use Instagram Auth.
Since Instagram Auth is not provided by Firebase you can't set your Realtime Database rules to auth!=null. You'll probably set it to public, which means that anyone can access your data and this is an obvious security risk(Your database is not safe at all).
So what you can do is create your custom auth system that allows a user to authenticate with Instagram and then give him a Custom Token. The user will then use this token when signing in to your Firebase App, and he will be recognized on Firebase Authentication. Which means that he can now access data that is protected by auth!=null. Your database no longer needs to be public.