I'm working on an application where I'll need to help users with certain tasks as part of my customer service. Rather than build a separate admin interface, I'd prefer to have the ability to impersonate users to use the app for them.
Is this something that Firebase can do?
Yes!
Using admin SDK and service account initialize Firebase app backend with:
admin.initializeApp({
credential: admin.credential.cert(service_account_json),
})
Obtain authentication token for the user you wish to impersonate:
const userId = "[impersonating user uid string]"
const token = await admin.auth().createCustomToken(userId)
Using frontend Firebase SDK authenticate user with:
const token = "[token string obtained in step 2]"
firebase.auth().signInWithCustomToken(token)
Done! You're now impersonating selected user.
For obvious security reasons the backend endpoint, like Google Cloud Function should require authentication and verify if user requesting custom token is actually a privileged user (admin), to avoid situation where any authenticated user is able to impersonate anyone.
The Firebase Authentication client-side SDKs have no built-in impersonation mechanism. To sign in as a specific user on these SDKs, you must know that user's credentials.
The Firebase Admin SDKs supports impersonating a user in its interaction with the Realtime Database. Since the Admin SDK is meant to be run in a trusted environment (such as your development machine, a server you control, or Cloud Functions) they run with administrative privileges. To learn more about impersonating a regular user here, see the documentation on authenticating with limited privileges.
Related
I need to use the authentication service from firebase. but use my existing authorization service.
Can i use user token, sessions info from firebase.auth().onAuthStateChanged(function(user) {})
what is the best way/ways to manage these kind of use cases.
Should i also store my user details cookies, token etc?
You can implement a custom provider for Firebase Authentication. In this process:
You sign the user in to your service with their credentials as usual.
You then mint a token based on the user's profile.
The user then uses that token to sign in to Firebase.
The entire process is quite well documented on the links I included above.
We're using Expo Firebase Phone Authentication. We're able to authenticate users using the firebase sdk, so when a new phone number signs up for the first time, we add that phone number to the Users section of the firebase console. However some of these phone numbers need to be marked as admin. Is there any way to do that from the firebase console?
If you are talking about marking particular users as an admin in the Authorization tabs, then no, this is not currently possible.
If you are looking for ways to do role-based authentication, there are many tutorials available on how to do this. But to summarize, there are three main methods for role-based authentication with Firebase.
Device (Client SDK)
Server (Admin SDK)
Console
Relative Difficulty
Realtime Database
read/write¹
read/write
read/write
High
Cloud Firestore
read/write¹
read/write
read/write
Low
Token-based
read-only²
read/write
not visible
Medium
¹: Using these methods, another admin could add/remove admins from the client side if desired.
²: While the client SDK can not edit a user's authentication token, you could use a Cloud Function or your own private server to edit a user's token from the client if they have the appropriate permissions.
I would like to login to Firebase from an ERP system.
i.e. once logged into the ERP system, that login can be used to access a Firestore db.
The Firebase docs describe a common case: "Add an additional identifier on a user".
Is it possible to use this common case to login to Firebase from the ERP system?
Control Access with Custom Claims and Security Rules
User roles can be defined for the following common cases:
Add an additional identifier on a user. For example, a Firebase user could map to a different UID in another system.
If you want to use the users from an existing authentication system to authenticate against Firebase, you'll need to implement a custom authentication provider.
With such a provider, you:
Sign the user in with your existing system in a trusted environment (e.g. on a server).
You then use the user's credentials to mint a custom JWT token.
Send that token back the client, which then finally
Uses the custom token to sign in to Firebase.
At this point, the user is signed in to Firebase Authentication in the client, and their UID (and other properties from their token) are available in the Firestore security rules.
My program should allow offline login.
To do these, I trying to save password hash which created by Firebase Auth.
Then offline acquire email and password from login screen, authenticate by password hash which saved at local.
I can find export firebase auth to csv document.
To implement my use case how I do that?
If you're trying to get a list of all users and their password hash from Firebase, you can do so through the Firebase Authentication Admin SDK's listUsers method. For security reasons this SDK only runs on a trusted environment, such as your development machine, as server you control, or Cloud Functions
I have an Ionic application using Firebase so I opted to use Angularfire. Currently running Angularfire4. In my application I store the uid and I want to get email related with that uid. I use the email/password login provided by firebase. How can I translate the uid to an email?
The only method found is when using nodejs.
The only data that is exposed in the client-side Authentication SDKs is the profile of the currently authenticated user.
There is no way to look up user data for a UID with the Firebase Authentication client-side SDKs. While admittedly convenient, it would make leaking user-data way too easy.
The only way to look up user data by UID is using the Admin SDK that you found. The idea is that you run those in a trusted environment (e.g. a server you control, or Cloud Functions) and selectively expose the user data that your app needs.