Authenticate IoT Appliance Using Firebase Auth - firebase

I can't figure out how to authenticate my IoT appliance to call Google Cloud App Engine APIs I've written using Firebase Auth.
We currently do this with our browser app using Firebase Auth tokens. We use the username and password to issue a token and then use that token during the life of the session to access APIs from our browser app.
This doesn't translate well to our IoT appliance as there is no username/password - so we are thinking we will need to use Firebase custom tokens. Unfortunately these tokens expire every hour - so we will need to use the Firebase Auth APIs to renew the tokens automatically - we think this is the way this works based on documentation.
A constraint we have is that this appliance doesn't have any user experience but instead needs to be able to restart at any time and reestablish it's authenticity with the server by retrieving a fresh token.
I'm having a hard time finding an example of how to do this - and I'm hoping someone can give me a simple example or some clear direction on how to keep a authentication token current while the appliance is on and establish a new one if it needs to restart.
Thanks!

Have you looked at Cloud IoT Core as an option? It handles the authentication piece for you without user/pass (uses JWT), and is designed for IoT. A quickie Cloud Function can bring your telemetry data into Firebase/Firestore very easily.
Another option would be to create a service account with permissions to write to AppEngine. Check out this link: https://cloud.google.com/docs/authentication/getting-started for some documentation on how to authenticate using a service account.

Related

firestore security rules for server side requests

i'm flutter-fire user since last fall
Note: The server client libraries bypass all Cloud Firestore Security
Rules and instead authenticate through Google Application Default
Credentials. If you are using the server client libraries or the REST
or RPC APIs, make sure to set up Identity and Access Management (IAM)
for Cloud Firestore.
Comment above is from link by firebase team. It sounds like 'server client libraries' or apis in the comment mean the requests from outside of my mobile apps, and they gon bypassing cloud firestore security rules. But when i tried the same get request with Postman with just same request from the one in my app without permission, the response in Postman console was fine, which means that there came a permission denied error.
So, here comes my question. I hope to know what types of requests exactly are equivalent to these 'server client libraries' or 'the REST or RPC APIs' mentioned in the official reference that bypass all the security rules. Postman is exactly 'the REST', and firebase worked as i wanted(produced permission denial) perfectly in this case. So there must be some specific types that firebase team actually intended to refer to be careful of.
I understand that firebase-admin sdk is one of the possible server side libraries, but exactly the same permission or auth procedures should be required when we tried to access firebase admin sdk which can control firebase data above the security rules just like firebase team commented. So the question is focusing on possible attackers' solutions to maliciously manipulate our firebase without the proper security procedures.
Hope some firebase gurus would give cool answers for the question with awesome knowledge and experiences! Thank you in advance [:
As their name indicate, the server client libraries are to be used from a server or from a "trusted environment" like Cloud Functions.
When interacting from your server (or your trusted environment) with the Firebase server APIs you don't authenticate as you would authenticate from a client application. Instead of using user accounts created through the Firebase Authentication service (e.g. email/password account) your server should use Google service accounts. More details here in the Firebase doc.
Note that for Cloud Functions, you initialize the Admin SDK with no parameters. In this case, the SDK uses Google Application Default Credentials (exactly as indicated in the documentation excerpt you mentioned in your question).
So, when your server (or your Cloud Function) interacts with the Firebase server APIs, since it is authenticated with a service account, the requests bypass all Cloud Firestore Security Rules. In other words, if you want to implement some check to allow/forbid specific operations based on specific parameters/values, you have to implement them in your code.
For the REST API, it is the same. The REST API can be used from a client application (a web app, a Flutter app, ...) or from a server.
Depending if it is a client or a server, you should authenticate by using a Firebase Authentication ID token or a service account (together with Google Identity OAuth 2.0 token), as explained in detail in the documentation.
So, when you make a request to the API with Postman without permission, as you did, the API detects that there is no Google Identity OAuth 2.0 token or Firebase Authentication ID token associated with the request and then the Security Rules are enforced => you get a "permission denied error".
In conclusion, if you correctly define your Security Rules you should not encounter any problem with "attackers maliciously manipulating" your database.
Note however that Security Rules only based on auth != null may not be sufficient to protect your data, as explained in this answer.

Firebase Admin SDK create user using providers

I am trying to create a REST API for my app using Firebase Cloud Functions. I know how to use Admin SDK in Cloud Functions. It does have API to createUser. My front end app lets users sign in using Google and Facebook but I am not sure how to put it all together.
My app has successfully implemented Sign in with Google and Sign in with Facebook but how and what data do I transfer over to Cloud Functions (or any REST API Server for that matter) so that it could create a user in Firebase with appropriate provider.
Update for more explanation
I am creating an app for iOS and Android with some sort of cloud based backend. Right now I am experimenting with Firebase but I do not intend to tightly couple my apps to Firebase and hence do not want to pull Firebase-iOS and Firebase-Android SDKs into my app code. I want the ability and freedom to switch my backend over to AWS or Azure without changing frontend code.
The one (and only?) way is to create a server that will expose REST API endpoints and do the work on my behalf that usually SDK does. To achieve this, I am using Cloud Functions but that shouldn't matter as long as I have API to talk to actual cloud.
After putting that explanation, now my question is how do I let my users login to app using external providers like Google and Facebook and still achieve what I am trying to do. When I let users sign in with providers, I do not have their password to send to backend to create a new email/password user.
The sample code that best illustrates what you want to do here on GitHub.
It shows how to create an Express app that handles HTTP request pages. Learn more about Express to configure it for wildcards are needed.
It accepts and checks authentication tokens in HTTP requests from Firebase Authentication to validate the end user responsible for the request.

Searching for a way for firebase to connect to provider on my behalf

Before i use firebase authentication i have read that i need to connect to the provider first. Let me explain.
If i want a Facebook login to authenticate in firebase first id connect to facebook oauth using facebook apis and then after that network call succeeds then i will use firebase api with the token recieved and log into firebase app. Right ?
I am searching for a way to not have to do two network calls. Is there a way to let firebase api do the work of connecting to provider on my behalf. This would save the user a network call.

Firebase Read Only With No Authentication from App

I'm starting with Firebase, and basically, i just want to store data in Firebase, and user from my app will only do a read only. From what i read so far, it seems that firebase only works with authentication, and i've read about anonymous authentication. But i don't see the advantage of being authenticated anonymously, since basically the user will never be upgraded to "permanent" user.
All i want is the user use my app (and only through my app) to get data without needing to authenticate.
What is the best way to achieve this ? Do i create a username and password, and use this for everyone in my app ?
Do i stay with anonymous authentication ? Since i will at first use the Firebase Spark Free, and it says that only 100 simultaneous connection for realtime database, do each creation of anonymous authentication will be considered as opening a connection all the time, thus limited my app to 100 connection/user only ? Is there a limitation for Spark Free in terms of anonymous connection ?
Thank you
You can use Firebase without authentication. Some of the Youtube tutorials on the official Firebase channel even go as far as to show you how to disable authentication on the Firebase Database and Storage. Only disable read authentication for production purposes.
Storage Rules.
Database Rules.

Can Firebase be used without clients logging in?

I am working on a project that might use Firebase only for messaging. The goal is for the following to happen:
App registers with Firebase on startup
App sends Firebase token to our server
Our server sends Firebase messages to all clients via the token from step 2
Note there is no step where the user will log into anything or enter any credentials. I am a little confused if this is possible in a production app, as most Firebase documentation talks extensively about different ways to authenticate, either via username/password, OAuth, etc.
The server will be sending different messages to different clients, but that logic will be handled by the server and not by different types of registration to Firebase. I know Firebase supports groups, but to make a long story short it probably won't be leveraged.
Can all this be done on Firebase? Is GCM a better match for these requirements? I feel like we would be throwing away 95% of Firebase and just trying to force it to simplify the messaging part.
Firebase Authentication does not at all affect the way that Firebase Cloud Messaging works. FCM only cares about the token for the app on the device as a means to target the app for messages. It doesn't care at all if the end user is authenticated by any means. If you want to associate a token to a user somehow, using Firebase Authentication or some other system, that's up to you.
FCM is an evolution of GCM. They are powered by essentially the same components. Using GCM doesn't give you any additional constraints or flexibility than FCM, except for the path to integration in your app.

Resources