Can Firebase admin SDK retrieve user auth tokens? - firebase

The firebase javascript client SDK has sustained access to, say, a facebook oauth token. My understanding is an app can just call firebase.auth.FacebookAuthProvider.credential() and if it is signed in, it will receive a facebook access token with which it can do API calls. The key point here is that the token is not stored in my database, but in firebase auth, securely.
I want my back-end to be able to make these API calls on behalf of my app. why can't I call admin.auth.facebookauthprovider.credential() to retrieve the token?
Please note I will actually be implementing this for Slack oauth. At the moment, I will otherwise have to encrypt Slack tokens in my firestore DB. This instagram firebase example does that, and I feel it defeats the purpose of firebase auth

Related

If anyone take my Google Sign in token, can he or she sign in via that access token?

I am learning react-js development, from this course I learned that I can use Firebase and Google sign as a third part storage service and sign in verification service, I draw a sign in steps with drawio diagram, as diagram below if someone take my (2) Google verification token or (6) Firebase access token can he or she sign in my website on his machine by that two tokens before expired ?
clarification about google token or firebase token security level.
That's a pretty standard OAuth flow. Firebase JS SDK does the same under the hood when you call signInWithPopup():
Getting user's access token after user's approval
Signing in with the response (see sign in with OAuth credential)
Yes, if I somehow get your Google Access Token (2), I can use it to access your account's data (for the scopes it has access to). Similarly, Firebase tokens are generally used as a Bearer token that means anyone in possession of the token gets access to the resources.
But chances of someone getting these tokens are slim to none (unless they have physical access to user's computer). As long as users do not share these tokens or any malicious script tries to read them, this flow has no issues.

Authentication for the Firebase Cloud Function-based API with API key and OAuth - getting the uid in from the request

I'm working on the custom express API based on the single Cloud Function and I'd like to secure the endpoints with the authentication. I'm aiming for implementing the API key flow and OAuth 2.0 authorization code flow. In my endpoint functions I'd need to obtain the user id somehow and I was wandering how can I archive that. Should I mix Firebase Token (createCustomToken) with these auth flows? e.g in the API key flow when user generates a new token on the frontend then on the backend I should create a Firebase Token instead of custom hashed token and store it in db?
Any ideas how to do it properly, maybe are there any other/better ways to retrieve the uid?

Is it possible to get accessToken on behalf of user's RefreshToken?

In my web application I have integrated user Firebase Authentication using Google Sign-in. After successful sign-in Firebase returns AccessToken and RefreshToken. Using this AccessToken I am able to call Google APIs (eg; calendar API).
What I wanted to know: If I store user's RefreshToken in DB, later on (may be after a week or so) application backend can get user's RefreshToken from DB and call some Google API (don't know which and how) to retrieve user's AccessToken. This AccessToken will be used to call Google APIs without any issue.
In short, is it possible for backend to retrieve user's AccessToken by using user's RefreshToken for calling Google APIs?
I cant say i have tried with something that came from firebase auth but in theory it should work
This is the call you make.
HTTP POST https://accounts.google.com/o/oauth2/token
client_id={ClientId}&client_secret={ClientSecret}&refresh_token=[REFRESHTOKEN]&grant_type=refresh_token
Love to hear if it works or not.

Is it secure to store JWT Refresh token in Firebase Auth Custom Claims?

I am building an app with firebase and MongoDB. And I would like to add JWT Refresh token in Firebase Auth Custom Claims when a user is created using cloud function. Is it secure?
I'm not 100% certain, but I do not think that would be secure. You'd essentially be adding a refresh JWT to Firebase's auth JWT. Importantly, JWTs are encoded, but NOT encrypted. If your Firebase auth token were somehow hijacked, it could simply be decoded and the refresh JWT would be exposed. I'd think the exposed refresh token could then be used to retrieve a new legit token.

Sign out user via REST HTTP API

I can sign in users to Firebase using this HTTP API:
How do I sign out users, so that the Firebase idToken and refreshToken can no longer be used?
Also, how long is the refreshToken valid for?
If my user does not use my app for weeks, can I still use the refreshToken or will I need to get a fresh Google Sign In idToken and exchange it for a Firebase (idToken, refreshToken) pair via the /identitytoolkit/v3/relyingparty/verifyAssertion API?
I don't believe there is a sign out endpoint. You could try doing a redirect to https://accounts.google.com/Logout but I suspect that is signing out from all Google services which might not be a great idea.
The whole point of Refresh Tokens is that they can be used to access resources whether or not the user is present and signed in, so your comment "How do I sign out users, so that the Firebase idToken and refreshToken can no longer be used" is an oxymoron.
A Refresh Token is theoretically valid until a user specifically revokes it, but your app should code for the possibility that Google has expired it.
The client cannot directly revoke the ID token via the REST API, but both the Firebase Auth client SDKs (ex: Android) and the Auth Admin SDK do support it. So if your client platform isn't supported, but you are able to create a small server implementation (maybe through Firebase/Cloud Functions), you can create an HTTP endpoint that triggers ID token revocation.

Resources