I would like to only allow authenticated user from one project to be able to read data from another project, but nobody else can access the data.
How can I accomplish that ?
Thank you
Auth does not transcend project boundaries. You will need to authenticate the user into the project whose data you want to access. If you don't want to / can't do so directly, you will need to verify the token of Project A and then mint a custom token for Project B in a trusted environment such as a Cloud Function.
Related
I am trying to figure out how OAuth2.0 (or something else entirely) can be used to handle a situation where a user who is calling a backend api, can only retrieve data relevant to that user.
For example:
Lets say I have a bank application, and the customer account information is located at "bank.com/account/{customerId}". How do I restrict access to this, so that other customers cannot see each-others bank account information? As anyone with an access token could get anyone's account info and Roles can't solve this.
I have come up with a potential solution to this problem using Firebase JWTs which is to access the header of the incoming request and compare the User ID in the body of the token to that of the data being accessed.
My gut tells me I am missing the bigger picture, as this problem must be a common phenomena, and I could not find the answer elsewhere.
My Environment is a Spring Boot backend utilizing the Oauth2.0 resource server pointing to the firebase project. Backend is connected to a Postgres database. Frontend is an Angular Application.
To ensure users can access only their own resources, you must write it in your Spring Boot application. OAuth2 only provides you an access token which you can use to find out who is calling you and what scopes he has granted.
But the security logic is up to you to implement. If you have a userId in URLs, you should check that it matches the userId from access token. If user data is stored in a database, you will probably need to add conditions to your SQL queries such as WHERE user_id = :userId.
You can also use scopes from an access token to grant only partial access to user's resources. It's useful if another application can access user's resources on his behalf. Such as reading person's name and email when logging in somewhere using Google/Facebook/Github.
I am building a booking system and I am using firebase as the backend. The system has two parts:
the customer end which is an app.
the business end which is a website.
I am using the same firestore database for both and also using the same Firebase Authentication project.
So I need two sets of authentication sets one for the customer end and another for the business end.
I have added two apps in a firebase project for sharing the database. My issue is the users shouldn't be able to sign in at the business web app with their credentials and vise versa.
How can I create two sets of authentication details one for each app?
Authenticating a user with Firebase does not determine whether the user has access to anything app-specific. Authentication is merely a method where the user proves who they are.
You then use this information about the user to determine what they can do in your app(s), a process that is known as authorization. Authentication and authorization go hand in hand, but are still separate steps. And Firebase Authentication only takes care of the authentication part. Authorization is up to your app.
The typical approach to your scenario is to actually have only one set of credentials for each user. If the same user needs access to both the app, and the web site, they can sign in with the same credentials. Based on your knowledge of the user, you then grant or deny them access.
Most apps have a users collection with a user profile document for each user (using their UID as the key). Then after the user is authenticated your app could read the user's profile document and read for example two fields named isCustomer and isBusiness, to determine if the user has access to the app/site. You'd also use those fields in the security rules of your database to grant/deny access.
An alternative is to give each user profile in Firebase Authentication a custom claim to determine whether they are a customer and/or a business. In that case you'd need server-side code to set the custom isCustomer and/or isBusiness claims and use this in your code (and database) to grant or deny access.
Also see:
How to create firebase admin user for authentication in java
How to use the same Firebase Auth for Two different Flutter apps?
role based authorization and role based access control flutter
CONTEXT:
In firebase settings, there's a permissions tab. This shows the users/emails that are associated with accounts that have admin access to the firebase project and console.
I could have sworn I once saw a document describing a method or some way of checking if a user account in firebase auth is also an administrator of the firebase project.
I seriously can't tell if it was in a dream (yes I dream code) or if I actually saw it. I often work late nights and fall asleep in front of my computer.
Question: Is there any way to tell if a user is also an administrator of the firebase app?
IE the user email matches an email that’s listed in the IAM/access management section of firebase as an 'owner' role?
Im currently writing an admin panel for my app, so such a feature would be very useful.
If such a thing does not exist, can anyone suggest an alternative way to manage and authorise users that are capable of logging into the admin dashboard to have control over the app? I already understand custom claims so I will use them if no better solution is suggested.
Well, using only the FirebaseAuth through your app, I don't think you can (as far as my knowledge goes). But you can easily implement the Admin SDK to manage your Custom Claims. Basically, you can use the Admin SDK and find out which "role" you want to access.
Referencing Firebase
Custom claims can contain sensitive data, therefore they should only
be set from a privileged server environment by the Firebase Admin SDK.
and
Custom claims can only be retrieved through the user's ID token.
Access to these claims may be necessary to modify the client UI based
on the user's role or access level. However, backend access should
always be enforced through the ID token after validating it and
parsing its claims. Custom claims should not be sent directly to the
backend, as they can't be trusted outside of the token.
Once the latest claims have propagated to a user's ID token, you can
get them by retrieving the ID token.
Therefore, you'll only need the FirebaseAuth implemented on your app's (client), but will need an extra implementation using a server.
Please see the Firebase use cases, they'll probably fit your needs, and you can pick the one that is "easier" for you.
It turns out it can't do what I wanted in the first place because it's only available on certain triggers.
Here it is: context.authType
https://firebase.google.com/docs/reference/functions/functions.EventContext#.authType
The level of permissions for a user. Valid values are:
ADMIN Developer user or user authenticated via a service account. USER
Known user. UNAUTHENTICATED Unauthenticated action null For event
types that do not provide user information (all except Realtime
Database).
Although it would be great if we could get this information on callable functions and firebase triggers because it would help further secure hosted backend admin apps for customer service or developers, who have high-level access to admin functions. This variable seems to not be available on callable functions but is available on newUser trigger - which is strange, because how can user signup ever be authenticated anyway?
I am building apps using Firebase (Storage, Functions, Hosting, Real-Time Database and Firestore). In the apps, the user authenticates using a third-party library (like Google connect but not Google).
I don't know how to protect my database because I am not using Firebase Authentication. How can I use this third party authentication to protect data for example? Maybe I need to create a user manually and attach information to him so that this info will be available in the Security Rules editor?
Thanks
I don't think you can secure your database or storage without a form of authentication.
Now firebase provides multiple methods of authentication (email , google, custom , anonymous .....).
What you might want:
You might want to add custom login to your users in which they get registered with extra data that you provide. And they will still get a user id that you will use to check in the rules to allow read and writes along with some custom data you provided while registration (so you can check these data from the rules).
I have an Ionic application using Firebase so I opted to use Angularfire. Currently running Angularfire4. In my application I store the uid and I want to get email related with that uid. I use the email/password login provided by firebase. How can I translate the uid to an email?
The only method found is when using nodejs.
The only data that is exposed in the client-side Authentication SDKs is the profile of the currently authenticated user.
There is no way to look up user data for a UID with the Firebase Authentication client-side SDKs. While admittedly convenient, it would make leaking user-data way too easy.
The only way to look up user data by UID is using the Admin SDK that you found. The idea is that you run those in a trusted environment (e.g. a server you control, or Cloud Functions) and selectively expose the user data that your app needs.