I want custom firebase authentication where a user manages the roles of subordinate users. I need guidance on understanding on how to implement my own backend authentication system. Everywhere the documentation keeps mentioning that 'send the username and password to your backend that will generate a custom token'. What is this backend? where do I pursue this? My knowledge domain is firebase, firebase functions, angular 2/4, ionic2 for this discussion... thanks
To use custom authentication, you need to create a JSON Web Token (JWT) on your existing backend server, after you have used your existing backend server to validate the username and password of the user (or however else your backend server validates your users).
To create that JWT, use the configuration described at https://firebase.google.com/docs/auth/admin/create-custom-tokens?authuser=0#create_custom_tokens_using_a_third-party_jwt_library
There is PHP and Ruby code available at that page, for anyone using a language that does not have an SDK available from Google, but which does have a JWT library available.
The JWT is signed with your private key, which you can obtain as indicated at https://firebase.google.com/docs/auth/admin/create-custom-tokens?authuser=0#create_custom_tokens_using_a_third-party_jwt_library
Although that page describes initializing the SDK, this section also has instructions for creating the private key for your service account using the Firebase console at https://console.firebase.google.com/u/0/project/_/settings/serviceaccounts/adminsdk
You will have to send the email password to the firebase sdk in using javascript in web then when the sdk success functions tell that the user has been authenticated the web page will send result to your backend server (can be nodejs or php etc) from there you have to manage your own database to handle all the role base access.
Firebase is basically authenticating the user for you and telling you that you can identify this user using the following userid and then build your own system.
Firebase has access rules but those you have to define first you cannot fully customize them for each user.
For password auth see this:
https://firebase.google.com/docs/auth/web/password-auth
An easy way to do custom auth with Firebase is using an external identity provider. Auth0 is an example of such a provider.
Guide:
https://shusson.info/post/using-firebase-and-auth0-together
code:
https://github.com/shusson/firebase-custom-auth
Related
I'm building a social media app with a focus on group chatting. I am working on creating a new user. Firestore provides this function to begin the process of creating the user from the client:
auth.createUserWithEmailAndPassword
However, I read that it's safer to try to minimize what lives on the client side and do most of the app's work on the server side. Should I use the function above (on the client) or should I make a custom function that passes the email and password to the server and create the user there?
Firstly, auth.createUserWithEmailAndPassword is not a Firestore method. It's a Firebase Auth method. Firestore is a database, Firebase Auth is an authentication service. It's good not to mix up their responsibilities.
The options you're proposing are not, in practice, any different in terms of security. That's because the Firebase Auth service provides a public REST API for creating new user accounts that's accessible to the world if you've enabled email and password authentication for your project. It doesn't really matter if you invoke that from a frontend or backend - the net result is the same.
Do whatever you find most convenient. Firebase Auth was designed so that users can create their own accounts using the authentication providers that you enabled. Adding another backend service to that seems to just add more work for no extra benefit.
I am trying Firebase to authenticate users for a website that was initially built on Flask (using the flask login workflow with a postgres DB). However, I am not sure that I have a correct understanding of what would be considered best practices when using Firebase.
I read through this article, which I think has led me down a suboptimal path when it comes to actually managing users.
My questions are:
Should all the Firebase authentication be handled in the javascript?
If so, should I use the request.headers on the backend to verify the identity of the user?
Any tutorials (aside from the Firenotes one, which I am working through) much appreciated.
Should all the Firebase authentication be handled in the javascript?
No, it doesn't have to be JavaScript. But in general, you'll find that most apps using one of the existing Firebase Authentication providers handle the sign-in of the user in their client-side code, with calls to the authentication server.
If so, should I use the request.headers on the backend to verify the identity of the user?
When calling REST APIs Firebase itself passes the ID token of the authenticated user in the Authorization header, so that's a valid approach indeed. On the server you can then verify that the ID token is valid, and decide what data this user has access to.
Firebase provides a client sdk for web and an admin sdk for backend server to create a user session. In a microservices architecture based cloud application, do we have to create a custom token at the server side when a user tries to log into our system and then allow the client using java-script based client sdk to create another id-token with the custom token for continuing the client interaction within that session ?
Why do we need two tokens i.e Custom Token(Admin SDK) and Id Token(Client SDK) for user authentication ?
You need only one of the two tokens for each user, depending on whether you're using a custom provider to sign that user in, or one of the built-in providers.
If you use one of the existing providers you'll use its ID token.
If you create a custom provider, you'll create your own (custom) token for the user. This custom token essentially takes the place of the ID token that you'd use with the default provider.
To learn all about the various token types that Firebase Authentication has, read the blog post Demystifying Firebase Auth Tokens.
We are working on an application that uses firebase for authentication purposes. We implemented the authentication mechanism in our angular application and everything works fine. what we want now is to add custom claims to the JWT tokens generated once the user is authenticated. We know about the Admin SDK here:
https://firebase.google.com/docs/auth/admin/custom-claims
but this requires the addition of a web service. is there a way to configure firebase via the portal to add a default custom claim for all existing users and new users. what we want is to add an "id" field with random GUID. is it possible to use the Admin SDK to configure this behaviour once and for all?
Thanks in advance.
There is no way to add custom claims without using the Admin SDK. This requires that you run a script on a trusted environment, such as your development machine, a server you control, or Cloud Functions for Firebase. The latter is probably your best option if you want to do this regularly, and don't have your own server.
Firebase Rest API mentions that we can pass CREDENTIAL to provide access to authenticated nodes. However I was not able to find documentation on where I can find these credential or generate these credential. Custom tokens generated using NodeJS firebase-admin client also don't work.
https://firebase.google.com/docs/database/rest/save-data
https://docs-examples.firebaseio.com/rest/saving-data/auth-example.json?auth=CREDENTIAL
If you scrolled down a little on the same page, you would find the answer:
In the following example we send a POST request with an auth parameter, where CREDENTIAL is either our Firebase app secret or an authentication token...
Firebase secrets are legacy credentials you can find/create under Project settings - Service Accounts in the Console. Using one as the auth parameter gives the caller administrative access.
Or you can use a service account to generate admin level access tokens instead of relying on the legacy secrets. See here for the Java implementation.
Or if you have an authenticated user – for example you're implementing an API a client apps call via HTTP, passing along their current access token –, you can use that token directly to impersonate the user.
The custom authentication tokens serve a completely different purpose and are part of a different sign in flow. Therefore they do nothing via the REST API.