Support for OAuth 2.0 PKCE - apigee

Is there support for Proof Key for Code Exchange by OAuth Public Clients on Apigee cloud? I couldn't find any reference to it on the online documentation. If not supported, is it on the roadmap?

this should be fairly simple to do, all you need is to create the proper policies in your oauth proxies... we have a solution for openid connect on top of apigee and just added this in a few hours.
PKCE just requires that you store the code_challenge in a cache you can retrieve when about to create the access token, and then it requires you be able to re create from code_verifier + method... this can be done with a node backend, or by importing the proper libraries in a JS callout ( or java callout if that is your thing.)
we used node for this

Related

Prevent front-end generated email sign-in links when generating and sending these via backend

I am using firebase admin sdk on the server to generate sign in links and send them out via custom SMTP api.
I just glanced at https://firebase.google.com/docs/auth/limits and I am well within these, but I believe there is nothing stopping a malicious third party from creating/requesting sign-in links via front end code. Is there a possibility to disable this functionality so it is only available to admin acc?
Additionally, I'd like some emails (i.e. multi factor enrolment) to not be possible, but again, given that someone can obtain some of my firebase front end details, they technically can send these?
You can restrict the API key from accessing an API (e.g. Identity Toolkit) but not disable a single method of the API for client.Sign up and delete user can be (that requires upgrading to Identity Platform) .
Firebase generates an API key when you add a web app. You can either update that or create a new key from API Credentials console.
You can then restrict what the API key in Firebase web config has access to:
However, Firebase Auth Client SDK will not work as Identity Toolkit is not selected. You'll have to proxy the requests through your backend and use a different key that can be used from your server's IP only.
Firebase Admin SDK will still be functional as usual so you can use that to perform other operations like updating/deleting users. You'll just have to write APIs on your backend for what could have been done using client SDK directly (or use Admin SDK when possible).
It might be a lot to update and I would not recommend unless you are facing rate limiting issues where Firebase Support should be able to help.

Firebase custom auth in server-to-server scenario

I need to implement a scenario where, after a file is uploaded to Google Cloud Storage, a function is triggered and processes the file. In this case, processing basically means sanitizing the file, storing it into Firestore and making it accessible via another HTTP-triggered function (a REST API of sorts).
Both user-facing ends of this process (a file upload and HTTP function) need to be secured. The process will be used in server-to-server scenario: one side is going to be a backend written in either Node.js or .NET, the other will be my Firebase solution (Cloud Storage and HTTP-triggered function as per above). In Firebase, I am going to maintain a custom set of users that should have access to the system - my idea was to use a simple system where each user will have a client id and a client secret (basically an oAuth client credentials grant type).
Based on what I read online, an only option to implement this is to use [Firebase auth with custom tokens][1]. I found lots of examples online on how to do that, but it was always about client-to-server scenarios (e.g. a Javascript web app talking to REST API). Server-to-server scenarios were not mentioned anywhere and indeed, I am unsure how to go about implementing it - I can call auth.createCustomToken(uid) just fine in my HTTP Firestore function, but there seem to be no server-side libraries I could use to call auth.SignInWithCustomTokenAsync(customToken).
To sum it up:
How can I use Firebase auth with custom tokens in server-to-server
scenario, where I need to sign in using a previously generated
custom token from a server environment?
If it is not possible,
what's the other alternative to securely implement the
above-described architecture?
I've contacted Google Support and if anyone else is struggling with this, in server-side scenarios, recommended approach is to call signInWithCustomToken endpoint in Firebase Auth REST API.

Calling Firebase Remote Config REST API without auth

I want to use Firebase Remote Config API via REST in a mobile app. Due to technical limitations, I can't use the Android/iOS SDK so I have to resort to the REST API.
However, that API requires authentication using a private key -- obviously I can't include that key in the application.
I don't need any other Firebase service at this time, just the remote config.
How can I work around this limitation? I tried following the guide at https://firebase.google.com/docs/remote-config/use-config-rest, but as mentioned it requires to first generate a short-lived OAuth2 token using the auth API.
According to the documentation on using the Remote Config REST API:
This document describes how you can use the Remote Config REST API to read and modify the set of JSON-formatted parameters and conditions known as the Remote Config template.
So the REST API is for modifying Remote Config variables, the type of action you could also do in the Firebase console. It is not for use in regular clients, which consume the configuration variables. For that you'll have to use one of the provided clients, as there is no REST API and the wire protocol is not documented.

how to make authenticated requests to Firebase Realtime Database with api key

What I want is to perform rest requests to Firebase Realtime Database from my esp8266 with micropython firmware without complex authorization process.
I know that I can turn off authorization at all in the rules but I'd prefer to have at least some basic security.
Can't I just use my Web API Key for this purpose?
Here is a doc which tells that there are 2 ways of authentication: oauth2 and generating key manually. Second way seems almost what I need but it requires setting up Admin SDK and as far as I understood still requires regenerating the key from time to time.
So eventually I have no answer to a simple question: how to authenticate rest requests to the Firebase Realtime Database in the most simple way?
The same page you linked to contains a section on using legacy tokens (also known as "database secrets" in the past). While those are not recommended anymore, they continue to work and are as simply as adding the (non-dynamic) database secret to your URLs.
I suggest you read the links at the bottom of the documentation. But I do recommend that you switch to using the OAuth or ID Token flows as those are much more secure.

Can I use Firebase Realtime database/Firestore as a OAuth2.0 Server?

I am developing an native Android application using Firebase (No other custom server, only Firebase)
And it should use other services. (like Facebook API, Twitter API, etc...)
The service providers are providing the REST Api through OAuth 2.0.
I am very newbie of the OAuth 2.0, I have no knowledge, experience.
Yesterday I tried to implement "Implicit Grant", and it works fine.
I can get access_token, and I can use the REST APIs using it.
But there is a parameter "expires_in": 604800 (7 days).
This means my customer should re-authorize after 7 days. (There is no refresh_token.)
So I am considering to change the implement from "Implicit Grant" to "Authorization Code Grant".
But I already told you, I am newbie of the OAuth 2.0. (I have no experience, this is my first time.)
If I choose "Authorization Code Grant", I should store the "code" to exchange the "access_token".
Then where should I store it?
I think I can store it in local device, but it doesn't consider security.
So I want to know can I use "Firebase Realtime database/Firestore" as a storage to store "code".
I think it is reasonable.
But I am not sure...
Since you said you are a newbie , it’s worth reading more about Oauth 2.0 especially when you want to build Oauth server , a simple google search returns
https://stormpath.com/blog/what-the-heck-is-oauthhttps://stormpath.com/blog/what-the-heck-is-oauth
Fire base database alone enough to built a sever , you need endpoints to handle incoming request for you can use Cloud Functions
So if you want to implement **Authorisation Grant ** or Implicit Flow, it needs to happen in browser ,
First you can use cloud functions to handle the incoming GET request from client (in browser)
Then you return a login page where users can login,
Then handle the auth submit request from page , authenticate it , if valid generate a code or access_token (in case of implicit flow) , store that in firebase database
Return the generated code back to client using redirect uri
Finally , if Authorisation grant flow , you need another cloud functions to handle code exchange to access token

Resources