Firebase Authentication for MOODLE - firebase-authentication

I have created a Moodle portal. Is it possible to have FIREBASE authentication (for Sign-Up and Sign-In) for MOODLE?

There is no default provider for Moodle sign-in for Firebase, but you can create your own custom provider that mints Firebase tokens based on your verified Moodle credentials.
The flow for this is:
You collect the user's credentials and pass these to your server.
You call the Moodle API to sign the user in.
You then mint a Firebase token from the verified information about this user.
You pass the token back to the client, and sign in to Firebase there.

Related

Use react-native-firebase/auth OAuth provider to auth Azure AD credential

I am developing a mobile with react-native (react-native-firebase/auth) and using Firebase Auth to manage user login. In the beginning, I only use the email/password to auth users and work nice.
Now I would like to let users use Azure AD. Since react-native-firebase/auth does not support Microsoft account at this moment, so I use react-native-app-auth. Afterwards, use the Microsoft credential to auth the Firebase user and link them together.
const result = await authorize(config);
const credential = auth.OAuthProvider.credential(
result.idToken,
result.accessToken,
);
const userCredential = await auth().signInWithCredential(credential);
When calling the signInWithCredential, it throw an error : [auth/internal-error].
Currently, I have backend user profile like to a Firebase user account. I don't want to complicate the backend to have multiple auth methods. Ideally, it can be done at the Firebase would be great.
Thanks.
Seems like you have to use a custom token.
Unlike other OAuth providers supported by Firebase such as Google, Facebook, and Twitter, where sign-in can directly be achieved with OAuth access token based credentials, Firebase Auth does not support the same capability for providers such as Microsoft due to the inability of the Firebase Auth server to verify the audience of Microsoft OAuth access tokens.
If these providers are required to be used in unsupported environments, a third party OAuth library and Firebase custom authentication would need to be used.
source: Firebase doc

How to use Firebase Authentication with Okta?

I am currently using Firebase Authentication in my app using the built-in OIDC providers (Google, Facebook etc.). Is it possible to use Okta as an additional OIDC provider with minimal modifications to my app, meaning Okta should behave just like any other built-in provider? Firebase Auth apis, such as firebase.auth().currentUser and firebase.auth().onAuthStateChanged() should still work.
The doc page for Custom Authentication talks about getting a custom token from an auth server, but does not clarify if that's an OAuth access token. Is there an example of Okta integration or a generic OIDC integration that works seamlessly with Firebase auth?
There's no built-in Okta provider for Firebase Authentication, but if you have an existing authentication flow for it, it's fairly easy to integrate it into Firebase as a custom provider.
It's a 6 step process:
You gather the user credentials on the client.
You pass those credentials to a trusted environment, either a server you control, or Cloud Functions.
On the server you verify that the credentials are correct according to Okta, typically by calling a server-side API they provide with a key you provide.
You then use the results of that call to mint a new ID token for the user. This is a JWT, not an OAuth access token.
You pass back that ID token from the server to the client.
The client then calls firebase.auth().signInWithCustomToken(token) with the ID token, to sign in to Firebase Authentication.

Is SSO between non Auth0 website Auth0 secured API possible?

I need to enable SSO between my customer's website and my API.
The customers website doesn't use Auth0 but allow users to login using a few different social providers like Microsoft and Google.
My API is secured using Auth0 and also supports Microsoft and Google authentication via Auth0. If my customer sends the JWT token received when the user authenticated with Google with their request to my API, will Auth0 authenticate the user even though my customer doesn't use Auth0?
Google/Microsoft auth is OAuth. OAuth is an explicit grant between the user and one particular application. It cannot and won't be shared with your app. The user would need to do a separate OAuth flow with your application to grant it access. There is no way around that.
However, given that this is an API, the more likely scenario is that the user shouldn't auth with your app at all, but rather, it should be the customer's application that auths and then works on behalf of the user. As such, you'd just set up the customer's application as a client and given them client credentials to use. Then, the user auths with the customer's website, the customer's website auths with your API via its client credentials, and then the user in effect works with your API via the customer's application as a go-between.
No , if your api application is protected by Auth0 and use external providers , after authentication from external providers and back to Auth0 , Auth0 will validate the token issued by external provider ,decode token , read claims , issue Auth0's own token and implement session management . So that your api application only accepts tokens which issued by Auth0 and validate tokens use Auth0's key-pairs , it won't accept other provider's tokens .
You can make your client application and api application both secured by one identity provider(Auth0/Google/Microsoft) .

Facebook login via Firebase. Should I verify both Facebook access token and Firebase IdToken?

This is not exactly a problem; rather I would like to clarify Firebase authentication.
I build an Angular app and I use Firebase Authentication to sign in via Facebook (later with other providers too). Everything works fine. However, I need to verify access token. Since I get two tokens, one from Facebook and one from Firebase, should I verify both? Or verifying Firebase IdToken is enough?
Does Firebase "verify" Facebook (and other providers) access token?
Firebase Auth will verify the Facebook access token before they complete sign-in for that user and mint an ID token for that user. It is the whole point of using Firebase Auth. You don't need to manage different providers and their intricacies. They do it for you. You just get one standard credential (ID token) regardless of the underlying provider. You only need to verify that ID token.
You get the verification for free (they verify under the hood) with other Firebase Services (RTDB, Firestore, Storage). If you are using your own server, you can use Firebase Admin SDK to verify the token.

Firebase authentication for private server

I am developoing a flutter app and want to use Firebase auth service to enable my users to signup/login using:
email/pass
google
facebook
I have a lumen backend REST server with MySQL database.
Problem: Going through loads of firebase documentation I cannot understand the whole flow of how this should work.
I can successfully create users using the app and they appear in the firebase console, however, I don't know how to enable them to securely talk to my backend server.
I would expect Firebase to release an access and refresh tokens for me to use for my private communication between the app and backend, like AWS cognito does. Instead, it issues an "ID Token" that is JWT token and should be verified on backend. But what do I do once it is verified?
How do I link my users in my database to the authenticated user? What is the thing to store in the database to map to the authenticated user?
Do I have to generate custom tokens via the Admin SDK?
Or is the ID Token the thing that should be passed from client to backend on each request and then verified? But still, what do I put from this ID token to my database to link the authenticated user with their data?
Here's how I do it now. It works great.
Install Firebase admin sdk on your backend server, if you are using php, here is what I've followed and worked flawlessly: PHP Firebase Admin sdk
Aquire firebase idToken using firebase SDK in your client (app), I've used Firebase auth package for this.
Send idToken to your backend
Use Admin SDK to verify the idToken, if verification is successful it returns a Firebase user object. And you can perform various management actions on it (modify, delete, get different data etc.).
Get uid from the Firebase user object.
Store uid in your database.
Now each time this authenticated user makes a request to your backend server, you attach the idToken to the header of the request.
Each time you verify (see step 4) the idToken on your backend server and if the verification is successful you extract the uid to know which user to query in your database.
Any comments/improvements on this are welcome :)