I'm trying to enable multifactor auth in my Flutter project, which is only targeting the web platform. As I understand, the latest version of the FlutterFire SDK does not support MFA. This is why I'm trying to use the Google Identity Platform APIs to add the feature to my app.
I can already acquire a token from the REST API, but when passing it to the signInWithCustomToken() method, I always get this error: 'The custom token format is incorrect...'
Here is how I'm trying to sign a user in:
Use http package to post to https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword
Start MFA by posting to https://identitytoolkit.googleapis.com/v2/accounts/mfaSignIn:start
Get the SMS verification code from the message sent to the user's phone number.
Post to https://cloud.google.com/identity-platform/docs/reference/rest/v2/accounts.mfaSignIn/finalize
with the SMS verification code.
Get the idToken from the response body.
Pass the acquired idToken to the FirebaseAuth.signInWithCustomToken() method.
Looking at this Firebase doc, it appears that the token I get from GIP REST API is formatted differently.
Is there anything I can do so that the Firebase SDK accepts the tokens I get from the Google Identity Platform REST API?
The Firebase signInWithCustomToken() method takes a token generated by the Admin SDK, not a Google Identity token.
Tokens returned by GCIP (Google Cloud Identity Platform) are the same Auth ID tokens used by Firebase. After calling finalizeMfa you have essentially signed into Firebase, and if you begin to use the SDK, you'll see that it works at this point without any conversion.
Related
Intro
So I have read official docs Authenticating for invocation which is about helping developer testing and I got that working, but this approach requires a SA and a generated token. It seems the docs mix up "authentication" (proving identity) and "authorization" (giving access) which is not making it easier to get the whole picture.
I want to authorize Google Cloud Function with the user's ID token generated from Identity Platform. The official Firebase docs says:
"When a user or device signs in using Firebase Authentication, Firebase creates a corresponding ID token that uniquely identifies them and grants them access to several resources, such as Realtime Database and Cloud Storage. You can re-use that ID token to authenticate the Realtime Database REST API and make requests on behalf of that user."
My setup
I got the following artifacts to test function authorization with user:
A local React app with npm 'firebase' and a login form calling firebase.auth().signInWithEmailAndPassword.
firebase is initialized with config fields apiKey and authDomain.
An Express API deployed to Cloud Functions with default permissions, but I've provided the cloudbuild file with --allow-unauthenticated as an attempt to only focus on authorization.
A local Postman request setup calling the Express API with authorization type=Bearer Token and token set to the ID token received in the React app's onAuthStateChanged from user.getIdToken()
The Postman request responds with 401 Unauthorized. Notice it says Unauthorized, not 403 Forbidden.
Research
When reading up on the topic, I came across the following approaches to solve my problem:
Fetch the user id from the token and push it to a custom backend service which does admin.auth().setCustomUserClaims and then do the function request. GC should then hopefully know about the token's new claims.
Also about claims; generate a new token (based on current ID token?) and set claims.aud to the URL of the function. The ID token I'm using has claims.aud=projectname which I'm not sure what means.
Verify token in function code by using firebase admin. But the authorization of access is still not performed, so this approach seems to miss something.
What is required?
I suppose authentication is ok, Google Cloud should recognize the bearer token (?) but I've also read that there's no built-in functionality for this. Anyway, the authorization part is less clear to me when it comes to function requests on user level.
To summarize:
How should we authorize an ID token from Identity Platform to Google Cloud Functions? Could any of the three above-mentioned approaches be used?
I'm having a bit trouble understanding this predicament a REST API supporting React Native (Mobile App) with OAuth2 authentication.
I've managed to setup the OAuth2 flow and can login via OAuth2 provider. This communication is still just between the Mobile App and the 3rd party OAuth2 provider. How can I use those tokens I've obtained (and actually trust the request) to create an account in my REST API so that the server can actually generate a JWT token that will be used for future requests?
Can't seem to find an answer to this question. Would love some help with this one
Ok, I've managed to figure this one out.
To achieve what I want the Client (in this case mobile app) does the authentication flow and will receive an access_token and a refresh_token along with an id_token. The last one (id_token) contains the info about the user which the app should send to my REST API. Once the server receives it it will make an HTTP request to Google (my OAuth2 Provider) to verify that this token is in fact a valid one and issued by them.
After that I just create an account and issue my own token in response to the Mobile's App request.
It's explained here in Google Docs
Most likely all the major identity providers would follow along this path. Or, at least I'm hoping they do.
This is not exactly a problem; rather I would like to clarify Firebase authentication.
I build an Angular app and I use Firebase Authentication to sign in via Facebook (later with other providers too). Everything works fine. However, I need to verify access token. Since I get two tokens, one from Facebook and one from Firebase, should I verify both? Or verifying Firebase IdToken is enough?
Does Firebase "verify" Facebook (and other providers) access token?
Firebase Auth will verify the Facebook access token before they complete sign-in for that user and mint an ID token for that user. It is the whole point of using Firebase Auth. You don't need to manage different providers and their intricacies. They do it for you. You just get one standard credential (ID token) regardless of the underlying provider. You only need to verify that ID token.
You get the verification for free (they verify under the hood) with other Firebase Services (RTDB, Firestore, Storage). If you are using your own server, you can use Firebase Admin SDK to verify the token.
I am working on generating token for agora using appId and certificate. I am able to generate the token. But I want to validate the token, what is the Api calls, I can make, for checking whether my token is valid or not.
Note : I don't want to use any sdk. I just want plain REST APIs calls.
I am building a speech to text application for browser. Right now I am recording and sending the voice from frontend to backend, from backend calling the google api for converstion. Now the problem is processing time is high.
what I need is to call the google api from frontend itself. problem with this step is api key is getting exposed to user and leads to security issue.
So can I generate a session based auth token for speech to text api, which will be valid for client for some duration of time. any tutorial link will also do.
Just about everything Google creates supports OAuth 2.0. Text to Speech certainly does.
Authenticating is easy. Here is a link on how to use OAuth 2.0 with Google APIs.
Using OAuth 2.0 to Access Google APIs
Here is link on how to integrate Google Sign-In to your Web App:
Add Google Sign-In to Your Web App
And a link for adding OAuth 2 to your backend server in PHP:
Using OAuth 2.0 for Web Server Applications
I would use Google Accounts to start. Google Sign-In makes this easy to implement for the client. Either implement OAuth 2.0 on the backend (recommended) or on the client.
Once you complete the OAuth 2 flow, you will have a token that consists of an Access Token, Refresh Token and Client ID Token. You will use the Access Token to authorize API calls. You will use the Refresh Token to refresh the Access Token as it expires every 60 minutes. The Client ID Token will provide you with their identity information.