This is not exactly a problem; rather I would like to clarify Firebase authentication.
I build an Angular app and I use Firebase Authentication to sign in via Facebook (later with other providers too). Everything works fine. However, I need to verify access token. Since I get two tokens, one from Facebook and one from Firebase, should I verify both? Or verifying Firebase IdToken is enough?
Does Firebase "verify" Facebook (and other providers) access token?
Firebase Auth will verify the Facebook access token before they complete sign-in for that user and mint an ID token for that user. It is the whole point of using Firebase Auth. You don't need to manage different providers and their intricacies. They do it for you. You just get one standard credential (ID token) regardless of the underlying provider. You only need to verify that ID token.
You get the verification for free (they verify under the hood) with other Firebase Services (RTDB, Firestore, Storage). If you are using your own server, you can use Firebase Admin SDK to verify the token.
Related
I am building an ASP.NET Core 6 Web API application for mobile clients (and maybe later SPA JS app). The application should have sign-in with Google option. I also want to add my own app's custom sign up and sign in options that would also be based on JWT authentication and not cookie.
I understand that for my custom sign in flow my app will generated JWT that will be sent to the client.
But I have few questions how that works when user signs-in with its Google account:
who's responsibility is to generate the JWT when user signs-in with its Google account? Is that responsibility of Google or mine application? I don't want Google to return JWT to the client in the cookie.
Then when client is authenticated with Google, and sends requests to my application, how can my application validate JWT token it gets?
When user signs in with Google for the first time, should I automatically register that user in my application (I am using Identity framework) by taking claim values (email) from the JWT? What is the general practice here?
I am trying to understand these processes and flows so sample code is not necessary (but I do welcome it).
Ad.1. Normally, in a larger system, you would have an authorization server (AS) that would handle user authentication and the issuance of tokens. Your clients would contact only the AS, and the AS will be able to provide the user with different forms of authentication: e.g., through your website's password or through Google. The AS is the single point of issuing tokens to your clients. It can issue tokens regardless of the authentication method used. So it then doesn't matter whether the user authenticated with Google or a password, the client will still get the same access token.
Ad.2. When the AS issues token to your client, then you don't have any problems validating that token. The client doesn't care if the user authenticated with Google or not, it's not relevant in this case.
If you decide to skip using an AS and let the client receive tokens directly from Google, then you can still verify them. An ID token is a JWT and can be easily validated with a JWT library using verification keys provided by Google. Access tokens returned by Google are opaque tokens (If I remember correctly), and you need to check whether Google exposes an endpoint to verify them.
Ad.3. That is the general practice. When the user authenticates with Google and you notice that you don't have that user's data in your system, then you take the information from Google's ID token and create a user entry in your system.
Intro
So I have read official docs Authenticating for invocation which is about helping developer testing and I got that working, but this approach requires a SA and a generated token. It seems the docs mix up "authentication" (proving identity) and "authorization" (giving access) which is not making it easier to get the whole picture.
I want to authorize Google Cloud Function with the user's ID token generated from Identity Platform. The official Firebase docs says:
"When a user or device signs in using Firebase Authentication, Firebase creates a corresponding ID token that uniquely identifies them and grants them access to several resources, such as Realtime Database and Cloud Storage. You can re-use that ID token to authenticate the Realtime Database REST API and make requests on behalf of that user."
My setup
I got the following artifacts to test function authorization with user:
A local React app with npm 'firebase' and a login form calling firebase.auth().signInWithEmailAndPassword.
firebase is initialized with config fields apiKey and authDomain.
An Express API deployed to Cloud Functions with default permissions, but I've provided the cloudbuild file with --allow-unauthenticated as an attempt to only focus on authorization.
A local Postman request setup calling the Express API with authorization type=Bearer Token and token set to the ID token received in the React app's onAuthStateChanged from user.getIdToken()
The Postman request responds with 401 Unauthorized. Notice it says Unauthorized, not 403 Forbidden.
Research
When reading up on the topic, I came across the following approaches to solve my problem:
Fetch the user id from the token and push it to a custom backend service which does admin.auth().setCustomUserClaims and then do the function request. GC should then hopefully know about the token's new claims.
Also about claims; generate a new token (based on current ID token?) and set claims.aud to the URL of the function. The ID token I'm using has claims.aud=projectname which I'm not sure what means.
Verify token in function code by using firebase admin. But the authorization of access is still not performed, so this approach seems to miss something.
What is required?
I suppose authentication is ok, Google Cloud should recognize the bearer token (?) but I've also read that there's no built-in functionality for this. Anyway, the authorization part is less clear to me when it comes to function requests on user level.
To summarize:
How should we authorize an ID token from Identity Platform to Google Cloud Functions? Could any of the three above-mentioned approaches be used?
I am currently using Firebase Authentication in my app using the built-in OIDC providers (Google, Facebook etc.). Is it possible to use Okta as an additional OIDC provider with minimal modifications to my app, meaning Okta should behave just like any other built-in provider? Firebase Auth apis, such as firebase.auth().currentUser and firebase.auth().onAuthStateChanged() should still work.
The doc page for Custom Authentication talks about getting a custom token from an auth server, but does not clarify if that's an OAuth access token. Is there an example of Okta integration or a generic OIDC integration that works seamlessly with Firebase auth?
There's no built-in Okta provider for Firebase Authentication, but if you have an existing authentication flow for it, it's fairly easy to integrate it into Firebase as a custom provider.
It's a 6 step process:
You gather the user credentials on the client.
You pass those credentials to a trusted environment, either a server you control, or Cloud Functions.
On the server you verify that the credentials are correct according to Okta, typically by calling a server-side API they provide with a key you provide.
You then use the results of that call to mint a new ID token for the user. This is a JWT, not an OAuth access token.
You pass back that ID token from the server to the client.
The client then calls firebase.auth().signInWithCustomToken(token) with the ID token, to sign in to Firebase Authentication.
We're planning to use IDaaS for better identity management. We are comparing functionalities between Okta, Auth0, and AWS Cognito.
However, Facebook provides a way to refresh user token. They also have an option for extending page token. My question is if I use any of IDaaS or identity management system, can I use those functionalities.
I know I can get a refresh token from Okta or Auth0 and use it to get access token. But could not find any way to retrieve or use the refresh token from Facebook. Am I missing anything?
I have added Facebook as Social Identity Provider. I can log in using via facebook account. My applications do not know about Facebook's App Id and secret. Is it possible to use the facebooks refresh token functionalities via IDaaS?
you can use Okta's Identity Provider API to get the Facebook access token issued for a user during authentication.
https://developer.okta.com/docs/api/resources/idps#identity-provider-social-authentication-token-model
You can then use it to call Facebook APIs to get a refresh token that you can then store within Okta as a custom attribute on the (idp)user profile.
I'm assuming that you want to use the FB refresh/access token to get additional data from Facebook. Is that your use case, or is it primarily about keeping the user logged in to facebook? More detail on the use case can help me provide more relevant information.
I am developoing a flutter app and want to use Firebase auth service to enable my users to signup/login using:
email/pass
google
facebook
I have a lumen backend REST server with MySQL database.
Problem: Going through loads of firebase documentation I cannot understand the whole flow of how this should work.
I can successfully create users using the app and they appear in the firebase console, however, I don't know how to enable them to securely talk to my backend server.
I would expect Firebase to release an access and refresh tokens for me to use for my private communication between the app and backend, like AWS cognito does. Instead, it issues an "ID Token" that is JWT token and should be verified on backend. But what do I do once it is verified?
How do I link my users in my database to the authenticated user? What is the thing to store in the database to map to the authenticated user?
Do I have to generate custom tokens via the Admin SDK?
Or is the ID Token the thing that should be passed from client to backend on each request and then verified? But still, what do I put from this ID token to my database to link the authenticated user with their data?
Here's how I do it now. It works great.
Install Firebase admin sdk on your backend server, if you are using php, here is what I've followed and worked flawlessly: PHP Firebase Admin sdk
Aquire firebase idToken using firebase SDK in your client (app), I've used Firebase auth package for this.
Send idToken to your backend
Use Admin SDK to verify the idToken, if verification is successful it returns a Firebase user object. And you can perform various management actions on it (modify, delete, get different data etc.).
Get uid from the Firebase user object.
Store uid in your database.
Now each time this authenticated user makes a request to your backend server, you attach the idToken to the header of the request.
Each time you verify (see step 4) the idToken on your backend server and if the verification is successful you extract the uid to know which user to query in your database.
Any comments/improvements on this are welcome :)