Firebase authentication for private server - firebase-authentication

I am developing a Flutter app and want to use the Firebase auth service to enable my users to sign up/log in using:
email/pass
google
facebook
I have a lumen backend REST server with MySQL database.
Problem: Going through loads of Firebase documentation, I cannot understand the whole flow of how this should work.
I can successfully create users using the app and they appear in the firebase console, however, I don't know how to enable them to securely talk to my backend server.
I would expect Firebase to release access and refresh tokens for me to use for my private communication between the app and backend, like AWS Cognito does. Instead, it issues an "ID Token" that is a JWT and should be verified on the backend. But what do I do once it is verified?
How do I link my users in my database to the authenticated user? What is the thing to store in the database to map to the authenticated user?
Do I have to generate custom tokens via the Admin SDK?
Or is the ID Token the thing that should be passed from client to backend on each request and then verified? But still, what do I put from this ID token to my database to link the authenticated user with their data?

Here's how I do it now. It works great.
1. Install the Firebase Admin SDK on your backend server. If you are using PHP, here is what I've followed and it worked flawlessly: PHP Firebase Admin SDK
2. Acquire the Firebase idToken using the Firebase SDK in your client (app); I've used the Firebase auth package for this.
3. Send the idToken to your backend.
4. Use the Admin SDK to verify the idToken; if verification is successful it returns a Firebase user object, and you can perform various management actions on it (modify, delete, get different data etc.).
5. Get the uid from the Firebase user object.
6. Store the uid in your database.
7. Now each time this authenticated user makes a request to your backend server, you attach the idToken to the header of the request.
8. Each time, you verify (see step 4) the idToken on your backend server and, if the verification is successful, you extract the uid to know which user to query in your database.
Any comments/improvements on this are welcome :)

Authorizing access to Google Cloud Functions with ID token from Identity Platform

Intro
So I have read the official docs Authenticating for invocation, which is about helping developers test, and I got that working, but this approach requires a SA and a generated token. It seems the docs mix up "authentication" (proving identity) and "authorization" (giving access), which is not making it easier to get the whole picture.
I want to authorize a Google Cloud Function with the user's ID token generated from Identity Platform. The official Firebase docs say:
"When a user or device signs in using Firebase Authentication, Firebase creates a corresponding ID token that uniquely identifies them and grants them access to several resources, such as Realtime Database and Cloud Storage. You can re-use that ID token to authenticate the Realtime Database REST API and make requests on behalf of that user."
My setup
I got the following artifacts to test function authorization with user:
A local React app with npm 'firebase' and a login form calling firebase.auth().signInWithEmailAndPassword.
firebase is initialized with config fields apiKey and authDomain.
An Express API deployed to Cloud Functions with default permissions, but I've provided the cloudbuild file with --allow-unauthenticated as an attempt to only focus on authorization.
A local Postman request setup calling the Express API with authorization type=Bearer Token and token set to the ID token received in the React app's onAuthStateChanged from user.getIdToken()
The Postman request responds with 401 Unauthorized. Notice it says Unauthorized, not 403 Forbidden.
Research
When reading up on the topic, I came across the following approaches to solve my problem:
Fetch the user id from the token and push it to a custom backend service which does admin.auth().setCustomUserClaims and then do the function request. GC should then hopefully know about the token's new claims.
Also about claims; generate a new token (based on current ID token?) and set claims.aud to the URL of the function. The ID token I'm using has claims.aud=projectname which I'm not sure what means.
Verify token in function code by using firebase admin. But the authorization of access is still not performed, so this approach seems to miss something.
What is required?
I suppose authentication is OK; Google Cloud should recognize the bearer token (?), but I've also read that there's no built-in functionality for this. Anyway, the authorization part is less clear to me when it comes to function requests on the user level.
To summarize:
How should we authorize an ID token from Identity Platform to Google Cloud Functions? Could any of the three above-mentioned approaches be used?
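The authorization step the question finds missing, as an added example rather than anything from the post. It assumes the ID token has already been verified (by admin.auth().verifyIdToken() inside the function, or by your own verifier) and decides on the decoded claims only. Two facts bear on the question's points: the aud of a Firebase ID token is always the Firebase project ID, which is what verifyIdToken checks, so it is not rewritten to the function URL; and the platform-level invoker check described under "Authenticating for invocation" accepts Google-signed identity tokens (the kind a service account or gcloud produces), not Firebase Authentication ID tokens, so a function deployed with --allow-unauthenticated has to do both verification and authorization itself in code. Express is not required to run the block: the middleware uses the Express (req, res, next) shape, and the demo drives it with hand-built request objects and a constructed lookup that stands in for token verification. Answering 401 for a missing or invalid token and 403 for a valid identity without the right keeps the two concepts apart.

```javascript
// Added example, not code from the question above. Authorization middleware
// over an already-verified ID token; the verify() lookup is constructed.

// Authentication gate: attaches the decoded token as req.user or ends with 401.
function requireAuth(verify) {
  return (req, res, next) => {
    const m = (req.headers.authorization || '').match(/^Bearer (.+)$/);
    if (!m) return res.status(401).json({ error: 'missing bearer token' });
    try {
      req.user = verify(m[1]);
    } catch (e) {
      return res.status(401).json({ error: 'invalid token' });
    }
    return next();
  };
}

// Role gate: custom claims set with admin.auth().setCustomUserClaims(uid, {...})
// appear as top-level fields of the decoded ID token once the client has
// refreshed it, so the rule reads them straight off req.user.
function requireClaim(name, expected = true) {
  return (req, res, next) => {
    if (!req.user) return res.status(401).json({ error: 'not authenticated' });
    if (req.user[name] !== expected) return res.status(403).json({ error: `requires claim ${name}` });
    return next();
  };
}

// Ownership gate: a user may act on their own record (route uid == sub), an
// admin on any record.
function requireSelfOrAdmin(req, res, next) {
  if (!req.user) return res.status(401).json({ error: 'not authenticated' });
  if (req.params.uid === req.user.sub || req.user.admin === true) return next();
  return res.status(403).json({ error: 'not the owner' });
}

// Tiny stand-in for app.get(path, ...middlewares): runs the chain in order and
// stops at whichever middleware sends a response.
function runChain(chain, req) {
  const res = {
    statusCode: 200, body: null,
    status(code) { this.statusCode = code; return this; },
    json(body) { this.body = body; return this; },
  };
  let i = 0;
  const next = () => { if (i < chain.length) chain[i++](req, res, next); };
  next();
  return res;
}

// Constructed "already verified" tokens. A real verify() would be
// (t) => admin.auth().verifyIdToken(t) (async, awaited) and throws on a bad
// signature, wrong project (aud) or expiry.
const decoded = {
  'tok-alice': { sub: 'alice', email: 'alice@example.com' },
  'tok-root': { sub: 'root', admin: true },
};
const verify = (t) => {
  if (!Object.prototype.hasOwnProperty.call(decoded, t)) throw new Error('invalid');
  return decoded[t];
};

const profileRoute = [requireAuth(verify), requireSelfOrAdmin,
  (req, res) => res.status(200).json({ uid: req.params.uid })];
const adminRoute = [requireAuth(verify), requireClaim('admin'),
  (req, res) => res.status(200).json({ ok: true })];

function request(route, token, params = {}) {
  const headers = token ? { authorization: `Bearer ${token}` } : {};
  return runChain(route, { headers, params });
}

function demo() {
  return {
    ownProfile: request(profileRoute, 'tok-alice', { uid: 'alice' }).statusCode,
    othersProfile: request(profileRoute, 'tok-alice', { uid: 'bob' }).statusCode,
    adminAnyProfile: request(profileRoute, 'tok-root', { uid: 'bob' }).statusCode,
    userOnAdmin: request(adminRoute, 'tok-alice').statusCode,
    rootOnAdmin: request(adminRoute, 'tok-root').statusCode,
    noToken: request(adminRoute, null).statusCode,
    garbage: request(adminRoute, 'not-a-token').statusCode,
  };
}
```

Of the three approaches listed in the question, this is the third one completed: verification in the function identifies the caller, and the claim and ownership gates are the authorization that the question notes is otherwise absent.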

Firebase Authentication via Cloud Functions using Express

I'm building a mobile app using React Native and Cloud Functions as the back-end, which will allow only authenticated users to access the Realtime Database. For authentication I would like to send the email and password to this function and then have the back-end create the user and send me back the token, which I will use to make requests to the API. I would like to know if this is possible and the right approach, or whether I should authenticate the user first directly in my app and then call the functions with the token that I got ...
If someone has an example, that would be awesome.
Thanks
Typically the client application performs the sign-in process so it can make use of the authentication token and keep it refreshed.

Facebook login via Firebase. Should I verify both Facebook access token and Firebase IdToken?

This is not exactly a problem; rather I would like to clarify Firebase authentication.
I build an Angular app and I use Firebase Authentication to sign in via Facebook (later with other providers too). Everything works fine. However, I need to verify the access token. Since I get two tokens, one from Facebook and one from Firebase, should I verify both? Or is verifying the Firebase IdToken enough?
Does Firebase "verify" Facebook (and other providers) access token?
Firebase Auth will verify the Facebook access token before they complete sign-in for that user and mint an ID token for that user. It is the whole point of using Firebase Auth. You don't need to manage different providers and their intricacies. They do it for you. You just get one standard credential (ID token) regardless of the underlying provider. You only need to verify that ID token.
You get the verification for free (they verify under the hood) with other Firebase Services (RTDB, Firestore, Storage). If you are using your own server, you can use Firebase Admin SDK to verify the token.

Authentication on LDAP Server using React Native and Firebase custom tokens

I'm trying to authenticate my users (from my RN application) through the LDAP server (I've already found one to try authentication here, and it works!). I can create a custom token using Firebase every time I receive the credentials of the users (username and password) and save it in the Firebase real-time database.
The main problem is that I do not know how to connect my application with the LDAP server, I investigated and found that I have to install something like openLDAP or ldapjs but I do not understand how authentication has to be
My guess is:
User login in my RN application
The RN application sends credentials to Firebase
Firebase creates a custom token (uses the Firebase Functions to generate the custom token)
Firebase returns the custom token to the RN application
The RN application sends the token to the LDAP server (the server has predetermined users and passwords for testing)
The LDAP server validates the token, therefore, authentication
LDAP server returns attributes or "not found" to the RN application
The RN app grants / denies access to the app
Any help or advice will be well received, thanks :)
Sorry for my bad English.
You're almost there, but instead of sending the Firebase custom token to the LDAP server, you authenticate the user with the LDAP server before minting the Firebase token. Both of these must be done in a trusted environment, such as a server you control or Cloud Functions, and you'll typically use a Firebase Admin SDK on that environment.
So:
User login in my RN application.
The RN application sends credentials to trusted environment.
Trusted environment verifies credentials with the LDAP server.
Trusted environment creates a custom token using the Firebase Admin SDK. If needed this token can contain custom attributes from the LDAP server, in the form of Custom Claims.
Trusted environment returns the custom token to the RN application
The RN app grants / denies access to the app.
For more on this, see the Firebase documentation on custom auth. From there:
To achieve this, you must create a server endpoint that accepts sign-in credentials—such as a username and password—and, if the credentials are valid, returns a custom JWT. The custom JWT returned from your server can then be used by a client device to authenticate with Firebase (iOS, Android, web).

Firebase custom OAuth authentication

Firebase appears to support OAuth-based authentication from Facebook, Twitter, Google, GitHub. What about a different OAuth provider? It would be great if there were a generic "OAuth" option where, in addition to specifying an API Key and Secret, you specified whatever other information was needed.
Is it possible to use Firebase's existing OAuth-based authentication modules without rolling my own custom OAuth authentication module for Firebase, possibly by forking one of the "built-in" OAuth mechanisms? Which one is the most generic, if so?
I also struggled with this for a while, and here's how I've done it for my project. Run a node.js express server that will have the role to:
get the req from your frontend app
redirect user to oauth page
return to node.js in case of success/error and compute the token needed for firebase in order to successfully login the user.
res with a cookie containing this token and redirect the user back to frontend app to complete the process.
You will have to run the node server on a different vps in order for your app to work but you'll probably need it anyway if you have a bigger app that needs to run private stuff on the backend and not everything upfront.
Firebase has five OAuth-based authentication options for now: Facebook, Twitter, Google, GitHub and Custom Auth. Using Custom Authentication, Firebase gives you complete control over user authentication by allowing you to authenticate using secure JSON Web Tokens (JWTs). So you can specify additional options in addition to an API Key and Secret. For example:
var FirebaseTokenGenerator = require('firebase-token-generator'); // legacy token generator package
var credentials = { admin: { uid: 'admin' } }; // placeholder token payloads keyed by user type
var logInAndThen = function(options) {
  var secret = '********************'; // Firebase secret, redacted
  var tokenGenerator = new FirebaseTokenGenerator(secret);
  var token = tokenGenerator.createToken(credentials[options.userType || 'admin']);
  return token; // the original snippet ends here
};