17

I'm using Firebase to handle my Google OAuth login for my website. Does anyone know how to restrict the users who have access to the application? For example, I only want x@gmail.com, y@gmail.com, and z@gmail.com to successfully be able to log in via Google to my application.

I wasn't sure if this was a Firebase or Google question, but any help would be much appreciated.

Frank van Puffelen
Arun Kalyanaraman
  • 1
    I don't know if I'm wrong, but isn't it possible to create allowed_email_list on your db and check if the entered email exists in that and then only allow login? – Jerin Joseph May 13 '20 at 08:46

2 Answers

17

Firebase's authentication handles only that: the authentication of users through any of the mechanisms you enable. Whether those users have access to your data is called authorization and it is handled through the security rules of your Firebase.

So:

Limiting access to your data to specific email addresses is certainly possible. I recommend that you read Firebase's documentation on its security rules and try to make it work based on that. If you have any problems, post what you've tried and we'll be able to help you better.

Frank van Puffelen
9

These rules will allow anybody to login, but only the listed email addresses to read or write data:

```
{
  "rules": {
    ".read":  "auth.email == 'x@gmail.com' || 
               auth.email == 'y@gmail.com' || 
               auth.email == 'z@gmail.com'",

    ".write": "auth.email == 'x@gmail.com' || 
               auth.email == 'y@gmail.com' || 
               auth.email == 'z@gmail.com'"
  }
}
```
paul
  • 1
    Cool, but would like to block login completely. In other words, they can go through Google Authentication, but it says you are not authorized on this page, or something. Would that use .validate somehow? Otherwise, it seems that folks can login, but they can't read/write, which is ok, but I would rather have them not login at all. – CodeFinity Jul 30 '18 at 18:36
  • @CodeFinity see [FrankVanPuffelen's post](https://stackoverflow.com/a/28422909/80428) about the difference between authentication vs authorisation, Firebase handles the former – Jay Wick Oct 02 '18 at 02:14
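
The split discussed in the answers and comments above, as an added example that is not part of the original posts: one allowlist drives both a "not authorized" decision for the page after sign-in and the rules document from the second answer. The function names are hypothetical, `claims` is assumed to be the decoded ID token payload with its `email`, `email_verified` and `firebase.sign_in_provider` fields, and the sample claims are constructed.

```javascript
// Added example. Addresses are the placeholders from the question.
const ALLOWED_EMAILS = ['x@gmail.com', 'y@gmail.com', 'z@gmail.com'];

// Conservative pattern: an entry that matches can never close the quoted
// string it is interpolated into when the rule expression is built.
const SAFE_EMAIL = /^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$/;

const deny = (reason) => ({ allowed: false, reason });

// Decide what the page shows after sign-in. This is a display decision
// only: the database rules stay the real enforcement point.
function authorize(claims, allowlist = ALLOWED_EMAILS) {
  const email = claims && typeof claims.email === 'string' ? claims.email : '';
  if (!email) return deny('no-email');
  // An unverified address proves nothing about who controls the mailbox.
  if (claims.email_verified !== true) return deny('email-unverified');
  const provider = claims.firebase && claims.firebase.sign_in_provider;
  if (provider !== 'google.com') return deny('wrong-provider');
  // Exact comparison, mirroring the `==` used in the rule expression.
  if (!allowlist.includes(email)) return deny('not-allowlisted');
  return { allowed: true, reason: 'ok' };
}

// Generate the rules document from the second answer out of the same list,
// so the page check and the server-side rules use identical addresses.
function buildRules(allowlist = ALLOWED_EMAILS) {
  const bad = allowlist.find((e) => typeof e !== 'string' || !SAFE_EMAIL.test(e));
  if (bad !== undefined) {
    throw new Error(`refusing unsafe allowlist entry: ${JSON.stringify(bad)}`);
  }
  const expr = allowlist.map((e) => `auth.email == '${e}'`).join(' || ');
  return { rules: { '.read': expr, '.write': expr } };
}

// Constructed sample claims.
const google = { sign_in_provider: 'google.com' };
const samples = [
  { email: 'x@gmail.com', email_verified: true, firebase: google },
  { email: 'x@gmail.com', email_verified: false, firebase: { sign_in_provider: 'password' } },
  { email: 'eve@gmail.com', email_verified: true, firebase: google },
];
for (const c of samples) console.log(c.email, authorize(c));
console.log(JSON.stringify(buildRules(), null, 2));
```

A denied result is the point at which the page can sign the user out and show the "not authorized" message; the generated rules still have to be deployed for the restriction to hold against a modified client.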