
Could anyone provide a working sample of a Swagger security definition for firebase authentication?

On the backend, firebase ID token is verified using the firebase admin SDK:

```typescript
import * as admin from 'firebase-admin';

await admin.auth().verifyIdToken(idToken);
```

What should be the values in the Swagger security definition to get the proper ID token for firebase?

```json
"securityDefinitions": {
    "firebase": {
        "authorizationUrl": "https://accounts.google.com/o/oauth2/v2/auth",
        "flow": "implicit",
        "type": "oauth2",
        "x-google-issuer": "https://securetoken.google.com/MY-PROJECT-ID",
        "x-google-jwks_uri": "https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com",
        "x-google-audiences": "MY-CLIENT-ID",
        "scopes": {
            "https://www.googleapis.com/auth/firebase": "Firebase scope"
        }
    }
}
```

I do get a token back, however, firebase admin SDK says it's not valid:

Decoding Firebase ID token failed. Make sure you passed the entire string JWT which represents an ID token

Not sure if this is because of the wrong scopes or token types...

Jofre
dennis
  • Your configuration seems OK. Do you use the user.getIdToken() method to get the Firebase token, which is different from the classic Google OAuth token? – Kimor May 03 '21 at 10:14

2 Answers


Using Firebase to authenticate users / Configuring your OpenAPI document explains it.
The given example definitely does not have any authorizationUrl or scopes section:

```yaml
securityDefinitions:
  firebase:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    # Replace YOUR-PROJECT-ID with your project ID
    x-google-issuer: "https://securetoken.google.com/YOUR-PROJECT-ID"
    x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com"
    x-google-audiences: "YOUR-PROJECT-ID"
```

And this firebase security definition also needs to be added into the security section, at either the API or method level:

```yaml
security:
  - firebase: []
```

It might help to read troubleshooting JWT validation.

Martin Zeitler
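
An added example (not from the answers above, nor from Firebase or Swagger code): a Node.js pre-check that reports why a token would not pass as a Firebase ID token, using the issuer and audience values from the definition above. It assumes the documented ID token shape (RS256, `kid`, `iss`, `aud`, `sub`, `exp`); `diagnoseToken`, `demo-project` and the sample tokens are hypothetical, and the signature is not checked.

```javascript
// Added example: structural pre-check only. It does NOT verify the signature;
// admin.auth().verifyIdToken() remains the authoritative check.
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const value = JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
  if (value === null || typeof value !== "object") throw new Error("not an object");
  return value;
}

// Returns the reasons `token` cannot be a Firebase ID token for `projectId`.
// An empty array means the header and claims have the expected shape.
function diagnoseToken(token, projectId, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) {
    return ["not a JWT: expected 3 dot-separated segments, got " + parts.length];
  }
  let header, payload;
  try {
    header = decodeSegment(parts[0]);
    payload = decodeSegment(parts[1]);
  } catch (err) {
    return ["not a JWT: header or payload is not base64url-encoded JSON"];
  }
  const issuer = "https://securetoken.google.com/" + projectId;
  const problems = [];
  if (header.alg !== "RS256") problems.push("alg is " + header.alg + ", expected RS256");
  if (!header.kid) problems.push("kid header is missing");
  if (payload.iss !== issuer) problems.push("iss is " + payload.iss + ", expected " + issuer);
  if (payload.aud !== projectId) problems.push("aud is " + payload.aud + ", expected " + projectId);
  if (typeof payload.sub !== "string" || payload.sub === "") problems.push("sub is missing");
  if (!(payload.exp > nowSec)) problems.push("exp is missing or in the past");
  return problems;
}

// Constructed, unsigned sample tokens; "demo-project" is a placeholder project ID.
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sampleToken = (header, payload) => enc(header) + "." + enc(payload) + ".c2ln";
const SAMPLE_NOW = 1700000000;
const SAMPLES = {
  firebaseIdToken: sampleToken({ alg: "RS256", kid: "k1" }, { iss: "https://securetoken.google.com/demo-project", aud: "demo-project", sub: "uid-1", exp: SAMPLE_NOW + 3600 }),
  googleIdToken: sampleToken({ alg: "RS256", kid: "k2" }, { iss: "https://accounts.google.com", aud: "constructed-client-id", sub: "1234", exp: SAMPLE_NOW + 3600 }),
  opaqueAccessToken: "ya29.constructed-opaque-value",
};
for (const [name, token] of Object.entries(SAMPLES)) {
  console.log(name, diagnoseToken(token, "demo-project", SAMPLE_NOW));
}
```
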

I am putting this here just for reference:

https://github.com/swagger-api/swagger-ui/pull/7699

I've started a PR that will enable the login/popup that Swagger uses to be plugged in with a custom extension that does Firebase-specific logic.

f.kowal
  • Looks like this is merged. I'm serving Swagger via `swagger-ui-express` middleware. Is there a way to integrate it with Firebase Auth? – galah92 Apr 24 '22 at 19:39