
I am new to Django and am trying to get the user authenticated using the Firebase Admin SDK. I am trying to do token authentication and have set up the Admin SDK in my Django app. Also I have received the client ID token in the Android app.

Now I am unable to understand how to send this ID to the backend and verify it as a user and create users accordingly. I did find this answer but couldn't really understand how to go about this.

Also, if a user is verified, how do I add and update its data? Do I pass the token again or is there any other way to do it?

rishi95

1 Answer


Your Android app should send its ID token along with all requests sent to the backend server. You can decide how to include that (as a header, as part of a JSON payload, etc.). In the backend server, you should always call auth.verify_id_token() and return an error (e.g. 401 Unauthorized) if the token fails to validate.

Hiranya Jayathilaka
  • How would the token be validated in the backend? @hiranya – rishi95 Mar 15 '18 at 07:14
  • Call `verify_id_token()` in Admin SDK: https://firebase.google.com/docs/auth/admin/verify-id-tokens#verify_id_tokens_using_the_firebase_admin_sdk – Hiranya Jayathilaka Mar 15 '18 at 17:23
  • Does this mean you will always verify the token with every single request on the API? Is this best practice for this case? I mean, imagine you have millions of requests to the API; then it means you will verify the token millions of times too. – kazuyahiko Nov 21 '18 at 05:22
  • That is the correct approach. Think of an OAuth-secured endpoint. You would want to verify the OAuth token on each request. This is similar. ID token verification is a fairly fast operation. After the first invocation, the public keys get cached and reused for subsequent calls (no RPC calls made). You can further speed things up by implementing your own token cache if you want. – Hiranya Jayathilaka Nov 21 '18 at 21:17
  • But using an interceptor, we can catch the identity token HTTPS calls to get tokens, and using that ID token anyone can send an HTTPS call to your function and tamper with it. What can we do to prevent it? – Dickson Xavier Oct 17 '20 at 19:32
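The flow the answer and its comments describe (token on every request, `verify_id_token()` on the backend, 401 on failure, optional short-lived cache of verified claims), as an added example that is not code from the original post, from the answerer, or from the firebase-admin project. It assumes the Android client sends the token as `Authorization: Bearer <id_token>`, that in production the injected `verify` callable is `firebase_admin.auth.verify_id_token` (after `firebase_admin.initialize_app()`), and that the `users` dict stands in for a Django model looked up by Firebase uid. The verifier is injected so the module runs without firebase-admin or Django installed; `demo()` drives it with a constructed fake verifier.

```python
"""Firebase ID-token authentication for a Django backend (added example, assumptions above)."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class AuthResult:
    status: int                   # 200 when authenticated, 401 otherwise
    uid: Optional[str] = None     # Firebase uid of the caller when authenticated
    error: Optional[str] = None   # short reason for a 401; never echo the token back


def extract_bearer_token(authorization: Optional[str]) -> Optional[str]:
    """Return the token from 'Bearer <token>'; None if the header is missing or malformed."""
    if not authorization:
        return None
    parts = authorization.split()
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1]


class IdTokenAuthenticator:
    """Verify the ID token on every request, then create/update the local user by uid."""

    def __init__(self, verify: Callable[[str], Dict], now: Callable[[], float] = time.time,
                 cache_ttl: int = 300) -> None:
        self._verify = verify          # production: firebase_admin.auth.verify_id_token (assumed)
        self._now = now
        self._cache_ttl = cache_ttl
        # token -> (valid_until, claims). Optional cache as suggested in the comments; note it
        # delays noticing a revoked token (verify_id_token(check_revoked=True)) by up to cache_ttl.
        self._cache: Dict[str, Tuple[float, Dict]] = {}
        self.users: Dict[str, Dict] = {}  # uid -> profile; a real app uses a Django model here

    def authenticate(self, headers: Dict[str, str]) -> AuthResult:
        token = extract_bearer_token(headers.get("Authorization"))
        if token is None:
            return AuthResult(401, error="missing or malformed Authorization header")
        claims = self._cached(token)
        if claims is None:
            try:
                claims = self._verify(token)
            except Exception:  # malformed, expired, wrong audience/issuer, bad signature: all 401
                return AuthResult(401, error="invalid ID token")
            valid_until = self._now() + self._cache_ttl
            exp = float(claims.get("exp", 0))
            if exp:
                valid_until = min(valid_until, exp)  # never reuse cached claims past the token's exp
            self._cache[token] = (valid_until, claims)
        uid = claims.get("uid") or claims["sub"]  # firebase_admin copies sub into uid
        profile = self.users.setdefault(uid, {"uid": uid, "request_count": 0})
        profile["email"] = claims.get("email")    # refresh user data from the verified token
        profile["request_count"] += 1
        return AuthResult(200, uid=uid)

    def _cached(self, token: str) -> Optional[Dict]:
        entry = self._cache.get(token)
        if entry is None:
            return None
        valid_until, claims = entry
        if self._now() >= valid_until:
            del self._cache[token]
            return None
        return claims


# Django glue (assumed wiring; request.headers is a case-insensitive mapping in Django >= 2.2):
#   authenticator = IdTokenAuthenticator(firebase_admin.auth.verify_id_token)
#   def profile_view(request):
#       result = authenticator.authenticate(request.headers)
#       if result.status != 200:
#           return JsonResponse({"error": result.error}, status=401)
#       return JsonResponse(authenticator.users[result.uid])


def demo() -> Dict[str, int]:
    """Stand-alone run with a constructed verifier and clock standing in for firebase_admin."""
    t0 = 1_700_000_000.0
    clock = [t0]
    calls = [0]

    def fake_verify(token: str) -> Dict:   # constructed stand-in: one known-good token
        calls[0] += 1
        if token == "good-token":
            return {"uid": "abc123", "sub": "abc123", "email": "a@example.com", "exp": t0 + 3600}
        raise ValueError("bad token")

    auth = IdTokenAuthenticator(fake_verify, now=lambda: clock[0], cache_ttl=300)
    out = {"no_header": auth.authenticate({}).status,
           "wrong_scheme": auth.authenticate({"Authorization": "Basic xyz"}).status,
           "forged": auth.authenticate({"Authorization": "Bearer forged"}).status,
           "good": auth.authenticate({"Authorization": "Bearer good-token"}).status,
           "good_again": auth.authenticate({"Authorization": "Bearer good-token"}).status}
    out["calls_before_expiry"] = calls[0]     # forged + first good = 2; second good hit the cache
    clock[0] = t0 + 301                        # past cache_ttl, still inside the token's lifetime
    out["good_after_ttl"] = auth.authenticate({"Authorization": "Bearer good-token"}).status
    out["calls_after_expiry"] = calls[0]      # re-verified once more = 3
    out["request_count"] = auth.users["abc123"]["request_count"]
    return out


if __name__ == "__main__":
    print(demo())
```

The cache is keyed by the raw token, so a stolen token is accepted exactly as long as Firebase itself would accept it and no longer; the ttl only bounds how long revocation goes unnoticed, which is the trade-off the comments describe.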