16

I am developoing a flutter app and want to use Firebase auth service to enable my users to signup/login using:

  • email/pass
  • google
  • facebook

I have a lumen backend REST server with MySQL database.

Problem: Going through loads of firebase documentation I cannot understand the whole flow of how this should work.

I can successfully create users using the app and they appear in the firebase console, however, I don't know how to enable them to securely talk to my backend server.

I would expect Firebase to release an access and refresh tokens for me to use for my private communication between the app and backend, like AWS cognito does. Instead, it issues an "ID Token" that is JWT token and should be verified on backend. But what do I do once it is verified?

How do I link my users in my database to the authenticated user? What is the thing to store in the database to map to the authenticated user?

Do I have to generate custom tokens via the Admin SDK?

Or is the ID Token the thing that should be passed from client to backend on each request and then verified? But still, what do I put from this ID token to my database to link the authenticated user with their data?

Mantoska
  • 1,349
  • 1
  • 12
  • 28

1 Answers1

20

Here's how I do it now. It works great.

  1. Install Firebase admin sdk on your backend server, if you are using php, here is what I've followed and worked flawlessly: PHP Firebase Admin sdk
  2. Aquire firebase idToken using firebase SDK in your client (app), I've used Firebase auth package for this.
  3. Send idToken to your backend
  4. Use Admin SDK to verify the idToken, if verification is successful it returns a Firebase user object. And you can perform various management actions on it (modify, delete, get different data etc.).
  5. Get uid from the Firebase user object.
  6. Store uid in your database.
  7. Now each time this authenticated user makes a request to your backend server, you attach the idToken to the header of the request.
  8. Each time you verify (see step 4) the idToken on your backend server and if the verification is successful you extract the uid to know which user to query in your database.

Any comments/improvements on this are welcome :)

Mantoska
  • 1,349
  • 1
  • 12
  • 28
  • Thank you for your solution! I have a basic question! I'm trying to sync Firebase Auth to MySQL via iOS(Here's my question https://stackoverflow.com/questions/54703955/how-to-sync-firebase-auth-with-mysql-db-via-iosswift) I thought that, to verify user, at 'SignUp' step, I need to store a common key(ex. E-Mail, userID) in both Firebase Auth and MySQL in advance. But, based on your explanation, getting uid from the Firebase is the first, and storing uid in your database is the second. 'Verification' process is not the comparing whether both keys are in common or not? – Hoo Feb 15 '19 at 10:49
  • 1
    really hot topic and no any other answers(( – Ilya Sulimanov Feb 28 '19 at 02:29
  • 2
    also see https://firebase.google.com/docs/auth/admin/verify-id-tokens –  Jan 30 '20 at 22:08
  • @Mantoska thanks a lot for sharing this! question: why do you need to store the firebase uid into your mysql database? besides the idToken verification, do you make another check or query that uses the uid? – czmarc Apr 14 '20 at 19:22
  • 1
    @czmarc why you store firebase uid is explained in step 8. I.e. With every subsequent request from the app you will be sending the idToken, by verifying it in backend you will get a firebase user object which in turn gives you uid and that is how you know which record to perform action on in your mysql database. Note that idToken changes after some amount of time. That's why you always need to verify it and get uid. For the second question, yes, users or some data can be associated with uid. – Mantoska Apr 14 '20 at 23:32
  • 1
    if your website were like stackoverflow with a simple mysql (table users and questions). let's suppose that an user is correctly logged and posts a new question, it would send the tokenid in the header, the server would validate and return the uid. then, which way you would use the uid on your server? would you make a simple select query based on uid just to check if the user really exists on your users table, before inserting a new question on questions table or would you insert directly a new question assuming the uid as the 'user_id' ('questioner') on questions table, or any other way? – czmarc Apr 15 '20 at 01:34
  • This seem irrelevant to the original SO question, as you are asking about the database architecture and not the authentication. And this is your decision on how you will link the newly posted question to the registered user. – Mantoska Apr 15 '20 at 08:59
  • Why not just use the Firebase Uid for all subsequent requests, thereby not requiring the server to ping Firebase on every request? – lilbiscuit Jan 14 '23 at 12:57