3

As the title implies, how do I generate an access token from a username and password on the server?

There are methods to do that on the client, but I can't find anything to do that directly on the server side.

vir us

2 Answers

11

Using the Firebase Admin SDK to create custom tokens based on sign-in credentials is confusing, since the documentation states:

Create Custom Token

Firebase gives you complete control over authentication by allowing you to authenticate users or devices using secure JSON Web Tokens (JWTs). You generate these tokens on your server, pass them back to a client device, and then use them to authenticate via the signInWithCustomToken() method.

To achieve this, you must create a server endpoint that accepts sign-in credentials—such as a username and password—and, if the credentials are valid, returns a custom JWT. The custom JWT returned from your server can then be used by a client device to authenticate with Firebase (iOS, Android, web).

There is an example of creating a custom token based on the user's Firebase uid:

admin.auth().createCustomToken(uid)

But the documentation does not show how to verify if user credentials are valid in the first place.

Since the Firebase Admin SDK does not provide methods for verifying credentials, a workaround is to use a combination of the Firebase Admin SDK as well as the Firebase Auth REST API.

  1. Use the Firebase Auth REST API to Sign in with email / password
  2. Upon successful authentication, use the Firebase Admin SDK method getUserByEmail
  3. The Firebase Admin SDK UserRecord will contain the uid, which can then be passed to admin.auth().createCustomToken(uid)
Christopher Peisert
  • 1
    Thanks Christopher, that seems to be the solution! Just in case, I'll paste the auth endpoint here from the link so it does not get lost if they move the documentation somewhere else: https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword?key=[API_KEY] – vir us Nov 10 '19 at 22:18
  • 1
    Also, as a note for those in a similar situation: while I kept digging into the integration, it appeared that other apps, instead of asking for credentials, are using API tokens for authorization (and asking users to provide them during Zapier authorization), which probably makes sense here as well. It's just a matter of implementing the corresponding logic for generating such tokens, as well as user lookup by the token and revoking it. Hm... it would probably be the same effort to implement OAuth2 altogether for the best UX. Anyway, just a note here – vir us Nov 10 '19 at 22:23
  • Do you have any more details on how people are using API tokens for auth? Any links, blogs, etc.? – Will Nov 30 '19 at 00:52
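The three steps from the first answer combined into one Node.js function. This is an added example, not code from the answer or from Firebase. The injected `fetchImpl` and `adminAuth` parameters, the `AuthError` class and the `constructedFakes` stand-ins are assumptions made so the flow runs offline; the request body and the `localId` response field are those of the Firebase Auth REST API sign-in endpoint.

```javascript
// Added example (not from the answer). fetchImpl and adminAuth are injected so
// the flow runs offline; in production pass globalThis.fetch and the object
// returned by admin.auth() from firebase-admin.
const SIGN_IN_URL = 'https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword';

class AuthError extends Error {}

async function issueCustomToken({ email, password }, { apiKey, fetchImpl, adminAuth }) {
  if (typeof email !== 'string' || typeof password !== 'string' || !email || !password) {
    throw new AuthError('invalid credentials');
  }
  // Step 1: the Firebase Auth REST API checks the password.
  const res = await fetchImpl(`${SIGN_IN_URL}?key=${encodeURIComponent(apiKey)}`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ email, password, returnSecureToken: true }),
  });
  const body = await res.json();
  // Every failure (unknown email, wrong password, disabled user) becomes the
  // same error, so the endpoint does not disclose which accounts exist.
  if (!res.ok || !body.localId) throw new AuthError('invalid credentials');

  // Step 2: Admin SDK lookup; the uid must match the one the REST API returned.
  const user = await adminAuth.getUserByEmail(email);
  if (user.disabled || user.uid !== body.localId) {
    throw new AuthError('invalid credentials');
  }
  // Step 3: mint the custom token for the verified uid.
  return adminAuth.createCustomToken(user.uid);
}

// Constructed stand-ins for the REST endpoint and the Admin SDK (hypothetical data).
function constructedFakes() {
  const account = { email: 'alice@example.com', password: 'correct horse', uid: 'uid-123' };
  const fetchImpl = async (_url, init) => {
    const sent = JSON.parse(init.body);
    const ok = sent.email === account.email && sent.password === account.password;
    const payload = ok
      ? { localId: account.uid, email: account.email }
      : { error: { code: 400, message: 'INVALID_PASSWORD' } };
    return { ok, json: async () => payload };
  };
  const adminAuth = {
    getUserByEmail: async () => ({ uid: account.uid, disabled: false }),
    createCustomToken: async (uid) => `custom-token-for-${uid}`,
  };
  return { apiKey: 'API_KEY_PLACEHOLDER', fetchImpl, adminAuth };
}
```

Serve the endpoint that wraps this function over TLS only and rate-limit it, since it accepts raw passwords.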
2

From what I see, you can use the Firebase Flutter package to log in with username and password.

  var credentials = await auth.signInWithEmailAndPassword(email: email, password: password);
  String token = await credentials.user.getIdToken();

Then you can pass this token in the HTTP header as a Bearer token. On the server side, you can just use verifyToken from the Admin SDK:

FirebaseAuth.getInstance().verifyIdToken(token)
sendon1982