
All the users of the Firebase project are authenticated using the Phone provider.

I am setting a custom claim for all users using C# as follows:

    using System.Collections.Generic;
    using System.Threading.Tasks;
    using FirebaseAdmin.Auth;

    // Sets the "admin" custom claim on every user in the project. Custom claims
    // are baked into the ID token, so a client only sees the new claim after its
    // ID token is refreshed (forced on the client, or at the hourly expiry).
    // Note: this grants the claim to every user; in practice an admin claim
    // should be restricted to the accounts that need it.
    static async Task SetAdminClaimOnAllUsersAsync()
    {
        var claims = new Dictionary<string, object>()
        {
            { "admin", true },
        };
        var pagedEnumerable = FirebaseAuth.DefaultInstance.ListUsersAsync(null);
        var responses = pagedEnumerable.AsRawResponses().GetAsyncEnumerator();
        while (await responses.MoveNextAsync())
        {
            ExportedUserRecords response = responses.Current;
            foreach (ExportedUserRecord user in response.Users)
            {
                // Await the call: the original fired it without awaiting, so the
                // claim could be left unset and any failure was silently lost.
                await FirebaseAuth.DefaultInstance.SetCustomUserClaimsAsync(user.Uid, claims);
            }
        }
    }

In the Firebase Realtime Database I have the following nodes:

    {
      "Configuration" : {
        "Sync" : "XYZ"
      },
      "adminContent" : {
        "key" : "val1"
      }
    }

I am trying to configure the database access rules using the custom claim as follows:

    {
      "rules": {
        "adminContent": {
          ".read": "auth.token.admin === true",
          ".write": "auth.token.admin === true"
        }
      }
    }

I am trying to use the Rules Playground to verify read access to the adminContent node and am getting the following error:

Error while validating read access using Rule Playground

The result pop-up reads:

    Request
        Type:     read
        Location: /adminContent
        Data:     null
        Auth:     { "provider": "anonymous", "uid": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" }
        Admin:    false

    Response
        READ Denied
        Line 5 (/adminContent) read: "auth.token.admin === true"

Using C# code I have verified that the admin custom claim exists on the user.

Will anyone please help me fix this error?

Frank van Puffelen
  • I don't see an `admin` claim in the screenshot of your rules playground, so it seems to be expected that the read is rejected in that case, isn't it? – Frank van Puffelen Aug 20 '21 at 18:31
  • Hello Frank, thank you for your time. I am not sure how to add the admin claim in the rules playground. 1. The user is provided with the custom claim admin; 2. The DB asks for the admin custom claim in the rule; 3. The rules playground provides the uid of the user who has the admin custom claim provided within authentication and asks to read a node; so the rule evaluator should pass; this is how I understand it. I am sure I am not following what you are saying. Will you please explain a little more? Another question: is the way I specify the rule in the Realtime DB correct? Do I have to use the "match and allow" pattern? Thank you. – Raviraj Bhalerao Aug 21 '21 at 06:13
  • The link explains how to set the custom claim in the playground. Which of the steps in that link are you stuck at? – Frank van Puffelen Aug 21 '21 at 14:36
  • Hello Frank, I will let you know on Monday. Not in office today and tomorrow. Thank you. – Raviraj Bhalerao Aug 21 '21 at 18:18
  • Hello Frank, 1. The link you have suggested is using the "match/allow" pattern. Do I have to use it the same way? 2. In the answer to the question in the link you gave, you have suggested to _specify the admin claim in the rules playground by selecting the Custom provider, and then editing the Auth token payload to include a token.admin property_. How do I do so? I tried - _Type read Location / Data null Auth { "provider": "anonymous", "uid": "xxxxxxxxxx" } Admin true_ in the playground and it succeeded. Is that correct? – Raviraj Bhalerao Aug 22 '21 at 14:10
  • Hello Frank, which link were you referring to? I do not understand how to specify the admin claim in the rules playground. I tried with the custom provider and the Admin checkbox checked, and the rule passes for the custom claim even if that claim does not exist. There is scarce documentation available for implementing Firebase in Xamarin. Your help is very much appreciated. – Raviraj Bhalerao Aug 29 '21 at 14:33
  • Did you get the `admin` claim working in the playground? – Frank van Puffelen Aug 29 '21 at 14:53
  • If you are talking about admin as a custom claim, which can be substituted with any other name, then I did not get it working. If you are talking about admin as in the check box in the playground, yes, it works. – Raviraj Bhalerao Aug 29 '21 at 15:21

1 Answer

The rules playground in the Firebase console doesn't read any profile information of existing users. If you want to test whether the read is allowed when a user has the admin claim, you'll need to specify that claim in the rules playground by selecting the Custom provider, and then editing the Auth token payload to include it.

Also see: Firestore online rules simulator fails with custom claims, which I just found and against which I will actually close your question as a duplicate.

Frank van Puffelen
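To make the answer concrete, here is an added example (not code from the question, the answer, or Firebase itself): a small Node.js model of what the Rules Playground is actually evaluating. In a rule, `auth.token` is the decoded payload of the caller's ID token, so a custom claim is only visible if it is in that payload; the playground builds the payload from the form, not from the real user record, and the "Admin" toggle simulates an Admin SDK request, which bypasses security rules entirely. That reproduces all three outcomes in the thread: the anonymous-provider payload without `admin` is denied, a payload carrying `admin: true` is allowed, and the Admin toggle passes whether or not the claim exists. The rules object is copied from the post; the token payloads are constructed samples, and the evaluator is a simplification (literal child keys only, `.read` only), not Firebase's engine. The last helper decodes a JWT payload without verifying it, which is only for checking what claims a client's current token carries (a token issued before `SetCustomUserClaimsAsync` ran does not have the claim until it is refreshed), never for an authorization decision.

```javascript
// Added example, not from the original post or Firebase. Toy model of how a
// Realtime Database `.read` rule is decided for a simulated request.

// Rules copied verbatim from the question.
const RULES = {
  rules: {
    adminContent: {
      ".read": "auth.token.admin === true",
      ".write": "auth.token.admin === true",
    },
  },
};

// Collect every `.read` expression from the root down to `location`.
// Rules cascade: a `.read` that is true on any ancestor grants the subtree.
// Simplification: literal child keys only, no `$wildcard` keys.
function readExpressionsOnPath(rules, location) {
  const segments = location.split("/").filter(Boolean);
  const exprs = [];
  let node = rules.rules;
  for (let i = 0; ; i++) {
    if (typeof node[".read"] === "string") exprs.push(node[".read"]);
    if (i === segments.length) break;
    node = node[segments[i]];
    if (node === undefined) break; // no rule below this point: implicit deny
  }
  return exprs;
}

// Evaluate one rule expression against `auth`. The real rules language is a
// restricted expression language; running the constant, author-controlled
// rule string through Function is an approximation that suffices here.
// As in Firebase, an error (e.g. `auth.token` when auth is null) is a deny.
function evaluateReadRule(expr, auth) {
  try {
    return new Function("auth", `"use strict"; return (${expr}) === true;`)(auth);
  } catch {
    return false;
  }
}

// What the rule engine sees as `auth`: uid, sign-in provider, and the decoded
// ID token payload (`auth.token`), which is where custom claims live.
function authFromIdTokenPayload(payload) {
  if (payload === null) return null; // unauthenticated request
  const provider = (payload.firebase && payload.firebase.sign_in_provider) || "custom";
  return { uid: payload.sub, provider, token: payload };
}

// Simulate one read the way the playground form describes it.
// `admin: true` models the "Admin" toggle: an Admin SDK request, rules bypassed.
function simulateRead(rules, { location, tokenPayload, admin = false }) {
  if (admin) return { allowed: true, reason: "Admin SDK request: rules bypassed" };
  const auth = authFromIdTokenPayload(tokenPayload);
  const exprs = readExpressionsOnPath(rules, location);
  if (exprs.length === 0) return { allowed: false, reason: "no .read rule applies: implicit deny" };
  const granted = exprs.find((e) => evaluateReadRule(e, auth));
  return granted
    ? { allowed: true, reason: `read: "${granted}" evaluated to true` }
    : { allowed: false, reason: `read: "${exprs[exprs.length - 1]}" evaluated to false` };
}

// base64url helpers (written out so this runs on older Node versions too).
const toB64Url = (s) =>
  Buffer.from(s).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const fromB64Url = (s) =>
  Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf8");

// Read the claims of an ID token WITHOUT verifying the signature. Only for
// inspecting what a client currently holds; never use this for authorization.
function unverifiedClaims(idToken) {
  const parts = idToken.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  return JSON.parse(fromB64Url(parts[1]));
}

// Constructed, unsigned stand-in for an ID token; not a real Firebase token.
function constructedIdToken(payload) {
  return `${toB64Url(JSON.stringify({ alg: "none", typ: "JWT" }))}.${toB64Url(JSON.stringify(payload))}.`;
}

// Constructed sample payloads for a phone-provider user, as in the question.
const PHONE_USER_NO_CLAIM = {
  sub: "uid-phone-user",
  phone_number: "+15555550100",
  firebase: { sign_in_provider: "phone" },
};
const PHONE_USER_ADMIN = { ...PHONE_USER_NO_CLAIM, admin: true };

for (const [label, req] of [
  ["no admin claim ", { location: "/adminContent", tokenPayload: PHONE_USER_NO_CLAIM }],
  ["admin claim    ", { location: "/adminContent", tokenPayload: PHONE_USER_ADMIN }],
  ["Admin toggle   ", { location: "/adminContent", tokenPayload: PHONE_USER_NO_CLAIM, admin: true }],
  ["unauthenticated", { location: "/adminContent", tokenPayload: null }],
]) {
  console.log(label, simulateRead(RULES, req));
}
```

The practical check this suggests: if a real client is denied even though the claim is set server-side, decode that client's current ID token (`unverifiedClaims` above, or any JWT viewer) and confirm `admin` is present; if it is missing, the token predates the claim and needs a refresh. And when reproducing the case in the playground, put the claim into the Auth token payload under the Custom provider rather than ticking Admin, because the Admin toggle does not exercise the rule at all.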