
Web client signs in successfully directly with firebase. Now it wants to talk to my own nodejs (non-firebase) server. How does my server verify the web-client is really signed in with firebase? Note: my server doesn't manage any user account passwords.

https://firebase.google.com/docs/auth/admin/custom-claims seems to use this flow:

For simplicity, let me call my good web client Bob.

Step 1: Bob needs to send password + email to my own (non-firebase) server. Now my server knows Bob is Bob, and gives Bob client-side a token "bob-token"

Step 2: Bob on client-side calls firebase firebaseTokenFromFirebase = firebaseFunction.signInWithToken("bob-token")

Step 3: Bob sends firebaseToken to my own server

Step 4: On my own server, I can make a verification request directly to firebase bobReallySignedIntoFirebase = firebaseAdmin.verify(firebaseTokenFromFirebase). And if ok, now my server knows Bob really signed into Firebase.

But question: My server doesn't manage passwords at all. So my server cannot verify "Bob is Bob" in Step 1. Is there a way for my server to only rely on Firebase?

Ideally, Bob signs in directly with firebase, and receives an asymmetrically signed JWT (containing Bob's basic info) that can be independently verified by my own server (my server only needs the public key; firebase produces the JWT with the private key).

Morris

1 Answer


There is no way to sign a specific user in to Firebase from the Admin SDKs, as the Admin SDK doesn't have the concept of a current user.

The idiomatic approach is to sign in your users in their client-side code with a Firebase SDK, and then pass the ID token to your server when you need to establish identity/authority. This is what most Firebase SDKs and services also do under the hood.

If you want to sign your users in on your server, you'll have to call the Firebase Authentication REST API.

Also see:

Frank van Puffelen
  • Thanks, @Frank. Your suggestion is good. But I believe there is another idiomatic solution which serves my case even better: https://firebase.google.com/docs/auth/admin/verify-id-tokens#web Essentially, the client side still directly authenticates with Firebase. My backend then asks my client side to send this Firebase token, and then my backend can independently verify the token is valid, and my backend never needs to witness (like forwarding) user passwords. – Morris Feb 12 '22 at 20:08
  • Ah yeah, if this is not about signing the user in to the server, but about verifying the authorization of a user that was already signed in on a client, then that'd indeed be the way to go. – Frank van Puffelen Feb 12 '22 at 20:31