Login with password only - use fake email address for Firebase Authentication?


Ian

Aug 30, 2016, 12:15:22 AM
to Firebase Google Group
Hi everyone,

We are new to Firebase Authentication and would like to use it to protect our web-based demo.

For that demo we would like to send out login credentials, ideally like this:

Your password is: newyork

If Maria clicks, the website would only ask for the password and she could easily log in.

However, Firebase Authentication requires an email address. That's why our idea was to add demo users as us...@demo.ourdomain.com, e.g. ma...@demo.ourdomain.com.

What do you think about this approach? Our app would convert the URL parameter into an email address and just ask the user for the password.

Best regards,
Ian

Kato Richardson

Aug 30, 2016, 12:10:45 PM
to Firebase Google Group
Hi Ian,

If you want to use custom authentication methods, then you should probably sign your own tokens, which will allow you complete control over the process. It's a small learning curve in return for immense flexibility and options.

Also, you may want to look at Anonymous auth if you're looking for a friction-free way to track user identity.

☼, Kato

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-talk+unsubscribe@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/5f1905c6-6256-4fe4-9352-be76c06fa1eb%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--

Kato Richardson | Developer Programs Eng | kato...@google.com | 775-235-8398

Ian

Aug 30, 2016, 3:38:45 PM
to Firebase Google Group
Hi Kato,

Thanks for your message and support!

We planned to use anonymous auth and also wanted to offer the option to connect a social login like Google and link it to the account. Our SPA connects to an API behind Google Cloud Endpoints v2 (currently in alpha) which seems to support Firebase Authentication verification.

Honestly, we are a bit lost, authentication and authorization are tricky. Is this how it would work?
  1. Maria opens the link http://demo.ourdomain.com/?user=maria in a browser.
  2. http://demo.ourdomain.com/?user=maria contains the Firebase Authentication JavaScript and authenticates her anonymously. (Q: Anonymous users don't show up in the Firebase Auth Users list as long as they haven't actually logged in, right?)
  3. http://demo.ourdomain.com/?user=maria asks for a password, which Maria enters and submits. On submit a request is sent to our API which verifies her login credentials and provides a token. (Q: This solution would require a user account management separately from Firebase Authentication, our server could not connect to Firebase to look for username and password there, right?)
  4. The token from the backend would be sent to Firebase and a new user with the given UID would be created and logged in, Maria could start using our SPA.
  5. When she decides to add her Google account, she would log into her Google account via Firebase and after she returns successfully from Google, her Google account would be linked to the UID initially provided by our API server. (Q: Do linked accounts show up as a single entry in Firebase Auth Users?)
  6. Subsequent requests to our API would require authentication and Google Cloud Endpoints v2 would allow or reject requests to these resources accordingly.
If we would send 'ma...@demo.ourserver.com' instead of just 'maria' to Firebase, we could manage these user accounts in Firebase only and would not need a backend for authentication, right? We also wanted to use Firebase to store audiences for access control which is also supported by Cloud Endpoints v2.

Any help and advice is greatly appreciated!

Best regards,
Ian


Ian

Sep 3, 2016, 10:53:17 AM
to Firebase Google Group
Hi Kato,

Using a fake email address is quite hacky but fairly easy actually as you certainly know:

var email = document.getElementById('email').value + '@demo.ourdomain.com';

It should also be no problem to set var email to <username>@demo.ourdomain.com when the corresponding URL parameter is present.

However, you wouldn't recommend this solution? For real accounts of actual users that signed up to our service, we would require real email addresses or social logins via Firebase, of course.

By the way, when using Firebase email/password authentication is it possible to modify the currentUser object somehow somewhere to provide a displayName, for example?

{
  "displayName": null,
  "email": "ma...@demo.ourdomain.com",
  "emailVerified": false,
  "photoURL": null,
  "isAnonymous": false,
  "uid": "9xYQklxxd8hWmReqQTgq3K0w06W2",
  "refreshToken": "AJilOCNcRGTd8mj_..._kYPunlfBbpcit2PNKe2YoPG9UyqJ5h8gJ5QRAEg",
  "providerData": [
    {
      "uid": "ma...@demo.ourdomain.com",
      "displayName": null,
      "photoURL": null,
      "email": "ma...@demo.ourdomain.com",
      "providerId": "password"
    }
  ]
}

Best regards,
Ian

Kato Richardson

Sep 6, 2016, 12:05:54 PM
to Firebase Google Group
Hi Ian,

Adding on custom info like displayName is very easy if you sign your own tokens. I'd encourage you to explore this as it's going to be a bit more elegant and is a solution designed for the sorts of things you're trying to accomplish.

If you're going through these hoops just to link accounts, you should know that we already have tools for this, and you can probably get that working with anon and not bother with any customization here.

Note that you can also just store display names and other profile data in the Database and fetch it from there by uid.

It's hard to guess which option would work best for you without a solid analysis of the use case and constraints. It feels like you're focused on potential solutions here, but understanding the goal may help us suggest the right direction.

More CIL below.

On Sat, Sep 3, 2016 at 7:53 AM, Ian <flo...@scheel.eu> wrote:
It should also be no problem to set var email to <username>@demo.ourdomain.com when the corresponding URL parameter is present.

Works. But probably a hacky solution for a solved problem.

By the way, when using Firebase email/password authentication is it possible to modify the currentUser object somehow somewhere to provide a displayName, for example?
 
No. Sign your own tokens if you need to add info into the token. Or just store the data in the Database and access it by uid.


Honestly, we are a bit lost, authentication and authorization are tricky. Is this how it would work?

Basically. It feels like you're mixing up custom auth, email/password auth, and anonymous auth here. We need to pick one to tackle.
  1. Maria opens the link http://demo.ourdomain.com/?user=maria in a browser.
  2. http://demo.ourdomain.com/?user=maria contains the Firebase Authentication JavaScript and authenticates her anonymously. (Q: Anonymous users don't show up in the Firebase Auth Users list as long as they haven't actually logged in, right?)
  3. http://demo.ourdomain.com/?user=maria asks for a password, which Maria enters and submits.
This isn't needed if you are using Anonymous Auth. The whole point is that it's zero friction--nothing to enter.
     On submit a request is sent to our API which verifies her login credentials and provides a token.
There's no verification for Anonymous auth. It's anonymous. But it does assign her a uid and a token.
     (Q: This solution would require a user account management separately from Firebase Authentication, our server could not connect to Firebase to look for username and password there, right?)
You can store usernames and passwords in the db if you want and lock them down by security rules so only your server can access. You'd want to take the usual precautions (e.g. bcrypt). You'd only need this if you're working with custom auth.

  4. The token from the backend would be sent to Firebase and a new user with the given UID would be created and logged in, Maria could start using our SPA.
Here you've switched to signing your own tokens. None of the steps here are necessary for that process. You can set it up any way you want.
  • Something contacts your server with verification credentials (e.g. email/login and password/key/etc)
  • Your server sends them back a custom token
  • The client app calls authWithCustomCredentials using that token
To verify a user at the server, you can do this two ways:
  • Have them write to a secured database path and monitor this on the server (preferred, see firebase-queue)
  • Have the client pass the token generated in the previous bulleted list back to the server and have the server call verifyTokenId() on that.

  5. When she decides to add her Google account, she would log into her Google account via Firebase and after she returns successfully from Google, her Google account would be linked to the UID initially provided by our API server. (Q: Do linked accounts show up as a single entry in Firebase Auth Users?)
I believe they show up as a single entry in Firebase Auth Users. That probably doesn't matter much to your app though as you can't list the users there. That's purely for authentication purposes. You'll want to create your own user profiles in the Database or elsewhere for listing, querying, and connecting things at the client.

There's way too much to tackle here to possibly do it in this format. It's just going to lead to a lot of confusion between the various approaches. I'd recommend focusing on some specific use cases to solve and asking those as very focused, separate questions. 

Alternately, just start with a concise, detailed goal and we can work backward to one of the solutions.

☼, Kato
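
The server side of the custom-token flow discussed in this thread, as an added example that is not part of the original posts or Firebase's own code: the password is checked against a stored hash, and only then is a custom token signed for a server-chosen uid. Assumptions: the RSA key pair, the service account name and the user store are constructed stand-ins, scrypt from Node's crypto module is used in place of bcrypt, and the function names are hypothetical.

```javascript
const crypto = require('node:crypto');

// Constructed stand-ins: a real deployment uses the service account's own key and email.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const SERVICE_ACCOUNT = 'demo-signer@example-project.iam.gserviceaccount.com'; // placeholder
const AUDIENCE = 'https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit';
const b64url = (x) => Buffer.from(x).toString('base64url');

// Store only a salted, slow hash of each demo password (scrypt here, in place of bcrypt).
function hashPassword(password, salt = crypto.randomBytes(16)) {
  return { salt, hash: crypto.scryptSync(password, salt, 32) };
}
const users = new Map([['maria', hashPassword('newyork')]]); // constructed demo user
const DUMMY = hashPassword('placeholder'); // hashed for unknown users to even out timing

function verifyPassword(username, password) {
  const record = users.get(username) || DUMMY;
  const candidate = crypto.scryptSync(String(password), record.salt, 32);
  const match = crypto.timingSafeEqual(candidate, record.hash);
  return match && users.has(username);
}

// Mint a Firebase custom token (RS256 JWT) only after the password check passes.
function issueCustomToken(username, password, now = Math.floor(Date.now() / 1000)) {
  if (!verifyPassword(username, password)) return null;
  const header = { alg: 'RS256', typ: 'JWT' };
  const payload = {
    iss: SERVICE_ACCOUNT, sub: SERVICE_ACCOUNT, aud: AUDIENCE,
    iat: now, exp: now + 3600,          // custom tokens may live at most one hour
    uid: `demo:${username}`,            // uid is fixed by the server after the check
    claims: { displayName: username },  // additional claims carried in the token
  };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  const signature = crypto.sign('RSA-SHA256', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${b64url(signature)}`;
}

// Local check of an issued token; Firebase performs its own check at sign-in.
function inspectToken(token) {
  const [h, p, s] = token.split('.');
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), publicKey, Buffer.from(s, 'base64url'));
  return ok ? JSON.parse(Buffer.from(p, 'base64url').toString()) : null;
}
```

The `?user=maria` URL parameter only selects which record to check; the uid in the token is set by the server after the password matches, so editing the URL alone yields no token.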