Custom JWT token on server


Jakub Stransky

Aug 19, 2016, 12:57:28 PM
to Firebase Google Group
Hello experienced Firebase users,

I am new to Firebase and I would need to generate a custom JWT token on the server and get it distributed further down to clients, which can log in from mobile (Android, iOS) and web, plus I need some custom email/password access.

I am unclear about some basic flows with Firebase Auth. If someone could point me to a good book, documentation, etc., that would be great.

- Let's consider the scenario that a user logs in via the Facebook provider from an Android mobile device.

The user logs in via the client library to Facebook, gets back a token ID and follows a callback link to the server, where he can get a custom JWT, which is returned to him. Is that flow correct?
How can I get custom entities about the user there, which might be needed for generating the JWT token? Is it expected that all of it be fetched back from the Firebase DB?
What if there is a necessity to manage roles for users? Is it possible to add a custom column to the Firebase Auth "table"? Or does there need to be a mapping table from UID to custom data?

When I have a custom provider (not FB, Twitter, ...), do I understand correctly that I need to manage password/user management on my own? What happens if the user logs in next time via e.g. Facebook? Will there be two users, or are they merged into one?
And finally, on the server Firebase client, when using auth.createCustomToken, where can I get the secret used for the signature?


Thanks for the clarification


Kato Richardson

Aug 22, 2016, 1:33:17 PM
to Firebase Google Group
Hi Jakub,

There is no "Firebase Auth table" you can access to manage credentials for OAuth. You can store roles and profile information (i.e. entities about the user) in the Database, and this is an excellent way to go. Role-based security can be enforced by Database or Storage security rules.

If you're already using Firebase Database, you probably don't need custom auth tokens. Custom authentication tokens are mainly intended for use as a way to implement your own authentication schema. The workflow is documented here and looks basically like this:
  • Client authenticates via your custom workflow (or third-party OAuth in special cases)
  • Your server signs a JWT token verifying they have authenticated
  • Client receives the JWT token from server
  • Client calls authWithCustomToken() or equivalent and passes the JWT token
  • Client is assigned a Firebase OAuth token
Generally speaking, you don't want to merge different accounts (e.g. email/password and a Facebook authentication). It's uncommon to need this, unless you're doing some sort of social aggregation tool (e.g. combining data from Facebook and LinkedIn). However, Firebase does provide tools for combining these, documented here.

☼, Kato




--

Kato Richardson | Developer Programs Eng | kato...@google.com | 775-235-8398
