Server-side access control: Use 'aud' in Firebase Auth JWT?


Ian

Sep 28, 2016, 7:33:58 PM
to Firebase Google Group
Hi everyone,

We are new to Firebase Auth but so far it works really well.

Now we want to implement server-side authorization with Google Cloud Endpoints v2, which supports Firebase Authentication. We were told this:

Scopes can be put in audiences, where Endpoints V2 will make sure the incoming JWT token has at least one of the audiences listed in the swagger configuration.

How can we add audiences (I assume he was referring to aud) to a Firebase Auth JWT? Would we be required to sign our own tokens on the server side or can we influence the aud attribute of default Firebase Auth? Ideally, we would put roles and maybe also URL paths inside the JWT that Cloud Endpoints or our backends could use to accept or reject a request to the server.

Please let us know if you would recommend a different solution for our use case.

Best regards,
Ian

Jacob Wenger

Sep 29, 2016, 12:57:30 PM
to fireba...@googlegroups.com
Hey Ian,

Can you tell me who told you that and point me to where they told you? I think I'm missing a lot of context around what you are asking. 

The TL;DR on the explicit question you are asking is that the aud claim is reserved and not configurable by an end-developer like yourself. It should always be equal to 'https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit' or else the token will not be valid.

So, I think something is being lost along the way here and it would be great if you could provide some more context around what you are actually trying to do. It may also be good for you to read and fully understand our server auth docs in case you haven't already.

Cheers,
Jacob

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-talk+unsubscribe@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/1d682013-a1d2-4370-80ce-d349784bcb53%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
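What Jacob's answer means for a backend in practice, as an added example that is not code from this thread or from the Firebase SDK: the server pins the issuer and the audience it expects and rejects any token that does not match, which is also the "at least one configured audience" rule Ian quoted for Endpoints. The token here is HS256 with a constructed shared key purely so it runs offline; real Firebase ID tokens are RS256 and are verified against Google's public keys as described in the server auth docs. The issuer, audience and key values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(payload: dict, key: bytes) -> str:
    """Mint an HS256 token; a constructed stand-in for a real RS256 Firebase ID token."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_token(token: str, key: bytes, issuer: str, audiences: set, now=None):
    """Return (True, claims) or (False, reason). Audience rule as quoted in the
    thread for Endpoints: aud (string or list per RFC 7519) must contain at
    least one server-configured audience; the token never picks the audience."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:
        return False, "malformed token"
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's alg
        return False, "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if claims.get("iss") != issuer:
        return False, "wrong issuer"
    aud = claims.get("aud")
    aud_set = {aud} if isinstance(aud, str) else set(aud or [])
    if not aud_set & audiences:
        return False, "audience not accepted"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "expired"
    return True, claims

# Constructed placeholder values for the demo; not a real Firebase project or key.
KEY = b"demo-secret-not-a-real-key"
ISS = "https://issuer.example/demo-project"
AUDS = {"demo-project"}
```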

Ian

Sep 30, 2016, 6:14:23 PM
to Firebase Google Group, Dan Ciruli
Hi Jacob and Dan,

@Dan, I saw your post in the other thread related to Cloud Endpoints v2, so I hope it's OK to put you on CC here. :-)

The question below was answered by Mingliang during the alpha period. I quoted his answer in the initial post and wonder if there was a misunderstanding:

Can we use scopes for authorization with Firebase Auth and Cloud Endpoints v2, and if yes, how? (see example below)
api_key:
  type: apiKey
  name: api_key
  in: header
petstore_auth:
  type: oauth2
  authorizationUrl: https://auth.firebase...?
  flow: implicit
  scopes:
    write:pets: modify pets in your account
    read:pets: read your pets

Best regards,
Ian


Dan Ciruli

Sep 30, 2016, 6:23:13 PM
to Ian, Mingliang Wei, Firebase Google Group
+mlwei, liujin

Bringing my auth gurus into the mix...
--
DC