Which information is included in JWT when using custom auth with custom claims and connected social logins?


Ian

Oct 3, 2016, 7:15:24 PM
to Firebase Google Group
Hi everyone!

We are new to Firebase Auth and wanted to use it mainly because of the easy integration with social login providers which are extremely user-friendly and convenient. However, we also need to be able to add custom claims to the JWT to use it for authentication and authorization of requests from the web app against our backend servers. If we understand correctly, custom claims like "userType":"admin" are only supported in custom auth.

So if we use custom auth with our custom claims, and let users add a Google or Github account, for example, what will the JWT look like that our web application sends to our server? Will it contain only the data/attributes of the auth provider used for the most recent login, e.g. Google, or will the auth data of all associated accounts be included in the token? If the latter would be the case, we might only have to use our custom login once, then connect a social login and we would still be able to use custom claims without reducing user convenience.

Best regards,
Ian

Kato Richardson

Oct 4, 2016, 12:37:28 PM
to Firebase Google Group
Hi Ian,

See this thread. It explains some of the alternatives to using custom claims (use the Database). If you want to use custom claims, you'll have to manage the auth process and sign the tokens yourself.

☼, Kato

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-talk+unsubscribe@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/a65c8171-dc26-427f-be63-3065a7644eb9%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--

Kato Richardson | Developer Programs Eng | kato...@google.com | 775-235-8398

Ian

Oct 4, 2016, 1:36:46 PM
to Firebase Google Group
Hi Kato,

Thank you! We will definitely look into the database solution.

However, we have to sign our own tokens anyway as you suggested in this thread.

So let's say a new user signs in initially via username/password (custom auth with custom admin claim) and links her Google account. I guess that a JWT sent from the frontend web application to a backend server API would contain either the auth data (identity etc.) of custom auth including the custom claim or the auth data of her Google account or both.

If she returns to our service a few days later from a new device and logs in using her Google account, will the auth data of both linked accounts be included in the JWT? If this would be the case, our custom claim should be available so we could use it. We might have to test this scenario, but if you know the answer you could save us lots of time, of course. ;-)

Cheers,
Ian


Jacob Wenger

Oct 4, 2016, 1:53:49 PM
to fireba...@googlegroups.com
Hey Ian,

The custom claims will be included in the JWT if and only if you sign in via a custom token. If you link the account to a Google account and then later sign in with Google, the resulting JWT will not include the custom claims. What you can do (although roundabout) is sign in on the client via Google, send the resulting JWT to your backend, decode it, create a new custom token with the claims you want, send that back to your client, and sign in again with that.

Cheers,
Jacob
