Google Cloud Identity as back office user (SSO)


jittuu

Mar 17, 2018, 11:32:15 AM
to Firebase Google Group
Hi all,

I would like to ask for some guidance before I deep dive into it.
 
I'm developing an e-commerce app using Firebase. It has
  1. Public facing mobile app (users will sign up/sign in using facebook login)
  2. Back office web app (React + App Engine as API). (back office users will login via google cloud identity - google account)
Regarding back office, I'm thinking to generate custom token with additionalClaims to differentiate users in firestore security rules. The confusing part is how could I integrate with google cloud identity and firebase custom authentication?

I was thinking to
  1. use Identity-aware proxy in my appengine API
  2. use one-tap sign in so that it can talk to API as authenticated user.

Does it make sense, or am I doing something completely off target?


Thanks,
Soe Moe

Kato Richardson

Mar 19, 2018, 1:16:28 PM
to Firebase Google Group
This makes sense and might be the right approach. 

One thing to keep in mind is that if you are using an identity provider supported by Firebase (i.e. Google OAuth) you don't necessarily need to set up your own auth schema and use custom signed JWT tokens (i.e. custom authentication) to mark certain people as admins.  In that case, you could just use custom claims, which allow you to add meta info onto the user's auth credentials when they sign in from the Firebase client SDKs.

If you're just using the admin flag to control access to data, another alternative (again assuming you are already using a Firebase compatible provider) would be to just store data in your Firebase or Realtime Database marking which users are admins. You can reference database data as part of security rules so this is also a fine way to manage role-based access.

Also, if you're already working with App Engine, you might consider Functions for handling some of your backend ops. It can slim up your stack and take advantage of some of the Firebase integration points.

☼, Kato




--

Kato Richardson | Developer Programs Eng | kato...@google.com | 775-235-8398
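
The custom-claims approach from the reply above, as an added example that is not part of the thread or Firebase's own code: the server verifies the Firebase ID token, grants a claim only to verified Google sign-ins from the company domain (so a Facebook-login customer with a matching email never qualifies), and a Firestore rule reads that claim. The `auth` parameter is the Admin SDK auth service (`admin.auth()`); the domain `example.com`, the claim name `backoffice` and the `orders` collection are assumptions.

```javascript
// Added example. `auth` is the Admin SDK auth service (admin.auth() from
// firebase-admin), passed in so the logic can be exercised with a stub.
// ALLOWED_DOMAIN and the `backoffice` claim name are assumptions.
const ALLOWED_DOMAIN = 'example.com';

// Decide from a *verified* Firebase ID token whether the user is staff.
function isBackOfficeUser(decoded) {
  const provider = decoded.firebase && decoded.firebase.sign_in_provider;
  const email =
    typeof decoded.email === 'string' ? decoded.email.toLowerCase() : '';
  // Exact match on the part after the last '@', so
  // "x@example.com.evil.test" and "x@notexample.com" are rejected.
  const domain = email.slice(email.lastIndexOf('@') + 1);
  return provider === 'google.com' &&      // not the public Facebook login
         decoded.email_verified === true &&
         email.includes('@') &&
         domain === ALLOWED_DOMAIN;
}

// Verify the token server-side, then grant or revoke the claim.
async function syncBackOfficeClaim(auth, idToken) {
  // verifyIdToken rejects on a bad signature, wrong project or expiry.
  const decoded = await auth.verifyIdToken(idToken);
  const staff = isBackOfficeUser(decoded);
  // Passing null clears all existing custom claims, so a user who no
  // longer qualifies loses access once their ID token refreshes.
  await auth.setCustomUserClaims(
    decoded.uid, staff ? { backoffice: true } : null);
  return staff;
}

// Matching Firestore rule (custom claims appear on request.auth.token):
//   match /orders/{id} {
//     allow read, write: if request.auth.token.backoffice == true;
//   }
```

A newly set claim reaches the client only after its ID token is refreshed, so the back office app should force a refresh after the first sign-in.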
