Firebase authentication with custom claims


Łukasz M.

Aug 18, 2016, 10:31:35 AM
to Firebase Google Group
We are investigating the possibility to use Firebase for Single Sign On across our platform.

With this, we are trying to leverage the identity providers (FB, Google, Twitter) but also our own internal user and password auth, which we might store in our datastore based - which we would use to authenticate and give the custom token generated by the Firebase SDK.


The crux here is that we wish to add custom claims to the token which comes from the external providers (FB, Google, Twitter).
I did some research and the only way I see of doing it is to create the custom token just after verifying the external one.

This flow seems to be working, as the moment we create the custom token and send it back to the Client SDK in Web/Mobile, we can call signInWithCustom and the resulting token from authStateChange((user) => user.getToken()) yields a token which we can verify back on the server, and contains our claims.


Question is if there is a simpler way to do so?

Kato Richardson

Aug 18, 2016, 1:01:58 PM
to Firebase Google Group
Hi Łukasz!

Looks like you've got it. If you want to modify the claims in the token, you'll need to generate your own and therefore you'll need to use the custom token workflow.  It doesn't really matter how you conduct the authentication before this, and if you want it to be against third party providers, your approach here looks sound.

Note that, depending on the specifics of your use case, you might be able to store any meta data you might add onto the token in the Realtime Database instead, and just fetch that meta data by uid, bypassing the need for a complex auth schema.

☼, Kato 

--

Kato Richardson | Developer Programs Eng | kato...@google.com | 775-235-8398

Kato Richardson

Aug 18, 2016, 1:03:43 PM
to Firebase Google Group
Also, if the goal is simply finding a way to verify access in different systems, you can use the Realtime Database for this as well (you can assume that if a user writes to a path that requires authentication, based on the security rules, they are authenticated). Or you can use the verifyTokenId() approach and just pass around the default Firebase creds.

Again, this would be used together with storing any meta info you need (i.e. claims) in the Database.

☼, Kato
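The custom token workflow discussed in this thread, sketched as an added example (not code from any of the posters or from the Firebase SDK): after the provider token has been verified server-side, the server signs a JWT in the documented Firebase custom token layout with the extra data under `claims`. The service account email, uid, claim values and the throwaway RSA key are constructed placeholders, and `verifyCustomToken` is only a local self-check; a real deployment would use the Admin SDK and verify the ID token Firebase issues after sign-in.

```javascript
const crypto = require("crypto");

// Audience Firebase expects in a custom token.
const AUD = "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit";
// Reserved JWT/OIDC/Firebase names; rejecting them keeps developer claims from shadowing token fields.
const RESERVED = new Set(["acr", "amr", "at_hash", "aud", "auth_time", "azp", "cnonce", "c_hash",
  "exp", "firebase", "iat", "iss", "jti", "nbf", "nonce", "sub"]);
const b64url = (x) => Buffer.from(x).toString("base64url");

// Call only after the external provider token has been verified on the server.
function mintCustomToken(uid, claims, serviceAccountEmail, privateKey, now = Math.floor(Date.now() / 1000)) {
  if (typeof uid !== "string" || uid.length < 1 || uid.length > 128) throw new Error("bad uid");
  for (const name of Object.keys(claims)) {
    if (RESERVED.has(name)) throw new Error(`reserved claim: ${name}`);
  }
  const header = { alg: "RS256", typ: "JWT" };
  const payload = { iss: serviceAccountEmail, sub: serviceAccountEmail, aud: AUD,
    iat: now, exp: now + 3600, uid, claims }; // lifetime is capped at one hour
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  const sig = crypto.sign("RSA-SHA256", Buffer.from(signingInput), privateKey);
  return `${signingInput}.${b64url(sig)}`;
}

// Local self-check: pin the algorithm, verify the signature, then audience and expiry.
function verifyCustomToken(token, publicKey, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, "base64url").toString());
  if (header.alg !== "RS256") throw new Error("unexpected alg");
  const ok = crypto.verify("RSA-SHA256", Buffer.from(`${h}.${p}`), publicKey, Buffer.from(s, "base64url"));
  if (!ok) throw new Error("bad signature");
  const payload = JSON.parse(Buffer.from(p, "base64url").toString());
  if (payload.aud !== AUD || payload.exp <= now) throw new Error("wrong audience or expired");
  return payload;
}

// Constructed demo: throwaway key pair standing in for the service account key.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const email = "sso-minter@example-project.iam.gserviceaccount.com"; // placeholder
  const token = mintCustomToken("google:1234567890", { plan: "pro", orgId: 42 }, email, privateKey);
  return verifyCustomToken(token, publicKey);
}
```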