Restrict Google Auth to specific users


Samer Abraham
Aug 14, 2017, 8:58:01 PM
to Firebase Google Group
Hello

I saw this earlier thread:
https://groups.google.com/forum/m/#!topic/firebase-talk/E8SvdX79BXM

The gist is allowing authentication using Google auth but restricting the set of users to specific emails. Does anyone know if that's been implemented? The thread implies it was in the works.

Thanks
Sam

Ian Barber
Aug 16, 2017, 12:21:35 PM
to Firebase Google Group
https://firebase.google.com/docs/reference/security/database/#authtoken has an example of restricting to a certain domain. 


--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-talk+unsubscribe@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/42550ab3-8a9e-4cc0-ba15-0312df07b4fc%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Samer Abraham
Aug 20, 2017, 8:50:29 AM
to Firebase Google Group
Thanks, however I'm not speaking about domains. I'm speaking about different emails. For example a...@gmail.com, b...@gmail.com in a whitelist so c...@gmail.com is denied.



Paul McCann
Aug 21, 2017, 6:08:32 AM
to Firebase Google Group
I'm also interested in this functionality.

I'm building an app for our club, and I want to provide club members the ability to log in, but no one else. This would mean not allowing registrations or login unless they were already in the database.
I would be interested to know how this can be achieved with Firebase.

Thanks


Andreas B
Aug 22, 2017, 11:20:30 AM
to Firebase Google Group
Does this app even need to be publicly available via (assuming Android) the Play Store, if it is meant for only a limited number of people? If not, using the Beta release functionality, where you allow only members of a Google Group or Google+ Community to install your app might be an alternative.

If not, and this really needs to be a Google Sign-In in a publicly available app, following https://firebase.google.com/docs/auth/android/google-signin and doing the following in onActivityResult(...) might be an option:

// Google Sign In was successful, authenticate with Firebase
GoogleSignInAccount account = result.getSignInAccount();
String email = account.getEmail();
if (isWhitelisted(email)) {
    firebaseAuthWithGoogle(account);
} else {
    // TODO alert the user or fail silently, depending on what makes most sense for you
}

That way, you will end up with a new user in your Firebase project only if the Google account used to sign in was whitelisted. Everything else could follow from there, for example by checking mAuth.getCurrentUser() != null. Depending on what your app has to offer to those users that are not signed in, they might not even need to know that they are not whitelisted.

Samer Abraham
Aug 23, 2017, 2:43:07 AM
to Firebase Google Group
The problem is that's not securing the database. But to answer the question of whether it needs to be public: assuming Android and Play Store would be incorrect. Either way, Firebase is available publicly by design, so that's just security by obscurity. I want access to the data restricted.

Andreas B
Aug 23, 2017, 5:16:39 AM
to Firebase Google Group
"Securing the database" would then happen via a read rule: https://firebase.google.com/docs/reference/security/database/ - not sure which part you think is "security by obscurity".

Samer Abraham
Aug 23, 2017, 8:28:04 AM
to Firebase Google Group
The check on the sign-in on the app side is clearly not security. You're just blocking one client app.

I know about these documents but they do not outline my ask. Thanks for the help though.

Ian Barber
Aug 24, 2017, 3:57:24 PM
to Firebase Google Group
Checking on the client is good, as most errors will be accidents, not malicious. To ensure security you could have a list of uids/emails of allowed users in the database, and have that locked down (maybe only admin read/writeable), then use a rule on your data like:

"data": {
      ".read": "root.child('allowed_users').child(auth.uid).val() == true"
}

Then have something like /allowed_users/<uid> entries for each user in the group. 


Tyler Rockwood
Aug 25, 2017, 5:10:25 PM
to Firebase Google Group
If you want to use the email address for the account instead of the uid, you can do something like: 

"data": {
      ".read": "auth.token.sign_in_provider == 'google.com' && root.child('allowed_users').child(auth.token.email).val() == true"
}

This would require you to have in your database:

{
  "allowed_users": {
     "us...@gmail.com": true,
     // more users...
  }
}

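A complete database.rules.json that puts Ian's uid-keyed rule and Tyler's email-keyed rule together, added here as an example rather than either poster's own rules. Both whitelist nodes deny all client access so only the Admin SDK or the console can change them, and the email variant also requires a verified address and encodes dots as commas, because Realtime Database keys cannot contain '.' (so the list is assumed to store keys such as "alice@gmail,com").

```json
{
  "rules": {
    // Whitelists are neither readable nor writable by any client; maintain them
    // with the Admin SDK or the Firebase console so users cannot add themselves.
    "allowed_users": { ".read": false, ".write": false },
    "allowed_emails": { ".read": false, ".write": false },

    // Keyed by Firebase uid: only signed-in users listed under allowed_users/<uid>.
    "data": {
      ".read": "auth != null && root.child('allowed_users').child(auth.uid).val() == true",
      ".write": "auth != null && root.child('allowed_users').child(auth.uid).val() == true"
    },

    // Keyed by e-mail: Google sign-in only, verified address, and the same
    // dot-to-comma encoding the stored keys use.
    "data_by_email": {
      ".read": "auth != null && auth.token.sign_in_provider == 'google.com' && auth.token.email_verified == true && root.child('allowed_emails').child(auth.token.email.toLowerCase().replace('.', ',')).val() == true"
    }
  }
}
```

A user who is signed in but missing from the list gets a permission-denied error from the database itself, regardless of which client they use.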

Vivek Saxena
Nov 17, 2018, 4:04:31 PM
to Firebase Google Group
Hi Samer,

I also wanted to implement the same and this is how I did it:

  1. Use a Firebase cloud function to create new users: the app does not directly create new users, but rather calls the cloud function endpoint to create a new user. The cloud function first checks if the user is in the white-listed emails (stored in the Firebase database) and, if so, creates a new user using the Admin library (https://firebase.google.com/docs/auth/admin/manage-users#create_a_user). This way you will be able to move the user creation logic from the client side to the secured cloud function.
  2. Use Firebase sign-in using email and password on the client side.
Thanks
Vivek Saxena
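The server-side gate from Vivek's step 1, written out as an added example (not Vivek's code). The Firebase services are injected through `deps` so the logic runs and can be checked offline; `readAllowed`, `createUser`, `httpHandler` and the in-memory `fakeDeps` are this example's own names, and in production `deps` would wrap firebase-admin's database() and auth().

```javascript
// Realtime Database keys may not contain '.', so e-mails are stored with dots
// replaced by commas: "Alice@Example.com" -> "alice@example,com".
function emailKey(email) {
  return String(email).trim().toLowerCase().replace(/\./g, ',');
}

function isPlausibleEmail(email) {
  return typeof email === 'string' && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email.trim());
}

// deps.readAllowed(key)  -> Promise<boolean>, e.g. a read of allowed_emails/<key>
// deps.createUser(props) -> Promise<{uid}>,   e.g. admin.auth().createUser(props)
async function createWhitelistedUser(body, deps) {
  const { email, password } = body || {};
  if (!isPlausibleEmail(email)) {
    return { status: 400, body: { error: 'invalid request' } };
  }
  if (typeof password !== 'string' || password.length < 12) {
    return { status: 400, body: { error: 'invalid request' } };
  }
  const allowed = await deps.readAllowed(emailKey(email));
  if (allowed !== true) {
    // Same answer for "unknown" and "listed but disabled" so the endpoint does
    // not act as an oracle for which addresses are on the whitelist.
    return { status: 403, body: { error: 'not permitted' } };
  }
  const user = await deps.createUser({ email: email.trim().toLowerCase(), password });
  return { status: 201, body: { uid: user.uid } };
}

// Express-style handler in the shape firebase-functions expects, e.g.
//   exports.createUser = functions.https.onRequest(httpHandler(realDeps));
function httpHandler(deps) {
  return async (req, res) => {
    if (req.method !== 'POST') return res.status(405).send('method not allowed');
    const result = await createWhitelistedUser(req.body, deps);
    return res.status(result.status).json(result.body);
  };
}

// Constructed in-memory stand-ins for the Firebase services (offline demo only).
const fakeWhitelist = { 'alice@example,com': true, 'bob@example,com': false };
const fakeCreated = [];
const fakeDeps = {
  readAllowed: async (key) => fakeWhitelist[key] === true,
  createUser: async (props) => {
    fakeCreated.push(props.email);
    return { uid: 'uid-' + fakeCreated.length };
  },
};
```

The endpoint should additionally be rate-limited and served only over HTTPS (which Cloud Functions does by default), since it is the one place where accounts can be created.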