Firebase auth to access firestore from java via gRPC

367 views
Skip to first unread message

Hilikus

unread,
Nov 6, 2018, 11:45:05 PM11/6/18
to Firebase Google Group
Hello,

I am trying to access my firestore DB from a java *client* application. In fact, it is an unsupervised device (think IOT) . It seems that the only official java library that uses firestore auth is the Admin SDK but in this case I can't use that since the device is not under my control + I can't have all the devices authenticate using a single service account.
I considered using a service account per device but google limits the number of service accounts to 100, according to documentation + this would use GCP IAM authorization instead of firebase's finer-grained rules.

I found this java firestore client library:
but again, it seems to me that it uses service accounts for authentication. Right?

What I'm planning now for the unsupervised authentication is to use custom tokens and to communicate with firestore via REST using the firebase ID token derived from the custom token.
Based on this doc https://firebase.google.com/docs/firestore/use-rest-api it seems that I can definitely use the firebase ID token to authenticate when using the rest api. However, at the beginning of the doc it says
If you are using a gRPC-supported language, consider using the RPC API rather than the REST API.

So this left me with some questions
1) is there a firestore java client (non-admin) library that exists that can use custom tokens to authenticate to firebase auth?
2) if I use gRPC, will it use IAM authentication or firebase auth? if the latter, can I use custom tokens like all the other client libraries?
3) is there a sample project that uses firestore via gRPC? i couldn't fine one and have no idea how to use it. Especially the authentication part

Thank you

Samuel Stern

unread,
Nov 7, 2018, 11:56:27 AM11/7/18
to fireba...@googlegroups.com
Hi there,

Thanks for the questions and feedback!  You're right, the only official Java SDK we have is the Admin SDK which is not safe to deploy on IoT devices that are not under your own physical security.

On Tue, Nov 6, 2018 at 8:45 PM Hilikus <thehi...@gmail.com> wrote:
Hello,

I am trying to access my firestore DB from a java *client* application. In fact, it is an unsupervised device (think IOT) . It seems that the only official java library that uses firestore auth is the Admin SDK but in this case I can't use that since the device is not under my control + I can't have all the devices authenticate using a single service account.
I considered using a service account per device but google limits the number of service accounts to 100, according to documentation + this would use GCP IAM authorization instead of firebase's finer-grained rules.

I found this java firestore client library:
but again, it seems to me that it uses service accounts for authentication. Right?

What I'm planning now for the unsupervised authentication is to use custom tokens and to communicate with firestore via REST using the firebase ID token derived from the custom token.
Based on this doc https://firebase.google.com/docs/firestore/use-rest-api it seems that I can definitely use the firebase ID token to authenticate when using the rest api. However, at the beginning of the doc it says
If you are using a gRPC-supported language, consider using the RPC API rather than the REST API.

So this left me with some questions
1) is there a firestore java client (non-admin) library that exists that can use custom tokens to authenticate to firebase auth?

No, there's not.  The closest thing would be the Android SDK but that won't run on non-Android Java platforms.
 
2) if I use gRPC, will it use IAM authentication or firebase auth? if the latter, can I use custom tokens like all the other client libraries?

The Android SDK is built on top of the gRPC API.  So if you're willing to put in the effort to learn the right RPC calls, you can definitely use the gRPC API with Firebase Auth tokens and avoid needing dangerous service account credentials. 

The Android SDK is open source and may be of some inspiration to you there.
 
3) is there a sample project that uses firestore via gRPC? i couldn't fine one and have no idea how to use it. Especially the authentication part.

We don't have a sample like that right now because we really want to encourage people to use Firestore through our existing SDKs.  That said if you have specific questions we're happy to try and answer them here!

Also I'm not sure what kind of device you have, but you might want to try using the Web SDK (not the Node Admin SDK) through Node.js?  I think that would be the lowest effort way to get Firestore working with end-user credentials on an IoT device.

- Sam
 

Thank you

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/60a5a6be-51be-4a20-9532-5af2e6f9642e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Hilikus

unread,
Nov 17, 2018, 5:52:12 PM11/17/18
to Firebase Google Group
Excellent. I will take a look at the android SDK

Thank you for the info Sam
Reply all
Reply to author
Forward
0 new messages