google-firebase-auth-proxy
This project serves the purpose that the firebase google authentication provider doesn't provide stuff like email-adress etc. which restricts the possibilities to formulate security-rules.
For this to work you have to enable "custom" login in firebase.
https://www.firebase.com/docs/security/api/rule/auth.html
https://developers.google.com/identity/sign-in/web/reference
Workflow
- Wepapp logs in at google: https://developers.google.com/identity/sign-in/web/build-button
- Webapp sends the token from the authentication-response (success.getAuthResponse().access_token) to the auth-proxy https://developers.google.com/identity/sign-in/web/reference
- The auth-proxy validates the token against the google service to ensure ist validity. It is important to check the audience against the own clientid (https://developers.google.com/identity/protocols/OAuth2UserAgent). additional it checks the hd-field (domain of the registered user) https://developers.google.com/identity/sign-in/web/backend-auth
- The auth-proxy creates a firebase-token using this method https://www.firebase.com/docs/web/guide/login/custom.html and sends it to the webapp
- the webapp validates itself against firebase with the jwt-token
Usage
The google-firebase-auth-proxy-module provides a single function which takes a config-object as first parameter and returns an express app-instance:
var config = client_id: 'xxxxxxxxxxxxxxxx.apps.googleusercontent.com' //client-id of the webapp-project hd: 'test.de' //optional, validates whether the logged in user has a special domain firebase_secrect: 'abc123' //firebase-secret, needed to generate the token for the webapp;var authProxy = config; //start serverauthProxy; //the auth-proxy is now running on port 8080
The client-side usage is documented in test/index.html. You have to perform an ordinary google-login using the google signin-api:
In the onSuccess
callback you have to obtain the id-token and send it to the auth-proxy via AJAX. The server has CORS activated, it doesn't matter where it's hosted. The auth-proxy checks whether the token is valid and is issued for the correct app and hd. If this is true, it creates a new firebase-token and returns it to the client. The format of the answer is the following json-object:
valid: true token: 'issuedfirebasetoken'
{ console; $;}
You can now use data.token
to validate against the firebase-service. The token contains the following values (you can use them in the auth
-object in firebase rules, see https://www.firebase.com/docs/security/api/rule/auth.html):
uid: 'google-id of the user' email: 'email-adress of the user' given_name: 'firstname of the user' family_name: 'lastname of the user'