How should my own server verify a web client signed in with firebase? [duplicate]

Web client signs in successfully directly with firebase. Now it wants to talk to my own nodejs (non-firebase) server. How does my server verify the web-client is really signed in with firebase? Note: my server doesn't manage any user account passwords.

https://firebase.google.com/docs/auth/admin/custom-claims Seems to use this flow:

For simplicity, let me call my good web client Bob.

Step 1: Bob needs to send password + email to my own (non-firebase) server. Now my server knows Bob is Bob, and gives Bob client-side a token "bob-token".

Step 2: Bob on client-side calls firebase firebaseTokenFromFirebase = firebaseFunction.signInWithToken("bob-token")

Step 3: Bob sends firebaseToken to my own server

Step 4: On my own server, I can make a verification request directly to firebase bobReallySignedIntoFirebase = firebaseAdmin.verify(firebaseTokenFromFirebase). And if ok, now my server knows Bob really signed into Firebase.

But question: My server doesn't manage passwords at all. So my server cannot verify "Bob is Bob" in Step 1. Is there a way for my server to only rely on Firebase?

Ideally, Bob signs in directly with firebase, and receives an asymmetrically signed JWT (containing Bob's basic info) that can be independently verified by my own server (my server only needs the public key; firebase produces the JWT with the private key).



Solution 1:

There is no way to sign a specific user in to Firebase from the Admin SDKs, as the Admin SDK doesn't have the concept of a current user.

The idiomatic approach is to sign in your users in their client-side code with a Firebase SDK, and then pass the ID token to your server when you need to establish identity/authority. This is what most Firebase SDKs and services also do under the hood.

If you want to sign your users in on your server, you'll have to call the Firebase Authentication REST API.

Also see:

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution source: Solution 1 by Frank van Puffelen