Implement support for FirebaseAuth #2111
Comments
@viniciusccarvalho Thank you for bringing it to our attention. This sounds great! Note that we already have Spring Security support for IAP. I haven't looked at Firebase Auth enough to know what kind of use cases it addresses vs IAP. cc/ @elefeint who worked on IAP support.
Related to: #1996.
@viniciusccarvalho What would the application flow look like, something like this?
Spring Security OAuth starters, both server and client, come with a JWT token parsing library (Nimbus), which we used for IAP authentication. But by the time you pull in the OAuth server dependency, you might not even need the admin SDK.
@elefeint That is the flow indeed. And the JWT parsing is what my point has been on the comment about verifying tokens. You can use plain JWT libraries to validate the token, but you need to acquire the public key to check the signature. I don't think the out-of-the-box Spring Security JWT implementation would be able to do that. So in order to enable FirebaseAuth, a custom TokenFilter would need to be implemented. If we use the admin SDK, it boils down to this:
And then we need to just adapt that to a
Nimbus does check the registry at the token parsing stage. In the IAP module, the registry is configured to I have no issue with using the admin SDK, though, since it's an implementation detail and can be changed easily, so you can use whichever method makes the most sense for your implementation.
Hi @elefeint, I decided to move away from using the admin SDK. However, the Firebase token validation does not seem to use the JWKS format. Instead, the public keys need to be retrieved from here: https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com. Working on it now, should have a PR by early next week.
Firebase has released an admin SDK that makes it very easy to integrate with its fantastic Authentication service.
The fact that we can use Firebase Auth to manage different OAuth providers, password reset, password encryption, user validation and many other cool things is what makes it a very interesting alternative to implementing our own OAuth2 server.
I'd like to propose and submit a PR to add a firebase-auth module (name TBD) that would enable a Spring Security TokenFilter to be registered after users enable it via @EnableFirebaseAuth. Firebase uses JWT tokens, and one could argue we can just use simple JWT validation, but as per their documentation: https://firebase.google.com/docs/auth/admin/verify-id-tokens, using plain JWT validation requires the library to be responsible for validating the signature of the tokens; using the client library is a much simpler approach.
I see this as a great improvement on Spring Cloud GCP, as users will be able to secure endpoints that are authenticated via Firebase Auth.
@meltsufin and folks, what do you think?