This repository has been archived by the owner on Jan 19, 2022. It is now read-only.

Implement support for FirebaseAuth #2111

Closed
viniciusccarvalho opened this issue Jan 10, 2020 · 6 comments · Fixed by #2157
Labels
security Spring Security integration

Comments

@viniciusccarvalho
Contributor

Firebase has released an admin SDK that makes it very easy to integrate with its fantastic Authentication service.

The fact that we can use Firebase Auth to manage different OAuth providers, password reset, password encryption, user validation and many other cool things is what makes it a very interesting alternative to implementing our own OAuth2 server.

I'd like to propose and submit a PR to add a firebase-auth module (name TBD) that would enable a Spring Security TokenFilter to be registered after users enable it via @EnableFirebaseAuth.

Firebase uses JWT tokens; one could argue we can just use simple JWT validation, but as per their documentation (https://firebase.google.com/docs/auth/admin/verify-id-tokens), using plain JWT validation makes the library responsible for validating the signature of the tokens, so using the client library is a much simpler approach.

I see this as a great improvement to Spring Cloud GCP, as users will be able to secure endpoints that are authenticated via Firebase Auth.

@meltsufin and folks what do you think?

@meltsufin meltsufin added the security Spring Security integration label Jan 10, 2020
@meltsufin
Contributor

@viniciusccarvalho Thank you for bringing it to our attention. This sounds great! Note that we already have Spring Security support for IAP. I haven't looked at Firebase Auth enough to know what kind of use cases it addresses vs. IAP.

cc/ @elefeint who worked on IAP support.
cc/ @dmitry-s who worked on Spring Data Firestore.

@meltsufin
Contributor

Related to: #1996.

@elefeint
Contributor

@viniciusccarvalho What would the application flow look like, something like this?

```
---------------                                               ------------
| Client      | ------------- acquire JWT token ------------> | Firebase |
| (mobile/web)|                                               |          |
---------------                                               ------------

---------------                   -------------------                     -------------
| Client      | -- present JWT -> | Spring Boot app | --- authenticate -> | Other GCP |
| (mobile/web)|                   |                 |                     | services  |
---------------                   -------------------                     -------------
```

Spring Security OAuth starters, both server and client, come with a JWT token parsing library (Nimbus), which we used for IAP authentication. But by the time you pull in the OAuth server dependency, you might not even need the admin SDK.

@viniciusccarvalho
Contributor Author

@elefeint That is the flow indeed. And the JWT parsing is what my point in the comment about verifying tokens has been. You can use plain JWT libraries to validate the token, but you need to acquire the public key to check the signature. I don't think the out-of-the-box Spring Security JWT implementation would be able to do that. So in order to enable FirebaseAuth, a custom TokenFilter would need to be implemented.

If we use the admin SDK, it boils down to this:

```java
FirebaseToken decodedToken = FirebaseAuth.getInstance().verifyIdToken(idToken);
```

And then we need to just adapt that to a UserDetails instance so that it integrates within Spring Security auth flow.

@elefeint
Contributor

Nimbus does check the registry at the token parsing stage. In the IAP module, the registry is configured to https://www.gstatic.com/iap/verify/public_key-jwk.

I have no issue with using the admin SDK, though, since it's an implementation detail and can be changed easily, so you can use whichever method makes the most sense for your implementation.

@viniciusccarvalho
Contributor Author

Hi @elefeint, I decided to move away from using the admin SDK. However, the Firebase token validation does not seem to use the JWKS format. Instead, the public keys need to be retrieved from here: https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com.

Working on it now, should have a PR by early next week.
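The verification path discussed in this thread (kid lookup in the x509 certificate map instead of a JWKS, RS256 signature check with Nimbus, then the claim checks from the Firebase verify-id-tokens documentation), as an added example that is not code from spring-cloud-gcp or the eventual PR. `FirebaseIdTokenVerifier` is a hypothetical class name, and it assumes the caller has already fetched the JSON body from the googleapis URL above and decided how to cache it.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;
import java.util.Map;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.util.JSONObjectUtils;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

// Hypothetical verifier (not spring-cloud-gcp code). x509JsonBody is the JSON map
// {"<kid>": "<PEM certificate>", ...} that the caller fetched from the googleapis URL.
public class FirebaseIdTokenVerifier {
    private static final String ISSUER_PREFIX = "https://securetoken.google.com/";
    private final String projectId;
    private final Map<String, Object> kidToPemCert;
    public FirebaseIdTokenVerifier(String projectId, String x509JsonBody) throws Exception {
        this.projectId = projectId;
        this.kidToPemCert = JSONObjectUtils.parse(x509JsonBody);
    }
    public JWTClaimsSet verify(String idToken) throws Exception {
        SignedJWT jwt = SignedJWT.parse(idToken);
        // Pin the algorithm before touching any key: Firebase signs ID tokens with RS256 only.
        if (!JWSAlgorithm.RS256.equals(jwt.getHeader().getAlgorithm()))
            throw new SecurityException("unexpected alg " + jwt.getHeader().getAlgorithm());
        // The header kid selects one certificate from the map; an unknown kid is rejected.
        Object pem = kidToPemCert.get(jwt.getHeader().getKeyID());
        if (!(pem instanceof String))
            throw new SecurityException("unknown kid " + jwt.getHeader().getKeyID());
        X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(((String) pem).getBytes(StandardCharsets.US_ASCII)));
        if (!jwt.verify(new RSASSAVerifier((RSAPublicKey) cert.getPublicKey())))
            throw new SecurityException("signature check failed");
        // Claim checks from the Firebase verify-id-tokens documentation: exp in the future,
        // iat not in the future, aud and iss bound to the project, non-empty sub.
        JWTClaimsSet claims = jwt.getJWTClaimsSet();
        Date now = new Date();
        boolean ok = claims.getExpirationTime() != null && claims.getExpirationTime().after(now)
                && claims.getIssueTime() != null && !claims.getIssueTime().after(now)
                && claims.getAudience().contains(projectId)
                && (ISSUER_PREFIX + projectId).equals(claims.getIssuer())
                && claims.getSubject() != null && !claims.getSubject().isEmpty();
        if (!ok) throw new SecurityException("claims failed Firebase checks");
        return claims;
    }
}
```

The returned claims (sub, email and so on) are what a TokenFilter would map onto a UserDetails instance; a kid that is missing from the cached map is the signal to refetch the certificate map before giving up.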
