Comments (16)
Great news - I will have a chance to test this out this week. Will update this feed accordingly when ready.
from external-auth-server.
Thanks for the diagram and info! Happy to see what can be done to facilitate the workflow.
I'm pretty detailed oriented so stick with for a few questions :) especially not being familiar with firebase:
- Are the users/user agents here typically system-to-system or are these end-users navigating to a service?
- Does firebase act as an oauth provider and/or openid connect?
- Does firebase really need to validate the token (ie: stateful session type stuff) or are simple assertion on the token data/claims sufficient?
- Are these typically single-page-apps?
- Does firebase have an endpoint for submitting the token for validation? Can you send me a link to the documentation if so to review?
I'm sure I'll have follow-ups based on the answers but that should be enough to get me started..
from external-auth-server.
Thanks for the quick reply. Happy to dig deep into the details with you. Let me preface this by saying, this auth flow is not yet in production and flexible if something simply doesn't make sense. Here's the answers to your questions:
-
Are these typically single-page-apps?
Yes, this particular flow is used for a public-facing React SPA. In particular, this flow would be used when a user wants to access their "My Account" page and requests are made to backend/user
protected endpoints. -
Are the users/user agents here typically system-to-system or are these end-users navigating to a service?
I think the above answer might explain this, but let me know if not. Essentially, this is a SPA talking to our RESTful backend with some protected endpoints. -
Does firebase act as an oauth provider and/or openid connect?
According to their documentation, "[Firebase] leverages industry standards like OAuth 2.0 and OpenID Connect, so it can be easily integrated with your custom backend." We are using their JavaScript library on the front-end, giving users the ability to log in with Facebook, Google or Email/Password. Each method has its own Firebase auth provider that returns an idToken on successful authentication." -
Does firebase really need to validate the token (ie: stateful session type stuff) or are simple assertion on the token data/claims sufficient?
Short answer - I'm not sure. Given the rest of the details I've provided, I would be happy to take your expertise here. The backend service needs to ultimately retrieve user account details from Firebase at some point in this flow. Right now, that's happening after the token validation. If helpful, I can do a diagram for the current process - let me know. -
Does firebase have an endpoint for submitting the token for validation? Can you send me a link to the documentation if so to review?
Currently we are verifying tokens in individual microservices using the Firebase Admin SDK. Specifically, we are using the verifyIdToken method. A similar endpoint exists in the Firebase REST API, which would return a 400 status with an error if invalid and a 200 status with account info if valid.
from external-auth-server.
OK, perfect thanks for the responses:
- So you manage in the interface your own login sequence direct in your app and then make the appropriate ajax requests or whatever to firebase to retrieve the token(s)?
- They never land on a firebase URL and get redirected correct?
- For the verifyIdToken method are you using the method signature with the boolean second parameter?
- Are you taking care of refreshing the token(s) as appropriate direct to firebase?
from external-auth-server.
-
So you manage in the interface your own login sequence direct in your app and then make the appropriate ajax requests or whatever to firebase to retrieve the token(s)?
The Firebase JS library handles all this for us. Here's an example for a Google login. Essentially, it will pop up the Google login form and returns the result (see step 5 in example). -
They never land on a firebase URL and get redirected correct?
If they choose Google or Facebook, they would get the respective login form as a popup. An excellent example of a site using this would be: https://app.termly.io/user/login -
For the verifyIdToken method are you using the method signature with the boolean second parameter?
Yes - this ensures the token was not revoked. -
Are you taking care of refreshing the token(s) as appropriate direct to firebase?
Yes, although again the Firebase JS library handles this for us. The getIdToken method will automatically refresh, as necessary.
from external-auth-server.
OK, getting close here:
- You presumably cannot or do not want to validate the token at the
service
layer? - Do you intend on forwarding the
X-Auth-Token
down to theservice(s)
for some other reason? Or you want them completely out of the picture by usingeas
? - Is the
X-Auth-Token
theidToken
or is it anaccessToken
? Do you intend to send anaccessToken
down toservice(s)
?
from external-auth-server.
-
You presumably cannot or do not want to validate the token at the service layer?
We can, but would prefer to offload this functionality to the edge so it can be done in one place vs. at each individual service. -
Do you intend on forwarding the X-Auth-Token down to the service(s) for some other reason? Or you want them completely out of the picture by using eas?
I think we still need the token, as it contains theuser_id
we'll need to look up user information in the database. On the server-side, I'm intending on using the Spring PreAuthenticatedAuthenticationProvider, which expects a token, but also expects it to be preauthorized. I'm unclear on what should ideally happen aftereas
authenticates the token. Should it pass it to the service as is? Any idea on the best practice here would be helpful. -
Is the X-Auth-Token the idToken or is it an accessToken? Do you intend to send an accessToken down to service(s)?
TheX-Auth-Token
is the idToken that returns from Firebase after a successful login. It has basic user information embedded in the JWT. See below for an example of a decoded idToken. The way Firebase works, I don't believe I need an accessToken.
{
"iss": "https://securetoken.google.com/firebase-project-name",
"aud": "firebase-project-name",
"auth_time": 1559756352,
"user_id": "somelonguserid",
"sub": "somesubhere",
"iat": 1559756352,
"exp": 1559759952,
"email": "[email protected]",
"email_verified": true,
"firebase": {
"identities": {
"email": [
"[email protected]"
]
},
"sign_in_provider": "password"
}
}
from external-auth-server.
Very good. Reviewing the docs appears to show that verifying the idToken via the REST api is not possible so I'll need to either look at what the SDKs are doing, or pull in the node sdk and make a specific plugin for firebase (which I'm completely open to). If you see something otherwise let me know, otherwise I'll start digging.
The existing jwt
plugin handles everything the sdk does except the whole stateful revoking situation at the provider.
No best practice on what to do with the token after authentication. The reverse proxy will likely pass it down by default. We do have code that allows you to set/add headers during the auth process...for example pull the email
claim out of the token and set it as X-Userinfo-Email
or whatever. May or may not be helpful for your services.
from external-auth-server.
So I read through the code and the revoked logic is pretty simple. It checks if the auth_time
of the idToken
is before (failure scenario) the validSince
property of the user
. It is possible to get the userinfo using: https://firebase.google.com/docs/reference/rest/auth#section-get-account-info
I'm inclined to just pull in the code, however, a benefit of doing it 'manually' would be to allow deeper custom assertions based on the userinfo above and beyond the revocation logic (for example emailVerified
must be true
, that kind of thing). The assertion engine is pretty strong and this seems like a prime use-case to put it to work.
Thoughts?
from external-auth-server.
When you say "pull in the code", do you mean using the Firebase NodeJS SDK in eas
? And when you say "doing it manually", do you mean applying the same logic but in your JWT plugin? Just want to make sure I'm following.
from external-auth-server.
Yeah sorry that wasn't very clear. Either way it will be a new plugin, the question is whether to use the nodejs sdk or just use standard jwt validation along with some custom http requests/etc with custom validation logic (infrastructure is already available for that).
Either way it's a simple integration and could be knocked out with very little code.
I'm leaning toward the custom route at this point simply because it seems more straight forward and will be far more powerful in the long haul.
from external-auth-server.
That sounds good to me. Seems logical to tackle this in a more generic fashion if it can be leveraged beyond Firebase. Let me know if there's anything we can do to help you.
from external-auth-server.
Well, the plugin will be specific to firebase which is fine, just will be more powerful to use the raw data rather than the sdk and will facilitate more common configuration options that are in the others.
I'm currently knocking out some header work and then looking at server-side config_tokens, after that I'll get an API key for firebase and add this to the 0.2.0 release.
from external-auth-server.
OK, so I finished up my other items and then spent an hour and knocked this out. I'll be committing shortly and getting it merged into master. It can optionally check revoked status, and any other arbitrary datapoints in the id_token
and userinfo
datasets (for example I tested to only allow a specific localId
, but you could go bonkers with it).
I'll keep you posted about merge status and then once it's merged help you step through setup/configuration.
from external-auth-server.
I just landed all my work including firebase_jwt
auth plugin. Comment here when you're ready to give it a whirl and I can help you get going..
from external-auth-server.
Still want help with this?
from external-auth-server.
Related Issues (20)
- eas fails to handle x-userinfo with non-ascii characters HOT 32
- Bump jsonwebtoken from 8.5.0+ to 9.0.0+ to patch several moderate security vulnerabilities HOT 5
- GitHub Oauth Permission Write? HOT 13
- Traefik + EAS + KeyCloak HOT 10
- [BUG] uncaughtException: Cannot read properties of undefined (reading 'match') HOT 37
- Oauth2 support for Azure provider HOT 1
- Semi colons are replaced by ampersands after logout HOT 10
- Crash due to ERR_UNHANDLED_REJECTION HOT 2
- Question about cookie lifetime? HOT 2
- custom_service_headers not being injected HOT 8
- /metrics end point still available to access after set disabled HOT 9
- Crash at startup due to "unable to determine boolean value" HOT 1
- Using variable in redirect_uri HOT 6
- Environment variables HOT 12
- using yaml for token config HOT 27
- Fetch config_token like a Kubernetes Secret from Vault HOT 1
- Architectural question: does Traefik receive the token issued by eas? HOT 2
- No OIDC frontchannel logout when session_state is missing in the ID token HOT 5
- Limit number of concurrent OIDC sessions per user HOT 11
- Image vulnerabilities HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from external-auth-server.