Reputation: 627
I want to have authentication and authorization support in Firestore while using a Node.js app that talks to Firestore. Users interact via a URL (http.get with embedded tokens) that hits a Node.js app. The app accepts some input from the user, then talks to Firestore. The access token needed for the client to perform secure activities is embedded in the GET URL (the id + access token).
I have a flow here, and want to validate whether this flow is right or whether I am missing something. I am unable to find a definitive document that guides me on the steps to follow.
First off I generate the JWT token before generating the GET URL. The function used to generate the JWT token is as follows:

    // generate JWT token (jsonwebtoken library; constants holds the secret and validity)
    const jwt = require('jsonwebtoken');
    const constants = require('./constants'); // assumed module; the post does not show where constants comes from

    function getJWT() {
      var token = jwt.sign({
        // expiry in seconds since epoch: now + JWT_TOKEN_VALIDITY_HOURS hours
        exp: Math.floor(Date.now() / 1000) + (60 * 60) * constants.JWT_TOKEN_VALIDITY_HOURS,
        admin: 'XXXXXXX' // placeholder value as posted
      }, constants.JWT_SECRET_TOKEN);
      return token;
    }
Bearer Tokens: I have heard in many forums that it is possible for me to send this JWT as a "Bearer token" in the Authorization header. It means Firestore magically does all the authorization for me. Anything else I should be doing?
1) I believe I need to sign in using this custom JSON web token and obtain an ID token. Is that correct? (Sign in from a Firebase Client SDK, or use the Firebase Auth REST API to exchange the custom token for an ID token.)
2) Then I need to pass this ID token (not the JSON web token) to the Cloud Firestore endpoints when I am making a request for DB access, as an Authorization header set to Bearer {YOUR_TOKEN}. Then you can access the Firestore REST API with the resulting ID token: https://firebase.google.com/docs/firestore/use-rest-api#working_with_firebase_id_tokens
Imagine I also embed the bearer token into the header, using the JSON access token or the ID token I get from Firestore:

    // Angular HttpClient call; appUrl is our URL to the app,
    // accessToken is the JSON Web access token or the ID token
    return this.http
      .get(`${appUrl}`, {
        headers: new HttpHeaders().set('Authorization', `Bearer ${accessToken}`)
      });
The user clicks on the URL that has this access token. They agree to the terms and conditions and then I redirect them to a Cloud Function that does some processing. This JSON Web token is passed along. I also verify the JWT token for authentication purposes using this code:

    const jwt = require('jsonwebtoken');
    const constants = require('./constants'); // assumed module holding JWT_SECRET_TOKEN

    // returns true only if the signature and exp claim check out and the admin claim matches
    function verifyToken(token) {
      try {
        var decoded = jwt.verify(token, constants.JWT_SECRET_TOKEN);
        var admin = decoded.admin;
        if (admin == "XXXXXXXXX") { // placeholder; must equal the admin value set in getJWT
          return true;
        }
        return false;
      } catch (err) {
        // jwt.verify throws on a bad signature, an expired token, or malformed input
        console.log(err);
        return false;
      }
    }
Any samples related to this will be helpful.
Related links I used:
https://firebase.google.com/docs/firestore/use-rest-api#working_with_firebase_id_tokens
https://auth0.com/blog/how-to-authenticate-firebase-and-angular-with-auth0-part-1/
Finally, the protocol specification for https.onCall in https://firebase.google.com/docs/functions/callable-reference
Optional: Authorization: Bearer <token>. A Firebase Authentication user ID token for the logged-in user making the request. The backend automatically verifies this token and makes it available in the handler's context. If the token is not valid, the request is rejected.
Upvotes: 1
Views: 3641
Reputation: 627
This is the official response I got from Google (but again, it works only if the user has an authentication request, meaning a valid Firebase user, I think), but what I want to know is whether I can achieve something like this using the JSON web token itself.
Just to clarify, you'll need either a Firebase ID token or a Google Identity OAuth 2.0 token to be passed on to the Cloud Firestore endpoints as an Authorization header set to Bearer {YOUR_TOKEN}.
You may refer to the following links for more information on this:
Also, we don't have any samples related to this, but there's an internal request to improve our REST documentation. I won't be able to share any details or timelines with you as to when it could materialize; however, you may keep an eye on our release notes or the Firebase blog for any updates we might have.
I am hopeful that on Stack Overflow I might get more samples related to this. But for now this is all I've got.
Upvotes: 1