skip to Main Content

I have fully integrated Firebase Auth in my Android App, now I want the client to interact with my backend (rails) using a unique Token. my question is this how it’s done :

  1. User is logged-in, using for example Facebook Auth,
  2. Send the Firebase Token to backend and verify it
  3. Respond to the client with a unique Token for the upcoming Api requests (get users data, save user data …)

Thank you

3

Answers


  1. You do not need step #3. Firebase Auth Android SDK getToken() API returns a short-lived (one hour) Firebase Auth ID Token for the login user, and automatically returns a new token if the previous one expires.

    The Firebase token verification doc describes how to get a Firebase token on client app and verify the token on server side.

    Login or Signup to reply.
  2. Taking JinLiu’s answer forward , once you get the Token in your android code , send it to your backend say : https://www.yourbackend.com?authenticate?token=asdad7687h
    Note that the token generated by Firebase is a JWT token , we need to first verify its authenticity and decode it in the backend. For this , you need to add these two gems to your gemfile
    gem ‘jwt’ , ‘1.5.6’
    gem ‘rest-client’ , ‘2.0.1’
    With that done , you need to add these two (private) function in your controller:

    def get_set_user
        begin
            token = params[:token]
            if token.nil?
              @user = nil
              return
            end
            firebase_id = verify_user(token)[0]["user_id"]
            if User.where(:firebase_id => firebase_id).exists?
              @user = User.where(:firebase_id => firebase_id).first
            else
              @user = User.new(:firebase_id => firebase_id)
              @user.save
              @user
            end
        rescue
            @user = nil
        end
    end
    
    def verify_user(token)
      certificate_url = "https://www.googleapis.com/robot/v1/metadata/x509/[email protected]"
      myresponse = RestClient.get(certificate_url).body
      certificates  = JSON.parse myresponse.gsub('=>', ':')
      myjson =""
      certificates.each do|key , value|
        begin
          x509 = OpenSSL::X509::Certificate.new(value)
          iss = 'https://securetoken.google.com/<yourdomain>'
          aud = 'yourdomain' # change this 
          myjson = JWT.decode(token, x509.public_key, true, 
          {               algorithm: "RS256", verify_iat: true ,
                          iss: iss , verify_iss: true ,
                          aud: aud , verify_aud: true
          })
    
          return myjson
    
        rescue
        end
      end
    
      return nil     
    
    end
    

    Now you can call get_set_user as before action to see , if the user has valid token .
    The idea is simple. Check if the token is signed by one of the keys mentioned at https://www.googleapis.com/robot/v1/metadata/x509/[email protected] . If yes , decode the token and get the firebase id .

    Login or Signup to reply.
  3. I have developed the firebase_id_token gem.
    It deals with all the certificates/signature business.

    It can be used simply as:

    FirebaseIdToken::Signature.verify(token)
    
    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search