skip to Main Content

I’m starting a new project, and after testing my own JWT Auth, I think OAuth2 with an IdP like Firebase would be a better solution.

I found too much resources, butI’m now a bit confused.

About my Project :

  • Frontend: Vue 3 (with Quasar) + Pinia
  • Backend: FastAPI + firebase-admin
  • Redis, PostgreSQL

Side note:
I think the Diagram 1 make more sense, but I would like the advice of someone more experimented in oAuth. (pro/con of each diagram?)

I’m not familiar with Caching/Redis, but I read on the Auth0 Community, they recommended to cache the tokens, so the IdP will issue less tokens, and it will reduced the cost.

Questions :

  • Which diagram/workflow would be the most secure and would you prefer ?
  • I think it’s possible to cache the tokens at the frontend level, but is it enough secure ?

Diagram 1

Diagram 2

2

Answers


  1. If you use Firebase auth you will use their web SDK (or one of the other client side SDKs) on client side and their admin SDK on server side. Firebase will handle the caching, tokens, etc. When you pass your request to the server the admin SDK can verify the auth before you process the request.

    Login or Signup to reply.
  2. Normally you would create a Firebase user after the getting their OAuth Token. For example, when using Google as the OAuth provider, the first half would be like:

    enter image description here

    See the documentation for complete diagram and flow.

    After you get the response, you can call the sign in user with OAuth credential that will create a user in Firebase Authentication. Thereafter, you can use Firebase’s pair of access and refresh tokens to authenticate user on your backend. See verify Firebase ID Tokens.

    A Firebase ID Token is a JWT generally used as a bearer token that essentially means if you have the token, you have the permission to access given resources. You can just store the tokens on client’s device and send them in API request and verify them every time. Only caching I can think of is storing a key-value pair where key is the token and value is user’s ID so you don’t have to verify the token every time but I would just verify them.


    When using Firebase Client SDKs, you don’t have to deal with all this but just use built it methods like signInWithPopup() and Firebase will do this behind the scenes.

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search