How to integrate firebase authentication with google app engine endpoints

Question

I am writing a backend server for mobile applications. The backend is running on google app engine and written in Java.

I want users to be able to login with federated identity such as facebook.

I saw that google supports this kind of authentication for mobile apps via firebase authentication. What would be the best way to integrate firebase authentication with my current app engine endpoints?

I already use the cloud platform's datastore and don't wish to work with the firebase database, only use the authentication method.

Thanks.

Answer 1

I'm also looking for an answer to this. My best 5c so far is to

• Use FireBase to set up sign in methods etc. from the console
• Use FireBase UI (in beta) for web or "Federated identity provider integration" for iOS/Android to set up the authentication flow
• Retrive token/authentication details on your web/iOS/Android client and pass it on to your Cloud Endpoints as e.g., HTTP Request Headers
• Inject the javax.servlet.http.HttpServletRequest to your endpoint methods (just add an argument and Google with inject the request object automatically)
• Create a method that your Endpoint will call for each request (that needs authentication) that will handle the validation of the credentials you have passed on as HTTP Request Headers
• Use FireBase Java SDK to call FireBase to validate the credentials (in order to do this, you need to export the json configuration from the Firebase console) and load the SDK with them, e.g., in one of your servlets:

@Override
    public void init(ServletConfig config) {
        try{
        InputStream in = config.getServletContext().getResourceAsStream("/WEB-INF/firebase-privatekey.json");
        FirebaseOptions options = new FirebaseOptions.Builder()
                .setServiceAccount(in)
                .setDatabaseUrl("YOUR_DATABASE_URL")
                .build();
        FirebaseApp.initializeApp(options);
        log.info("Authentication enabled");
        }
        catch(Throwable t) {
            t.printStackTrace();
            log.warning("AUTHENTICATION DISABLED. Only public resources will be available");
        }
    }

Answer 2

You should be able to use Google Cloud Endpoints as an authentication proxy in front of your app. Endpoints supports validating Firebase Authentication tokens by configuring your OpenAPI template:

# Configure Firebase as an AuthN provider
securityDefinitions:
    firebase:
      authorizationUrl: ""
      flow: "implicit"
      type: "oauth2"
      # Replace YOUR-PROJECT-ID with your project ID in the issuer and audiences fields
      x-google-issuer: "https://securetoken.google.com/YOUR-PROJECT-ID"
      x-google-audiences: "YOUR-PROJECT-ID"
      x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/metadata/x509/[email protected]"

# Add Firebase as an authN provider to specific endpoints...
security:
  - firebase: []

Alternatively, you can use the Firebase Admin SDK to write authentication middleware that validates your tokens:

FirebaseAuth.getInstance().verifyIdToken(idToken)
    .addOnSuccessListener(new OnSuccessListener<FirebaseToken>() {
        @Override
        public void onSuccess(FirebaseToken decodedToken) {
            String uid = decodedToken.getUid();
            // ...
        }
});