REST service using Spring Security and Firebase Authentication

Is there a simple way to integrate Firebase Authentication with Spring Security (for a REST service)?

From what I've read, I'll probably need to use a JWT token (obtained via Firebase), use that to authenticate the Spring service, and finally verify the token within the service via Firebase. But I can't find any (simple) documentation on using JWT with Spring Security.

I'd also like to be able to provide an /auth/login endpoint that uses Basic Auth rather than JWT so that I can obtain a JWT token via Firebase using email/password credentials. But this would mean enabling Basic Auth at one endpoint in the service and JWT Auth at all others. Not sure that's possible.

MJ. asked Nov 23 '16 14:11



1 Answer

Short answer: no.

Long answer: you should create your own JWT, regardless of Firebase. When you receive a JWT from Firebase, verify its integrity. Then, issue your own based on the data in the token. Then you only need to adapt it to various OAuth providers. This way you can avoid round trips to Firebase on each request.

For authenticating the user on each request (stateless auth), you add a filter with highest precedence. From the HTTP request you are filtering, get the JWT and verify its integrity. If it's all good, set the authentication in the SecurityContextHolder.

Stefa answered Sep 20 '22 09:09
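
The per-request filter described in the answer above, as an added example that is not part of the original answer. It assumes Spring Security 6 (jakarta.servlet), Jackson on the classpath, and that the service signs its own tokens with HS256; the class name ServiceJwtFilter and the way the key is supplied are hypothetical.

```java
// Added example: stateless JWT filter. Assumes Spring Security 6, Jackson, service-issued HS256 tokens.
import com.fasterxml.jackson.databind.ObjectMapper;
import jakarta.servlet.*;
import jakarta.servlet.http.*;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

public class ServiceJwtFilter extends OncePerRequestFilter {
    private static final ObjectMapper JSON = new ObjectMapper();
    private final byte[] key; // assumption: this service's own signing secret, loaded from config
    public ServiceJwtFilter(byte[] key) { this.key = key.clone(); }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
            FilterChain chain) throws ServletException, IOException {
        String h = req.getHeader("Authorization");
        if (h != null && h.startsWith("Bearer ")) {
            try { // valid token: the request runs as the token's subject
                var auth = new UsernamePasswordAuthenticationToken(verify(h.substring(7)), null, List.of());
                SecurityContextHolder.getContext().setAuthentication(auth);
            } catch (Exception e) { SecurityContextHolder.clearContext(); } // invalid: stay anonymous
        }
        chain.doFilter(req, res);
    }

    // Returns the "sub" claim only if the algorithm, signature and expiry all check out.
    String verify(String jwt) throws GeneralSecurityException, IOException {
        String[] p = jwt.split("\\.");
        if (p.length != 3) throw new GeneralSecurityException("malformed token");
        Base64.Decoder b64 = Base64.getUrlDecoder();
        if (!"HS256".equals(JSON.readTree(b64.decode(p[0])).path("alg").asText()))
            throw new GeneralSecurityException("unexpected alg"); // never let the header pick the alg
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        byte[] mine = mac.doFinal((p[0] + "." + p[1]).getBytes(StandardCharsets.US_ASCII));
        if (!MessageDigest.isEqual(mine, b64.decode(p[2]))) // constant-time comparison
            throw new GeneralSecurityException("bad signature");
        var claims = JSON.readTree(b64.decode(p[1]));
        String sub = claims.path("sub").asText();
        if (sub.isEmpty() || claims.path("exp").asLong() <= System.currentTimeMillis() / 1000)
            throw new GeneralSecurityException("expired or missing subject");
        return sub;
    }
}
```

To run it ahead of the built-in authentication filters, register it with `http.addFilterBefore(new ServiceJwtFilter(key), UsernamePasswordAuthenticationFilter.class)` in the security configuration. A request with a missing or invalid token is passed on unauthenticated, so the authorization rules decide whether it is rejected.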