"exchange token to token - e.g. Microsoft token to Firebase token"

Hi Dear Community,

Does someone already know about Apigee's capabilities to "exchange token to token - e.g. Microsoft token to Firebase token"?

I'm aware of pass-through & Generate JWT, but not about "token for token exchange".

As a result of searching through the existing posts here, I've found some relatively close ones, such as https://www.googlecloudcommunity.com/gc/Apigee/Use-firebase-token-id-in-Apigee/td-p/33896, so far.

thanks!


You can build an Apigee API proxy that performs token exchange. Apigee has the ability to verify a JWT signed with RS256 or PS256 using the appropriate public key. If "Microsoft token" means a JWT id token or access token issued by the Microsoft Graph API, then yes, you can build an Apigee proxy that verifies the signature on that token (using the VerifyJWT policy which would access the Microsoft JWKS endpoint) and then makes a decision on what more to do based on the claims within that token.  The next thing to do might be "get another token from some other endpoint" - that might be the Firebase token endpoint. 

Apigee doesn't have a "native" ability to generate and issue Firebase/Firestore tokens. You would want your Apigee API proxy to interact with the documented interfaces for Firebase for getting new tokens. I am not a Firebase expert, but as I understand it, in the standard case the Firebase Auth endpoint specifically authenticates users. That user authentication usually involves a username + password. Often, people avoid constructing their Apigee API proxies to handle user authentication credentials directly. The goal is to limit the transmission of "secrets" to the minimum required, which means the user should directly authenticate to the Identity Provider (like Firebase, or some other OpenID Connect endpoint). Getting back to the goal of "get another token from some other endpoint", this requirement to avoid handling user credentials within the Apigee proxy means that Apigee wouldn't be able to directly obtain a token from Firebase. (I think.)

What I understand from reading the documentation is that an actor like an Apigee proxy within a distributed system can construct a specially-formatted JWT, sign it via RS256 with the private key corresponding to a service account (using the GenerateJWT policy), and then transmit that signed JWT back to the client app, which can then exchange that JWT for a Firebase-issued token. In other words, Apigee could assist in the token exchange, though not perform it unilaterally. If I understand the documentation, the intent for this interaction model is specifically to allow federated authentication, which is exactly the scenario you're describing: exchanging token for token. This exchange would require that the client app explicitly participate in this token-for-token exchange.

I'd be glad to talk through with you the design and implementation of an Apigee API Proxy that performs this token exchange, if you like. It doesn't sound like it would be super complicated. Aside from the specifics of Graph-to-Firebase, token exchange is a somewhat common technical use case for Apigee API Proxies.
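The flow sketched in the reply (verify the Microsoft-issued JWT, then mint a Firebase custom token that the client app exchanges itself), written out as Apigee policy configuration. This is an added example, not part of the original post or of any Apigee or Firebase sample. It assumes a tenant ID, an app registration client ID and a Firebase project ID (shown as `{tenant-id}`, `{app-client-id}`, `{project-id}` placeholders), that the Firebase service account's private key has been stored in an encrypted environment-scoped KVM named `firebase-secrets`, and that the Microsoft `oid` claim is an acceptable Firebase `uid` for your application; the policy and variable names are also made up for this example. Two checks a practitioner should keep: the `Audience` in VerifyJWT must be your own app registration, because a token issued for another resource (for instance Microsoft Graph) is not meant to be validated by anyone but that resource, and a Firebase custom token must carry `iss` and `sub` equal to the service account email, `aud` equal to the Identity Toolkit URL, a `uid` claim of 1 to 128 characters, and an `exp` no more than one hour after `iat`, or `signInWithCustomToken` will reject it.

```xml
<!-- Step 1: verify the inbound Microsoft JWT. VerifyJWT reads the token from the
     Authorization: Bearer header by default, fetches the tenant's signing keys
     from the JWKS endpoint, checks the RS256 signature, expiry (with 30s skew),
     issuer and audience, and raises a fault (stopping the flow) on any failure.
     Pin the tenant rather than using the "common" endpoint so the issuer is fixed. -->
<VerifyJWT name="VJ-Microsoft">
  <Algorithm>RS256</Algorithm>
  <PublicKey>
    <JWKS uri="https://login.microsoftonline.com/{tenant-id}/discovery/v2.0/keys"/>
  </PublicKey>
  <Issuer>https://login.microsoftonline.com/{tenant-id}/v2.0</Issuer>
  <!-- Must be your own app registration, never another resource's audience. -->
  <Audience>{app-client-id}</Audience>
  <TimeAllowance>30s</TimeAllowance>
</VerifyJWT>

<!-- Step 2: load the Firebase service account private key from an encrypted KVM.
     The "private." prefix is required for encrypted KVM values and keeps the key
     out of trace output. Map and key names are assumptions for this example. -->
<KeyValueMapOperations name="KVM-LoadFirebaseKey" mapIdentifier="firebase-secrets">
  <Scope>environment</Scope>
  <Get assignTo="private.firebase_sa_key">
    <Key><Parameter>service_account_private_key</Parameter></Key>
  </Get>
</KeyValueMapOperations>

<!-- Step 3: mint the Firebase custom token. Only reached if VJ-Microsoft succeeded.
     Firebase requires iss == sub == service account email, aud == the Identity
     Toolkit URL, a uid claim, and exp at most one hour after iat. The uid is
     taken from the verified Microsoft oid claim (an assumption; use whatever
     stable identifier your application maps to a Firebase user). -->
<GenerateJWT name="GJ-FirebaseCustomToken">
  <Algorithm>RS256</Algorithm>
  <PrivateKey>
    <Value ref="private.firebase_sa_key"/>
  </PrivateKey>
  <Issuer>firebase-adminsdk@{project-id}.iam.gserviceaccount.com</Issuer>
  <Subject>firebase-adminsdk@{project-id}.iam.gserviceaccount.com</Subject>
  <Audience>https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit</Audience>
  <ExpiresIn>1h</ExpiresIn>
  <AdditionalClaims>
    <Claim name="uid" ref="jwt.VJ-Microsoft.decoded.claim.oid" type="string"/>
  </AdditionalClaims>
  <OutputVariable>firebase_custom_token</OutputVariable>
</GenerateJWT>

<!-- Step 4: hand the custom token back to the client app, which completes the
     exchange by calling Firebase's signInWithCustomToken. No target is needed.
     variablePrefix/variableSuffix are changed so the JSON braces are left alone. -->
<AssignMessage name="AM-ReturnCustomToken">
  <Set>
    <Headers>
      <Header name="Cache-Control">no-store</Header>
    </Headers>
    <Payload contentType="application/json" variablePrefix="@" variableSuffix="#">{"customToken":"@firebase_custom_token#"}</Payload>
    <StatusCode>200</StatusCode>
  </Set>
  <AssignTo createNew="false" transport="http" type="response"/>
</AssignMessage>

<!-- Proxy endpoint wiring: POST /exchange runs the four policies in order and
     routes nowhere, so the response built by AM-ReturnCustomToken is returned. -->
<ProxyEndpoint name="default">
  <Flows>
    <Flow name="exchange">
      <Condition>(proxy.pathsuffix MatchesPath "/exchange") and (request.verb = "POST")</Condition>
      <Request>
        <Step><Name>VJ-Microsoft</Name></Step>
        <Step><Name>KVM-LoadFirebaseKey</Name></Step>
        <Step><Name>GJ-FirebaseCustomToken</Name></Step>
        <Step><Name>AM-ReturnCustomToken</Name></Step>
      </Request>
    </Flow>
  </Flows>
  <HTTPProxyConnection>
    <BasePath>/token-exchange</BasePath>
  </HTTPProxyConnection>
  <RouteRule name="noroute"/>
</ProxyEndpoint>
```

The custom token is deliberately not a Firebase ID token: the client still has to present it to Firebase Auth, which verifies the service account signature and issues its own ID and refresh tokens, so the Apigee proxy never sees user credentials and never holds a Firebase session.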