This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Use firebase token id in Apigee

Posted on 04-15-2019 01:58 AM
viktoria
New Member
Reply posted on --/--/---- --:-- AM

I am using Firebase realtime database to store data. I have Apigee proxy in between client and firebase db. It is working easily to send get data from the database, using Firebase rest API and Apigee proxies. Now I would like to set up an authentication, according Firebase there are two auth methods Google OAuth2 access tokens and Firebase ID tokens. Our read and write abilities are governed by Firebase rules and I would like to use Firebase ID tokens to leverage the use of Firebase rules. How can I use Apigee auth polices and Firebase token id verification together?

1 4 1,358
Topic Labels
4 REPLIES 4

Posted on --/--/---- --:-- AM
dchiesa1
Staff
Reply posted on --/--/---- --:-- AM

I believe What you are describing is something we call "Security Mediation."

The idea is that a call from a client may bear one set of credentials, or one kind of token,

and then the Apigee Edge API Proxy can map that credential or token to a different credential or token for the backend system .

I don't know that much about Firebase, but I believe that the Firebase ID token is a JWT ID Token that is issued by Firebase itself.

In this case you have a couple options.

  1. Require the original client to obtain the ID token and pass it through Apigee Edge. In this case Apigee Edge would simply act as a pass-through for purposes of security, and would not check or validate the token.
  2. Require the original client to authenticate with Apigee Edge, and then allow Apigee Edge to authenticate to Firebase with the ID token. In this case the client would authenticate by getting an OAuth token, in the normal way, from Apigee Edge. This token can be a client credentials grant, or any other supported grant type. Once Apigee Edge calls VerifyAccessToken then your API Proxy should insert the firebase ID token into the request that gets sent to the backend. This may replace or overwrite the existing Authorization header in the request.
  3. Require the client to authenticate with both Apigee Edge AND firebase. This seems like too much burden to place on a client developer, but it's possible to do it.

Which you choose...depends on your use case.

For the case in which Apigee Edge must obtain a Firebase ID token, you only need to employ something like a ServiceCallout to call to the Firebase auth service. Do this in the request flow, before the target. For efficiency you should then cache the token, so that the API Proxy is not obtaining a new token for every new request it handles.

Maybe you've already thought of this, and want to know in more detail how to do it. If so, please clarify what you have tried and what obstacle you are facing.

Posted on --/--/---- --:-- AM
viktoria
New Member
In response to dchiesa1
Reply posted on --/--/---- --:-- AM

In our current setup I am using Realtime Database REST API to read and write data, users are authenticated using firebase ID token, I choose this authentication method because we want to limit access to individual users and currently are using realtime database rules for limiting access on which data user can access, like this 

<code>curl "https://<DATABASE_NAME>.firebaseio.com/users/ada/name.json?auth=<ID_TOKEN>"

Firebase ID token can be obtained by sending a request 

curl 'https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyPassword?key=[API_KEY]'\-H 'Content-Type: application/json'\--data-binary '{"email":"[me@example.com]","password":"mypassword","returnSecureToken":true}'
If my credential are correct I get back my idToken and other information 
{"kind":"identitytoolkit#VerifyPasswordResponse","localId":"ZY1ghjgghhhh..","email":"[me@example.com]","displayName":"","idToken":"[ID_TOKEN]","registered":true,"refreshToken":"[REFRESH_TOKEN]","expiresIn":"3600"}

Tokens can be verified using admin sdk that firebase offers or using a third-party JWT library and the public key I can get from here: https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com

In Apigee I can use verify token policy and do a service callout to the url above to get the public key. What would be a good onboarding flow for a developer who shall consume the api? We have set up our developer portal using Apigee, where developer can sign up and get client id and key, how can an API consumer obtain Firebase ID token in a good way and still be able to keep track of who is using our API while using third party token generated by firebase? Overall looking for advice/procedure on how to make authentication flow work with Apigee and Firebase. @Dino-at-Google

Posted on --/--/---- --:-- AM
optimism
Silver 2
Silver 2
Reply posted on --/--/---- --:-- AM

Hi Dear Community,

I would like to move up this useful topic by asking if someone already knows about Apigee's capabilities to "exchange token to token - e.g. Microsoft token to Firebase token"?

I'm aware of pass-through & Generate JWT, but not about "token for token exchange".

0 Likes

Posted on --/--/---- --:-- AM
dchiesa1
Staff
In response to optimism
Reply posted on --/--/---- --:-- AM

Sure, Apigee can do that. But your question is an entirely new one.  To get more details, I suggest that you Ask a New Question. 

ask-a-new-question.png