I'm a newbie so any help appreciated.
I've created an app/service using Google App Engine (node) that returns a simple 'hello world' response, see https://resumetemplatesconverter.appspot.com/
I've also got a Polymer web app that uses Firebase Authentication for sign up, sign in, sign out, etc.
Question is, what is the best way to configure the Google App Engine app/service so that only users authenticated with the Polymer web app can use it?
Thanks.
Firebase (Authorization Server) sends a token (Access Token) back to the client (browser).
The client now makes a request to your app engine service (Resource Server) with that token.
What you need to do is to check if the token is valid and if it is valid, return that secret data.
The OAuth 2.0 spec doesn't clearly define the interaction between a Resource Server and Authorization Server for access token validation:
Access token attributes and the methods used to access protected resources are beyond the scope of this specification and are defined by companion specifications.
So for each authentication service (Google, Facebook, GitHub, etc.) you use, you have to look up how to validate the Access Token.
Example:
Request (from your app engine backend)
https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=XYZ123
Response
{
// These six fields are included in all Google ID Tokens.
"iss": "https://accounts.google.com",
"sub": "110169484474386276334",
"azp": "1008719970978-hb24n2dstb40o45d4feuo2ukqmcc6381.apps.googleusercontent.com",
"aud": "1008719970978-hb24n2dstb40o45d4feuo2ukqmcc6381.apps.googleusercontent.com",
"iat": "1433978353",
"exp": "1433981953",
// These seven fields are only included when the user has granted the "profile" and
// "email" OAuth scopes to the application.
"email": "testuser@gmail.com",
"email_verified": "true",
"name" : "Test User",
"picture": "https://lh4.googleusercontent.com/-kYgzyAWpZzJ/ABCDEFGHI/AAAJKLMNOP/tIXL9Ir44LE/s99-c/photo.jpg",
"given_name": "Test",
"family_name": "User",
"locale": "en"
}
You can make this plain request from your backend server, but it would be better to use one of the Google API Client Libraries.
See here for more info regarding "Authenticate with a backend server".