Search code examples
firebase-authenticationflutterlumen

Firebase authentication for private server

I am developoing a flutter app and want to use Firebase auth service to enable my users to signup/login using:

  • email/pass
  • google
  • facebook

I have a lumen backend REST server with MySQL database.

Problem: Going through loads of firebase documentation I cannot understand the whole flow of how this should work.

I can successfully create users using the app and they appear in the firebase console, however, I don't know how to enable them to securely talk to my backend server.

I would expect Firebase to release an access and refresh tokens for me to use for my private communication between the app and backend, like AWS cognito does. Instead, it issues an "ID Token" that is JWT token and should be verified on backend. But what do I do once it is verified?

How do I link my users in my database to the authenticated user? What is the thing to store in the database to map to the authenticated user?

Do I have to generate custom tokens via the Admin SDK?

Or is the ID Token the thing that should be passed from client to backend on each request and then verified? But still, what do I put from this ID token to my database to link the authenticated user with their data?

Solution

  • Here's how I do it now. It works great.

    1. Install Firebase admin sdk on your backend server, if you are using php, here is what I've followed and worked flawlessly: PHP Firebase Admin sdk
    2. Aquire firebase idToken using firebase SDK in your client (app), I've used Firebase auth package for this.
    3. Send idToken to your backend
    4. Use Admin SDK to verify the idToken, if verification is successful it returns a Firebase user object. And you can perform various management actions on it (modify, delete, get different data etc.).
    5. Get uid from the Firebase user object.
    6. Store uid in your database.
    7. Now each time this authenticated user makes a request to your backend server, you attach the idToken to the header of the request.
    8. Each time you verify (see step 4) the idToken on your backend server and if the verification is successful you extract the uid to know which user to query in your database.

    Any comments/improvements on this are welcome :)