
Adding roles to a JWT from Firebase API


I'm trying to build an authentication and authorisation system using Firebase. I'm using it as we already have a lot of GCP projects.

I've set up a few 'customers/users' in the Firebase Authentication console using email and password flow. Using this I can send a login request via Postman and get back a JWT. Great.

My problem is that I'd like the JWT to contain some roles/permissions so that I can protect resources on various front end applications. I've done this using angular with dotnet core and entity framework identity, and identity server 4, so I assumed it would be straightforward.

However, I cannot figure this out on Firebase. I've spent two days poring through articles, documentation and ChatGPT and still can't find a solution. I'm struggling to even figure out if this is possible. I think it is, but I'm getting lost between the GCP IAM roles that govern access to GCP resources, and what I can apply to the customers in Firebase that I can include in the JWT from the Firebase API call for front end use.

If anybody actually knows how to do this and can point me in the right direction that would be awesome...


Solution

  • Firebase Authentication allows for a small payload of JSON data to appear as custom claims in a JWT. The documentation discusses this at length. You must use the Firebase Admin SDK (initialized with a service account for the project) or its underlying APIs to set them - you can't do it in the console or using the client APIs.

    GCP IAM has nothing to do with Firebase Auth user accounts. They are completely different systems.
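
A sketch of the custom-claims approach this answer describes, added here as an example and not taken from the answer or from Firebase's own code. The role names, the `roles` claim name and the `FakeAuth` stand-in are assumptions for illustration; `set_custom_user_claims` and `verify_id_token` are the Firebase Admin SDK for Python calls it is written against.

```python
import json

# Hypothetical role names for this example; define your own allowlist.
ALLOWED_ROLES = {"admin", "editor", "viewer"}
# Claim names reserved by Firebase Auth / OIDC; the Admin SDK rejects these as custom claims.
RESERVED_CLAIMS = {"acr", "amr", "at_hash", "aud", "auth_time", "azp", "cnf", "c_hash",
                   "exp", "iat", "iss", "jti", "nbf", "nonce", "sub", "firebase"}
MAX_CLAIMS_BYTES = 1000  # documented size limit for the custom claims payload


def build_role_claims(roles, claim_name="roles"):
    """Validate roles and return the custom-claims dict to store on the user."""
    if claim_name in RESERVED_CLAIMS:
        raise ValueError(f"claim name {claim_name!r} is reserved")
    unknown = set(roles) - ALLOWED_ROLES
    if unknown:
        raise ValueError(f"unknown roles: {sorted(unknown)}")
    claims = {claim_name: sorted(set(roles))}
    if len(json.dumps(claims, separators=(",", ":")).encode("utf-8")) > MAX_CLAIMS_BYTES:
        raise ValueError("custom claims exceed 1000 bytes")
    return claims


def assign_roles(auth_client, uid, roles):
    """Set roles on a user. auth_client is firebase_admin.auth in real use."""
    claims = build_role_claims(roles)
    auth_client.set_custom_user_claims(uid, claims)
    return claims


def has_role(decoded_token, role, claim_name="roles"):
    """Check a role on the dict returned by auth.verify_id_token(id_token)."""
    roles = decoded_token.get(claim_name, [])
    return isinstance(roles, list) and role in roles


class FakeAuth:
    """Offline stand-in for firebase_admin.auth, constructed for this example."""
    def __init__(self):
        self.claims = {}
    def set_custom_user_claims(self, uid, custom_claims):
        self.claims[uid] = custom_claims


if __name__ == "__main__":
    fake = FakeAuth()
    assign_roles(fake, "constructed-uid-123", ["editor", "viewer"])
    token = {"uid": "constructed-uid-123", **fake.claims["constructed-uid-123"]}
    print(has_role(token, "editor"), has_role(token, "admin"))
```

With the real SDK, call `firebase_admin.initialize_app()` with the project's service account and pass `firebase_admin.auth` as `auth_client`. An ID token the user already holds keeps its old claims until it is refreshed, so check roles on the server from the verified token rather than trusting the front end's copy.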