Using mail and password to authenticate via the REST API [Firebase]

49
votes

I was wondering whether it is possible to actually authenticate to the Firebase REST API withouth using the custom authentication?

I've worked with Firebase now for some time and I'm currently thinking about migrating a backend of mine to Firebase. The app that uses the backend currently uses a REST API and does not need realtime data at all. Thus I'd like to use only the REST API and not the full Android framework on the clients.

Is it possible to get an auth token using the mail & password authentication of Firebase via HTTP-requests?

In the old docs I've only found a solution with custom login and in the new docs you seem to need a Google Service Account.

Any help or advice appreciated.

5
androidrestfirebasefirebase-authentication
Neither the legacy firebase.com nor the new firebase.google.com SDKs allow you to mint a token via its REST API. You'll have to set up a server/endpoint that mints the token, for example with one of the supported libraries: firebase.google.com/docs/auth/server#create_a_custom_token.Frank van Puffelen
@FrankvanPuffelen Hello Frank, thanks for taking the time to answer. As nloewen stated below and I thought myself you surely use HTTP request inside your SDKs aswell. So there has to be some way, even if it isn't officially supported. But I'll take a look at the custom token generation aswell, thank you.Endzeit

5 Answers

71
votes

Update: Firebase REST authentication is now documented!

View the documentation

Firebase REST authentication

I figured out how to perform email and password authentication for Firebase by examining the requests sent by the Javascript API.

These APIs are undocumented and unsupported

Firebase 3

Firebase 3 authentication is an updated and renamed version of the Google Identity Toolkit. The old documentation is not fully accurate, but may be useful and can be found here: https://developers.google.com/identity/toolkit/web/reference/

Firebase 3 requires all requests to have Content-Type: application/json in the header

API Key

Firebase 3 requires an API key to be attached to all authentication requests. You can find the API key for your database by visiting the Firebase project overview and clicking on "Add Firebase to your web app". You should see a window with code like the following:

<script src="https://www.gstatic.com/firebasejs/live/3.0/firebase.js">    </script>
<script>
  // Initialize Firebase
  var config = {
    apiKey: "<my-firebase-api-key>",
    authDomain: "my-firebase.firebaseapp.com",
    databaseURL: "https://my-firebase.firebaseio.com",
    storageBucket: "my-firebase.appspot.com",
  };
  firebase.initializeApp(config);
</script>

Copy the apiKey value and save it for later.

Registration

Method: POST

URL: https://www.googleapis.com/identitytoolkit/v3/relyingparty/signupNewUser?key=<my-firebase-api-key>

Payload:

{
    email: "<email>",
    password: "<password>",
    returnSecureToken: true
}

Response: 

{
    "kind": "identitytoolkit#SignupNewUserResponse",
    "localId": "<firebase-user-id>", // Use this to uniquely identify users
    "email": "<email>",
    "displayName": "",
    "idToken": "<provider-id-token>", // Use this as the auth token in database requests
    "registered": true,
    "refreshToken": "<refresh-token>",
    "expiresIn": "3600"
}

Login

Method: POST

URL: https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyPassword?key=<my-firebase-api-key>

Payload:

{
    email: "<email>",
    password: "<password>",
    returnSecureToken: true
}

Response: 

{
    "kind": "identitytoolkit#VerifyPasswordResponse",
    "localId": "<firebase-user-id>", // Use this to uniquely identify users
    "email": "<email>",
    "displayName": "",
    "idToken": "<provider-id-token>", // Use this as the auth token in database requests
    "registered": true,
    "refreshToken": "<refresh-token>",
    "expiresIn": "3600"
}

Get Account Info

Method: POST

URL: https://www.googleapis.com/identitytoolkit/v3/relyingparty/getAccountInfo?key=<my-firebase-api-key>

Payload:

{
    idToken: "<provider-id-token>"
}

Response: 

{
    "kind": "identitytoolkit#GetAccountInfoResponse",
    "users": [
    {
        "localId": "<firebase-user-id>",
        "email": "<email>",
        "emailVerified": false,
        "providerUserInfo": [
        {
            "providerId": "<password>",
            "federatedId": "<email>",
            "email": "<email>",
            "rawId": "<email>"
        }],
        "passwordHash": "<hash>",
        "passwordUpdatedAt": 1.465327109E12,
        "validSince": "1465327108",
        "createdAt": "1465327108000"
    }]
}

Firebase 2

These requests return JSON data described in the Firebase docs. https://www.firebase.com/docs/web/guide/login/password.html#section-logging-in

Login

You can authenticate by sending a GET request with the following format:

https://auth.firebase.com/v2/<db_name>/auth/password?&email=<email>&password=<password>

Registration

User creation can also be performed by sending the same GET request with _method=POST as part of the query string

https://auth.firebase.com/v2/<db_name>/users?&email=<email>&password=<password>&_method=POST
4
votes

From Firebase Guide Authenticate with Firebase on Websites Using a Custom Authentication System (Please see https://firebase.google.com/docs/auth/web/custom-auth)

You can integrate Firebase Authentication with a custom authentication system by modifying your authentication server to produce custom signed tokens when a user successfully signs in. Your app receives this token and uses it to authenticate with Firebase.

Here's the key idea:

1) Add Firebase to your Web Project and use Firebase REST JavaScript SDK for Authentication, and access Storage / Realtime Database with Firebase.

  // TODO: Replace with your project's customized code snippet
  <script src="https://www.gstatic.com/firebasejs/3.0.2/firebase.js"></script>
  <script>
    // Initialize Firebase
    var config = {
      apiKey: '<your-api-key>',
      authDomain: '<your-auth-domain>',
      databaseURL: '<your-database-url>',
      storageBucket: '<your-storage-bucket>'
    };
    firebase.initializeApp(config);
  </script>

2) You app users sign in to your authentication server using their username and password. Your server checks the credentials and returns a custom token if they are valid.

3) After you receive the custom token from your authentication server, pass it to signInWithCustomToken to sign in the user

firebase.auth().signInWithCustomToken(token).catch(function(error) {
  // Handle Errors here.
  var errorCode = error.code;
  var errorMessage = error.message;
  // ...
});
2
votes

If you try through REST API than you have to do all operation in your Apllication .

Just grab the json data and checked your authenticate or not .

use retrofit Get method and just grab all data from your firebase app.

this is my post Rerofit + Firebase which i was posted for the beginner to understand connection of firebase and Retrofit.

OR

Please go through this links it gonna help you .....................

REST auth

User Authnitication

Example

enjoy coding.......

1
votes

You need the return of a Token once you authenticate with your Email & Password, according to the documentation you can return the token of a user with getToken(opt_forceRefresh), is available at the following URL.

https://firebase.google.com/docs/reference/js/firebase.User#getToken

0
votes

I believe you can do one of the following:

  • Connect your web app to Firebase, your REST API will handle the authentication by receiving the user credentials, then authenticating with the Firebase through the web APIs Password Authentication

  • Use the Firebase server SDK to generate custom authentication tokens, the token will be a JSON Web Token (JWT).

There are also projects on GitHub for generating Firebase tokens: