REST service using Spring Security and Firebase Authentication

14
votes

Is there a simple way to integrate Firebase Authentication with Spring Security (for a REST service)?

From what I've read, I'll probably need to use a JWT token (obtained via Firebase), use that to authenticate the Spring service, and finally verify the token within the service via Firebase. But I can't find any (simple) documentation on using JWT with Spring Security.

I'd also like to be able to provide an /auth/login endpoint that uses Basic Auth rather than JWT so that I can obtain a JWT token via Firebase using email/password credentials. But this would mean enabling Basic Auth at one endpoint in the service and JWT Auth at all others. Not sure that's possible.

1
springrestfirebasespring-securityfirebase-authentication
did you think to use a preauthenticated filter? you "trust" to the authentication done by Firebase and then delegate the authorization to spring securityAngelo Immediata

1 Answers

1
votes

Short answer: no.

Long answer: you should create your own JWT, regardless of Firebase. When you receive a JWT from Firebase, verify its integrity. Then, issue your own based on the data in the token. Then you only need to adapt it to various OAuth providers. This way you can avoid round trips to firebase on each request.

For authenticating the user on each request (stateless auth), you add a filter with highest precedence. From the http request you are filtering, get the JWT and verify its integrity. If it's all good, set the authentication in the SecurityContextHolder.