Not sure if this is the right place for this question. This is not necessarily a 100% coding problem, but it is not not a coding problem either. Anyway, here is

The Story: I want to create a shopping system. The user can use the website, the mobile application or the Google Assistant to get product information and make purchases from this shopping system. The problem I am facing is how I can associate the user across these three clients, more specifically for Google Assistant/Actions.

Things I have done: Using Firebase Auth to authenticate and log users in on the website or the mobile applications. After the user is authenticated, a Firebase access token is available for the website or mobile app to use. The website or the mobile app can send the Firebase access token to the backend server, and the backend server can verify this access token through the Firebase Admin SDK. Everything is working as expected until I want to introduce Google Actions/Assistant into play.

For Google Assistant/Actions: I followed this and this for logging the user into the Google Actions app. At this point, I am able to get the user's basic profile information if the user logged into the Google Actions app using their Google account.

The Problems:

  1. After I get the user profile (user id, email, etc.) from the Google Action login, I query the database on the backend server, and if I find a user with this id or email, then this is a valid and authenticated user, and I will allow the user to make purchases through Google Assistant. Is this approach safe and sound for identifying the user on Google Actions/Assistant?
  2. Assuming the above approach is safe and sound, what can I do if the user account was created using another email account instead of a Google account? I.e. the user initially registered either on the website or the mobile application using a non-Google email or another OAuth2 provider (Facebook, Twitter, etc.) through Firebase Auth. In this case, my backend database won't have Google account information for the user, and if the user logs onto my Google Actions app using a Google account, I will have no way to identify this user in the existing user database.
  3. Is there a way to authenticate/log the user into the Google Action app through Firebase Auth and obtain a Firebase access token on the Google Action's fulfillment backend server? If there is a way to do this, I suppose the previous problem will not exist, because I will be able to use this Firebase token to verify the user regardless of whether the user account was created using a Google account, another email account or another OAuth2 provider.
  4. If all of the above fail, is dumping Firebase Auth and creating my own OAuth2 service an option, and is it going to be the only backup plan available to me?
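The identification step from problem 1 and the linking gap from problem 2, as an added example that is not part of the question or the answer. It assumes the Google ID token has already been verified (signature, issuer, audience, expiry) before its claims reach this code, and the user records, field names (`providerIds`, `emailVerified`) and claim values are constructed for the example.

```javascript
// Added example (not from the question or answer): resolving an Assistant
// user against an existing user store by the stable Google account id first,
// and treating an email match only as a low-confidence hint that needs an
// explicit linking step. `claims` is assumed to be the payload of a Google
// ID token that has ALREADY been verified; never pass unverified claims here.

// Constructed sample user store, shaped like a backend database might be.
// providerIds maps a Firebase provider name to that provider's stable user id.
const USERS = [
  { uid: 'fb-001', email: 'alice@example.com', emailVerified: true,
    providerIds: { 'google.com': '108765432109876543210' } },
  { uid: 'fb-002', email: 'bob@example.com', emailVerified: true,
    providerIds: { 'facebook.com': '55501' } },            // registered via Facebook
  { uid: 'fb-003', email: 'Carol@Example.com', emailVerified: false,
    providerIds: { 'password': 'Carol@Example.com' } },   // email/password, never verified
];

function normalizeEmail(email) {
  // Case-fold only. Do not strip dots or "+tags": that is provider-specific
  // and would merge distinct mailboxes at some providers.
  return String(email || '').trim().toLowerCase();
}

// Returns { user, match: 'id' | 'email' | null, requiresLink }.
function resolveAssistantUser(claims, users = USERS) {
  const sub = claims.sub;
  if (typeof sub !== 'string' || sub.length === 0) {
    throw new Error('Google ID token claims must carry a sub');
  }

  // 1. Strong match: this Google account id is already linked to a user.
  const byId = users.find(u => u.providerIds['google.com'] === sub);
  if (byId) return { user: byId, match: 'id', requiresLink: false };

  // 2. Weak match: same email, but only if Google reports it verified and our
  //    own record is verified too. Even then do not grant access: return a
  //    candidate that the user must confirm (e.g. by signing in with their
  //    existing Firebase credentials) before the accounts are linked.
  if (claims.email_verified === true) {
    const email = normalizeEmail(claims.email);
    const byEmail = users.find(u => u.emailVerified && normalizeEmail(u.email) === email);
    if (byEmail) return { user: byEmail, match: 'email', requiresLink: true };
  }

  // 3. Unknown: start sign-up or the linking flow.
  return { user: null, match: null, requiresLink: true };
}

// Called once the user has proven control of the candidate account. Stores
// the Google id so later Assistant logins take the strong path above.
function linkGoogleId(user, sub) {
  const existing = user.providerIds['google.com'];
  if (existing && existing !== sub) {
    throw new Error('user is already linked to a different Google account');
  }
  return { ...user, providerIds: { ...user.providerIds, 'google.com': sub } };
}
```

The email path deliberately never returns `requiresLink: false`: an address can be recycled or changed, so a verified-email match is a reason to offer linking, not proof of identity.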

1 Answer

Some answers to your questions:

  1. If the IDs or the email match, does this identify the user?

    Well, yes and no.

    If the IDs match, then you have verified that the Google ID for the account that logged in matches the Google account you have on record. Great! This is secure and you can trust it.

    If the email matches... well... a much lower degree of confidence. While Google does do opt-in checking, this still seems like you're taking a risk. Email addresses do change over time.

  2. What if they authenticated via some other means?

    Did I summarize that question correctly?

    I guess I'm not sure how you would handle this in any other case. If they're logging into your Assistant app using a different account (not email, account) than they used for the web... they want the two to be different?

    And they can log into your Action using a different Google account than the one they used to set up their device. There are flows that encourage them to use the same one, but they don't have to, and you can fall back to those other flows if you don't have an account on record for the one they use by default.

  3. Can't I just use Firebase Auth?

    Well... no and yes.

    No, there is no way to just tell the Assistant to hand you a Firebase auth token instead of the token it wants to hand you.

    However, you can use Firebase Auth if you're willing to set up your own OAuth2 server. The link to the StackOverflow question above was just trying to work around having to set up an OAuth2 server yourself. If you set one up, you can have them log in using Firebase Sign-In, generate the token and store it against their Firebase ID, and issue that token to the Assistant client. When you get that token back, you can easily associate it back to the Firebase ID.

    BUT You need to do that work. Neither Firebase nor the Assistant will do it for you.

    (A missed opportunity for Firebase and Google Cloud, imho. But...)

    You've already seen the page for how to build a minimal OAuth2 server.

  4. Should I just dump Firebase Auth?

    There is no need to. You can use Firebase Auth in conjunction with setting up your own OAuth2 server. It is a great base for it! I, personally, use Firebase Auth and Firebase Sign-In (and Firebase Hosting and Firebase Functions) as the basis for my OAuth2 implementation.