Firebase authentication untrusted java client with valid Firebase token

2
votes

I'm building a small Java client with a Angular frontend to be distributed to clients.

At the moment I have a login screen via Angular which returns a valid firebase token. Where I'm unsure is how can I use that token to authenticate the user against the Java part of the application, so the Java client can perform actions such as file uploads.

With the Admin SDK I can do something like:

public FirebaseAuth firebaseAuth() throws IOException {
    FileInputStream serviceAccount = new FileInputStream(new ClassPathResource(SERVICE_ACCOUNT_KEY).getFile());

    FirebaseOptions options = new FirebaseOptions.Builder()
            .setCredentials(GoogleCredentials.fromStream(serviceAccount))
            .setDatabaseUrl(String.format("https://%s.firebaseio.com/", DATABASE_NAME))
            .build();

    FirebaseApp.initializeApp(options);

    return FirebaseAuth.getInstance();
}

Which I can then go on the standard flow of of validating the token against Firebase and getting the user details.

Since I'm distributing both the Angular frontend and the Java client to end users, I can't use the Admin SDK.

How do I go about solving this? Is there some other type of flow I should be looking into? or can I make use of the Firebase token somehow?

1
javafirebasefirebase-authenticationfirebase-admin

1 Answers

0
votes

The Firebase Admin SDK doesn't have the ability to scope its access to a single authenticated user. It's intended for use on backend systems that you control fully. Initialized with a service account, it will have permission to do anything that service account can do. It's not intended to be distributed to end users or any entity that you don't trust with full access to your Firebase project.

When it comes to actually authenticating the end user, Firebase Authentication is only meant to be used in the client apps (Android, iOS, web, and derivative environments).