
First of all, I am new to OAuth and Firebase. I googled a bit to find OAuth login for social media that are not officially supported by Firebase, e.g. LinkedIn and WeChat. But all I can find is Custom Authentication, which I don't fully understand. :(

It mentions that

This method of authentication is useful in cases where you are already managing user accounts on your server, where you have more advanced authentication needs, or for authenticating server-side workers.

Does this mean I must have my own server to authenticate?

If the answer is yes, what is the workflow like for the authentication in which a mobile app, my own server, Firebase and an OAuth authorization server (e.g. from LinkedIn) are involved?

Kyle
  • If you don't already have an authentication system in place, or know how to build one, then signing your own tokens (i.e. custom auth) is probably not what you need. – Kato Mar 21 '15 at 17:52

1 Answer

Yes, you'll need a server for authentication. There are at least two distinct API calls you need to make:

  1. Authenticate the user via OAuth with a provider. The user will then be redirected to your callback URL. You specify this URL with the provider. For LinkedIn, see this page; they refer to the callback URL as a trusted endpoint.
  2. Once the user is redirected to the callback URL, you generate your JSON Web Token (JWT) server side, following the examples given by Firebase (see this page), i.e. if you're using Ruby:
require "firebase_token_generator"

# Custom auth data for this user; "uid" is the one required field.
payload = {:uid => "1", :auth_data => "foo", :other_auth_data => "bar"}

# The secret signs the token, so this code must only ever run on your server.
generator = Firebase::FirebaseTokenGenerator.new("<YOUR_FIREBASE_SECRET>")
token = generator.create_token(payload)

Then, push this token to your user. As far as implementing this for a mobile app goes, just include this token in a JSON response to your client after they hit the callback URL. You'll likely need to use a WebView to authenticate the user with your provider, then intercept the response by overriding the method shouldInterceptRequest in your WebViewClient. Read the WebViewClient documentation for more info.

You will need your own server for actions involving your Firebase Secret. Do not store this client-side. Indeed, note what is stated on the Firebase Custom Authentication page:

Firebase JWTs should always be generated on a trusted server so that the Firebase Secret which is needed to generate them can be kept private.

For more information regarding OAuth see OAuth 2 Simplified, or the SO question On a high level, how does OAuth 2 work?

Patrick McLaren
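The end-to-end flow the answer describes (a state-protected redirect to the provider, a callback that exchanges the one-time code, server-side minting of the Firebase custom token with the secret, and the checks Firebase applies when it later sees that token), written up as an added example in Ruby. This is not code from the answer, from Firebase or from LinkedIn. The function names (start_oauth, handle_oauth_callback, mint_firebase_token, verify_firebase_token) are hypothetical, the provider's authorization URL and scope are supplied by the caller rather than hard-coded, and the code-for-profile exchange is injected as a lambda so the block runs offline. The token layout (v: 0, iat, exp, d: {uid, ...}, HS256) is the legacy Firebase custom-token format the firebase_token_generator gem produces; the gem is deliberately not required so the example runs with the Ruby standard library only.

```ruby
require "openssl"
require "base64"
require "json"
require "securerandom"
require "uri"

# Constructed secret for this example. On a real server read it from a secret
# store; it is the reason the token must be minted server-side and never
# shipped to the app.
FIREBASE_SECRET = ENV.fetch("FIREBASE_SECRET", "constructed-example-secret-do-not-use")

def b64url(bytes)
  Base64.urlsafe_encode64(bytes).delete("=")
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str + "=" * ((4 - str.length % 4) % 4))
end

# Constant-time comparison so a signature or state check does not leak how
# many leading bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Step 1 of the answer: build the provider's authorization URL and remember a
# random state in the server-side session so the callback can be tied back to
# this request. authorize_url and scope are whatever the provider documents
# (assumption: the caller supplies them).
def start_oauth(session, client_id:, redirect_uri:, authorize_url:, scope:)
  state = SecureRandom.hex(16)
  session["oauth_state"] = state
  query = URI.encode_www_form(response_type: "code", client_id: client_id,
                              redirect_uri: redirect_uri, scope: scope, state: state)
  "#{authorize_url}?#{query}"
end

# Step 2 of the answer: mint a legacy Firebase custom token, the shape
# firebase_token_generator produces: an HS256 JWT whose payload carries
# version 0, issued-at, an expiry and the custom auth data under "d".
def mint_firebase_token(uid, extra = {}, secret: FIREBASE_SECRET, now: Time.now.to_i, ttl: 3600)
  header  = { "typ" => "JWT", "alg" => "HS256" }
  payload = { "v" => 0, "iat" => now, "exp" => now + ttl, "d" => { "uid" => uid }.merge(extra) }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
  "#{signing_input}.#{b64url(OpenSSL::HMAC.digest("SHA256", secret, signing_input))}"
end

# What the Firebase side does with the token: check the signature with the
# shared secret, refuse any algorithm other than HS256 (never honour alg=none),
# and enforce exp/nbf. Returns the payload hash, or nil for anything rejected.
def verify_firebase_token(token, secret: FIREBASE_SECRET, now: Time.now.to_i)
  parts = token.to_s.split(".")
  return nil unless parts.length == 3
  header = JSON.parse(b64url_decode(parts[0]))
  return nil unless header.is_a?(Hash) && header["alg"] == "HS256"
  expected = OpenSSL::HMAC.digest("SHA256", secret, "#{parts[0]}.#{parts[1]}")
  return nil unless secure_equal?(expected, b64url_decode(parts[2]))
  payload = JSON.parse(b64url_decode(parts[1]))
  return nil unless payload.is_a?(Hash) && payload["v"] == 0
  return nil unless payload["d"].is_a?(Hash) && payload["d"]["uid"]
  return nil if payload.key?("exp") && now >= payload["exp"]
  return nil if payload.key?("nbf") && now < payload["nbf"]
  payload
rescue JSON::ParserError, ArgumentError
  nil
end

# The callback URL handler. exchange_code stands in for the provider's token and
# profile endpoints (network calls, so the example injects a lambda mapping the
# one-time code to a profile hash such as {"id" => "...", "name" => "..."}).
# Returns the JSON body the app reads out of the intercepted WebView response.
def handle_oauth_callback(params, session, exchange_code, now: Time.now.to_i)
  stored = session["oauth_state"]
  # CSRF check: the state echoed by the provider must equal the one we issued.
  unless params["state"] && stored && secure_equal?(params["state"], stored)
    return { "error" => "invalid_state" }
  end
  session.delete("oauth_state")                      # single use
  profile = exchange_code.call(params["code"])
  return { "error" => "provider_exchange_failed" } if profile.nil?
  uid = "linkedin:#{profile["id"]}"                  # namespace uids per provider
  claims = { "provider" => "linkedin", "name" => profile["name"] }
  { "token" => mint_firebase_token(uid, claims, now: now) }
end
```

Two checks here are the ones most often left out of a first implementation: the state round-trip (without it an attacker can complete the callback with their own provider account in the victim's session) and the fixed algorithm check before signature verification. Both run only on the server, which is the answer's point: the app never holds the Firebase secret, it only receives the finished token.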