Restricting Firebase security to a specific Google Apps domain?

Question

I'm currently looking to use Firebase for an internal application that can only be accessed by employees with a Google Account from our organization.

I have an understanding how I can restrict read/write access only to google logins, e.g.

{
  "rules": {
    ".read": "auth.provider === 'google'",
    ".write": "auth.provider === 'google'"
  }
}

But I can't figure out how to restrict access to a specific domain/organization within Google accounts. I know this can be done at the application level, but given the number of channels we'd use to access the database, I want to enforce the auth at the database level in addition to the application level.

Has anyone done this before? Thanks.

score 12 · Accepted Answer · answered Dec 29 '16 at 15:23

12

You can restrict access for your gmail domain with:

{
  "rules": {
    ".read": "auth.token.email.endsWith('domain.com')",
    ".write": "auth.token.email.endsWith('domain.com')"
  }
}

answered Dec 29 '16 at 15:23

halafi

1,064
2
16
26

score 1 · Answer 2 · answered Sep 27 '15 at 02:31

1

I was also looking for this feature, but it looks like this feature is not available unless you write your own Token/Custom Authentication.

In the future, Firebase states that they "think we have an even better solution." Read more...

answered Sep 27 '15 at 02:31

Garey

11
3

Restricting Firebase security to a specific Google Apps domain?

2 Answers2