24

I am looking for the Firebase to be authenticated seamlessly across multiple projects with different auth providers.

Example.

Suppose I have a website with 10 pages, with different data coming from 2 Firebase projects (project-1, project-2).

project-1 contains all the Users accounts

When I sign up/log in to the Firebase project (project-1), I am using Google/Phone/Password/Facebook. This creates the user's account if it does not exist.

Now I can see the data coming from the firebase (project-1).

Now a few of my website's pages want to access data from project-2.

How do I maintain the authentication state across the 2 projects so that project-2 will get authenticated seamlessly without prompting for signup again? Probably with the same auth token which was already created for project-1.

I read this blog post by Ian Barber, "Working with multiple Firebase projects in an Android app", which only discusses the Google and Android case.

Thanks.

nagabandaru
  • That blog is pretty much the only reference that discusses the use of multiple projects. It should be the same for other platforms using whatever APIs they use for doing custom initialization of the Firebase client SDK. – Doug Stevenson Sep 03 '17 at 20:00
  • 4
    Were you able to find a solution for this? I have exactly the same problem to handle – Kishan B Jan 27 '19 at 13:25
  • Has anyone found a solution for this? I am also stuck in a similar situation. – Adit Luhadia Apr 05 '21 at 19:11
  • 1
    The solution would be to create a server that uses 2 instances of `firebase-admin` to create/update user data in the other project when the user logs in to the 1st project – p2pdops Jun 15 '21 at 03:53
  • You are looking for an SSO (Single Sign-On) solution. You can probably design something using an "authentication service" and then share tokens between apps. I know it's a default option with Auth0: https://auth0.com/docs/sso – BorisD Jul 24 '21 at 10:08

3 Answers

2

I think you can do the following:

  • Configure an OIDC provider on project-2 that points to the Firebase Auth from project-1.
    • The issuer should be https://securetoken.google.com/<project-1-id>
    • The client id is the project-1-id
  • After you sign in on project-1, you can use the idToken from that app to log in with an OAuthProvider to the second app (project-2):

```javascript
import { OAuthProvider, signInWithCredential } from 'firebase/auth';

// 'oidc.project-1' is the provider ID configured on project-2
const provider = new OAuthProvider('oidc.project-1');
const credential = provider.credential({
  idToken: 'idTokenFromProject1',
});

// auth is the Auth instance of the project-2 app
signInWithCredential(auth, credential);
```

idTokenFromProject1 can be fetched through the getIdToken() method on the project-1 app.

Alejandro Barone
  • Does this code work on the frontend library as well? Currently I am getting an "auth/admin-restricted-operation" error but I am not sure where the issue could be. Also a small hint for others: the `oidc.project-1` can be something different if you gave your OIDC provider a different name. – dom Jan 30 '23 at 20:31
  • Yeah, it does work on the frontend library, I tried it myself. What are you doing exactly? Good eye on the hint! It is exactly as you mentioned, that value can be whatever you want – Alejandro Barone Jan 30 '23 at 23:32
  • I basically just followed your path. Do I need to add some kind of service account or so? Currently I am using the logged-in user's idToken - maybe I have to use a different idToken? Or how do you retrieve idTokenFromProject1? – dom Feb 01 '23 at 21:50
  • project-1 holds the user information and it's the one you use to log in first. After you log in on project-1, you log in to project-2 using the above code. When project-2 is logged in you can successfully use all services from that Firebase project. Is this the path you are following? Did you configure the OIDC provider on project-2? – Alejandro Barone Feb 01 '23 at 23:25
  • Yeah, the flow is as follows: the user logs into project 1 with his credentials (google, facebook etc...), then in project-2 I created an OIDC provider with issuer securetoken.google.com/projec1tId, clientId: project1ID. Then I take the idToken from the currentUser who is signed in (const token = await firebaseUser.getIdToken();) and try to log in via the new OIDC provider in project 2. Unfortunately then I get the admin-restricted message. Do I need to do something with the callback URL? Or generate the idToken differently? – dom Feb 02 '23 at 12:36
  • That's exactly how it's supposed to work. Can you log in using "email/password" to validate whether the flow works (not with google or facebook)? My tests were only with that method. Can you create another question to share the code you are using and to have better visibility? – Alejandro Barone Feb 02 '23 at 13:24
  • Wrapped it into a new question: https://stackoverflow.com/questions/75335349/singing-in-with-one-login-to-multiple-firebase-projects-respectively-cloud-fires – dom Feb 03 '23 at 11:53
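An added example (not part of the answer or its comments): a Node.js pre-flight check that decodes a project-1 ID token and compares its `iss`, `aud`, `exp` and `sub` claims with the issuer and client id entered for the OIDC provider on project-2. The project id `project-1-id`, the function names and the sample token are constructed for illustration, and the token is decoded without signature verification, so this is a configuration diagnostic only.

```javascript
// Decode the payload of a compact JWT. No signature check: diagnostic use only,
// project-2's Firebase Auth backend performs the real verification.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// providerConfig mirrors the two values configured for the OIDC provider on project-2.
function preflightOidcToken(idToken, providerConfig, nowSec = Math.floor(Date.now() / 1000)) {
  const claims = decodeJwtPayload(idToken);
  const problems = [];
  if (claims.iss !== providerConfig.issuer) problems.push(`iss mismatch: ${claims.iss}`);
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(providerConfig.clientId)) problems.push(`aud mismatch: ${claims.aud}`);
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) problems.push('token expired');
  if (!claims.sub) problems.push('missing sub');
  return { ok: problems.length === 0, problems, sub: claims.sub };
}

// Build an unsigned, constructed token so the check can be run offline.
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.constructed-signature`;
}

const PROJECT_1_ID = 'project-1-id'; // placeholder for the real project id
const PROVIDER_CONFIG = {
  issuer: `https://securetoken.google.com/${PROJECT_1_ID}`,
  clientId: PROJECT_1_ID,
};
const SAMPLE_TOKEN = makeSampleToken({
  iss: `https://securetoken.google.com/${PROJECT_1_ID}`,
  aud: PROJECT_1_ID,
  sub: 'uid-123',
  exp: 2000000000,
});

console.log(preflightOidcToken(SAMPLE_TOKEN, PROVIDER_CONFIG, 1700000000));
```

Firebase ID tokens are short-lived, so an expired token is worth ruling out before looking at the provider configuration.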
1

You can use a combination of firebase-admin on a server and a custom firebase token as described here.

Essentially, you can get a user's JWT token for your first app using the methods described in this answer. Then you could make a request to your own server that would validate that your JWT token originated from your first project and could then issue you a second JWT token you can use to authenticate with the second project.

Geo
  • Can you explain the latter part? I tried using `signInWithCustomToken` from the Firebase JavaScript SDK, using the project one token to sign in with project two, but that didn't work at all ("auth/invalid-custom-token ... The custom token format is incorrect"). – Andresch Serj Oct 25 '21 at 12:14
  • Please post a new question with more information about your specific problem. I referenced using the admin SDK to generate a new JWT token for the second app, after validating the JWT token for the first on a server. Do note that you can't simply transfer JWT tokens from app to app. – Geo Oct 25 '21 at 14:15
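An added sketch of the server-side exchange this answer describes (not the answerer's code): the project-1 ID token is verified with one `firebase-admin` Auth instance, and a project-2 custom token is minted with a second one. `MAX_AUTH_AGE_SEC`, the `sourceProvider` claim, the function names and the stub objects are assumptions made for illustration; the stubs are constructed so the flow runs offline.

```javascript
const MAX_AUTH_AGE_SEC = 3600; // assumption: only accept sign-ins from the last hour

// verifier = Auth for project-1, minter = Auth for project-2 (firebase-admin Auth objects).
async function exchangeToken(verifier, minter, idToken, nowSec = Math.floor(Date.now() / 1000)) {
  // verifyIdToken checks signature, issuer, audience and expiry for project-1;
  // the second argument (checkRevoked) also rejects revoked sessions and disabled users.
  const claims = await verifier.verifyIdToken(idToken, true);
  if (nowSec - claims.auth_time > MAX_AUTH_AGE_SEC) {
    throw new Error('stale sign-in: re-authenticate on project-1');
  }
  // Mint a project-2 custom token for the same uid and record how the user signed in.
  return minter.createCustomToken(claims.uid, {
    sourceProvider: claims.firebase.sign_in_provider,
  });
}

// Wiring with the real SDK: pass in require('firebase-admin') and both service accounts.
function wireFirebaseAdmin(admin, serviceAccount1, serviceAccount2) {
  const app1 = admin.initializeApp({ credential: admin.credential.cert(serviceAccount1) }, 'project-1');
  const app2 = admin.initializeApp({ credential: admin.credential.cert(serviceAccount2) }, 'project-2');
  return (idToken) => exchangeToken(app1.auth(), app2.auth(), idToken);
}

// Constructed stand-ins for the two Auth objects so the flow can be exercised offline.
const stubVerifier = {
  async verifyIdToken(token, checkRevoked) {
    if (token !== 'constructed-project-1-id-token' || checkRevoked !== true) {
      throw new Error('invalid ID token');
    }
    return { uid: 'uid-123', auth_time: 1700000000, firebase: { sign_in_provider: 'password' } };
  },
};
const stubMinter = {
  async createCustomToken(uid, claims) {
    return `custom-token-for:${uid}:${claims.sourceProvider}`;
  },
};

exchangeToken(stubVerifier, stubMinter, 'constructed-project-1-id-token', 1700000100)
  .then((token) => console.log(token));
```

The client passes the returned string to `signInWithCustomToken` on the project-2 Auth instance; the project-1 ID token itself is never accepted there, which matches the error quoted in the comment above.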
0

This is now easily possible with OIDC configuration (see the answer by Alejandro Barone above).

Configure an OIDC provider on project-2 that points to the Firebase Auth from project-1. The issuer should be https://securetoken.google.com/<project-1-id>

Then you can follow the code below. It's a starter but definitely works:

```dart
import 'package:firebase_auth/firebase_auth.dart';
import 'package:firebase_core/firebase_core.dart';
import 'package:flutter/foundation.dart';

// Secondary Firebase app instance (must already be initialized under the name 'secondary')
FirebaseApp secondaryApp = Firebase.app('secondary');

class Auth {
  // Default Firebase Auth app instance: PROJECT 1
  final firebaseAuth = FirebaseAuth.instance;

  // Secondary Firebase Auth instance: PROJECT 2
  FirebaseAuth secondaryFirebaseAuth =
      FirebaseAuth.instanceFor(app: secondaryApp);

  signin() async {
    // Sign-in method of your choice from PROJECT 1
    await firebaseAuth.signInWithEmailAndPassword(
      email: "abc@abc.com", // registered user email
      password: "password", // registered user password
    );

    // Declare the OAuth provider for PROJECT 2,
    // using the name of the OIDC provider as set in that project
    final provider = OAuthProvider('oidc.provider');

    try {
      // Get the ID token for the signed-in user
      final userIdToken = await firebaseAuth.currentUser!.getIdToken();

      // IdTokenResult.token is the ID token string; it is reused as the accessToken below
      final idTokenResult = await firebaseAuth.currentUser!.getIdTokenResult();
      final userAccessToken = idTokenResult.token;

      // Create the OAuth credential with idToken and accessToken
      final credential = provider.credential(
        idToken: userIdToken,
        accessToken: userAccessToken,
      );

      // Sign in to the secondary app (PROJECT 2)
      await secondaryFirebaseAuth.signInWithCredential(credential);
    } catch (e) {
      if (kDebugMode) {
        print("This is error $e");
      }
    }
  }
}
```
Manish P