what is the difference between firebase authentication and firebase admin?
As far as I know, firebase admin has authentication features and it can bypass security, unlike firebase authentication. And firebase admin is implemented in server-side while firebase authentication is mostly at the client side.
I want to know why firebase authentication should be at client side and why we should use firebase authentication instead of firebase admin for authentication feature.
Firebase Authentication is a product that allows you to write code to get your users logged into your app, and limit user access to resources in other Firebase products. SDKs are provided for a variety of platforms.
Fireabse Admin is an SDK that allows you to write code on your backend that manipulates data in Firebase and Google Cloud services (such as Realtime Database, Firestore, Cloud Storage, and Cloud Messaging). As you said, it's for backend only, and bypasses normal security measures established for client apps.
The reason why you can't use the Firebase Admin SDK in your app is because you would have to ship private credentials with your app in order for the SDK to operate. Shipping your credentials in your app is a massive security hole - don't do it. Keep them safe on your backend where malicious users can't reverse engineer your code and use your credentials.
Firebase Authentication
Firebase authentication is used in client application to identify a particular user. And it is used to limit resources on the firebase. So it is strictly on the end user area.
Firebase Admin
Firebase admin is on the other hand, it is purely for backend. You can use it to define custom logic to Firebase and you can modify Firebase services to meet your needs. The following are some usecase scenario.
1. User Management
It is not always convenient to have to visit the Firebase console in order to manage your Firebase users. The admin user management API provides programmatic access to those same users. It even allows you to do things the Firebase console cannot, such as retrieving a user's full data and changing a user's password, email address or phone number.
2. Custom Authentication
You can integrate an external user system with Firebase. For example, you may already have a pre-existing user database or you may want to integrate with a third-party identity provider that Firebase Authentication doesn’t natively support.
3. Identity Verification
Firebase Authentication is primarily used to identify users of your app in order to restrict access to other Firebase services, such as the Firebase Realtime Database and Cloud Storage. But you can also use the service to identify these users on your own server. This lets you securely perform server-side logic on behalf of users that have signed in with Firebase Authentication.
4. Custom User Claims
In some cases, you may want to implement fine-grained access control for users already signed in with one of the supported Firebase auth providers such as Email/Password, Google, Facebook, phone, etc. A combination of custom user claims and application security rules provides this capability. For example, a user signed in with Firebase Auth's Email/Password provider can have access control defined using custom claims.
For more information see at firebase doc
