[英]How should I create a new Federated Identity Provider for Firebase Authentication
I would like to integrate PayPal signin into an android app so to authenticate the client to the Firebase Database. 我想将PayPal登录集成到Android应用中,以便对Firebase数据库进行身份验证。 I've managed to create a custom funtion on the node.js server that creates tokens from the provided uid, in order to use "signin withcustomtoken" function in the client application. 我已经设法在node.js服务器上创建了一个自定义函数,该函数从提供的uid创建令牌,以便在客户端应用程序中使用“ signal withcustomtoken”功能。 Should I send the uid to the nodejs server through https in order to get the token? 是否应该通过https将uid发送到nodejs服务器以获得令牌? Is there a better way? 有没有更好的办法?
Don't create an HTTP endpoint that accepts a uid
and returns a custom token. 不要创建接受uid
并返回自定义令牌的HTTP端点。 This is a huge security vulnerability as any attacker would be able to impersonate any user knowing their uid
. 这是一个巨大的安全漏洞,因为任何攻击者都可以模仿任何知道其uid
用户。 What you need to do is the following: 您需要执行以下操作:
signInWithCustomToken
to complete sign in with that custom token. 在客户端上,您需要signInWithCustomToken
来完成使用该自定义令牌的登录。 In this case you are exposing an HTTP endpoint that takes an authorization code and returns a Firebase custom token. 在这种情况下,您将公开一个HTTP终结点,该终结点采用授权代码并返回Firebase自定义令牌。
This is the basic idea (details excluded). 这是基本思想(不包括细节)。 Of course you still have to ensure the flow starts and ends on the same device by passing some state and then check that you get it back in the end. 当然,您仍然必须通过传递某种状态来确保流在同一设备上开始和结束,然后检查是否最终将其取回。 You also have to ensure the auth code is returned to the correct app using something like app links, etc. Firebase Dynamic Links can be helpful there. 您还必须确保使用诸如应用程序链接等之类的东西将身份验证代码返回到正确的应用程序。Firebase动态链接在那里可能会有所帮助。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.