
REST api authentication using firebase admin sdk

I have a REST api and the authentication is done using jwt tokens. To make my api more secure (users and authentication mechanism) I would like to use firebase authentication. I would like to know: can we use firebase as an authentication server for my REST APIs?

My understanding is that the client app will send the username and password to the firebase server and they will provide a token. Using that token the client app will send an api call to our server. I need to integrate the firebase admin SDK in my server and validate the token using the admin SDK to get the data from my database.

Please correct me where I am wrong.

Also, I have a concern about how to manage refresh tokens to keep my app logged in.

Please help me to integrate this in the right way; I am using nodejs/expressjs to create the APIs.

can we use firebase as an authentication server for my REST APIs?

Yes, it's one of the services they provide: https://firebase.google.com/products/auth/

My understanding is that the client app will send the username and password to the firebase server and they will provide a token.

Correct. The usual Firebase auth is done entirely client side.

But if there is a specific auth mechanism you need such as LDAP/AD or some other form of enterprise shenanigans, then you would need to create your own tokens that the client will use to authenticate: https://firebase.google.com/docs/auth/admin/create-custom-tokens

Using that token the client app will send an api call to our server.

Correct. Once the client has successfully logged in and retrieved their ID token, you on the server side need to verify the ID token: https://firebase.google.com/docs/auth/admin/verify-id-tokens via middleware.

Also, I have a concern about how to manage refresh tokens to keep my app logged in.

You need not worry about that so long as the client uses the appropriate method to retrieve the ID token. For example, on the Web side the client would call: https://firebase.google.com/docs/reference/js/firebase.User#getIdToken which states (emphasis mine):

Returns the current token if it has not expired, otherwise this will refresh the token and return a new one.

As you can see, the client side Firebase SDK handles everything for you. There is no need for you on the server side to keep track of ID tokens, refresh tokens, or anything really. All you need to do is verify the token, that's it.

Please see my previous answer for more details on server side verification: Firebase authentication using NodeJS
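The server-side step the answer describes, verifying the ID token in middleware, as an added example that is not part of the original question or answer. The middleware reads the token from an `Authorization: Bearer <token>` header, hands it to a verifier with the same shape as the Admin SDK's `admin.auth().verifyIdToken(idToken, checkRevoked)`, and attaches the decoded `uid` to the request on success. The verifier is injected so the example runs offline: `fakeVerifyIdToken`, `runMiddleware`, the token string `valid-token-for-alice` and the `/api` mount point are constructed here and are not Firebase or Express APIs; in a real server you would pass `admin.auth().verifyIdToken.bind(admin.auth())` from the `firebase-admin` package.

```javascript
'use strict';

// Pull the bearer token out of an Authorization header value, or return null.
function extractBearerToken(authorizationHeader) {
  if (typeof authorizationHeader !== 'string') return null;
  const match = /^Bearer\s+(\S+)$/i.exec(authorizationHeader.trim());
  return match ? match[1] : null;
}

// Build Express-style middleware around any
// verifyIdToken(idToken, checkRevoked) -> Promise<decodedToken> function.
// With firebase-admin this is admin.auth().verifyIdToken; passing checkRevoked
// costs an extra lookup per request but catches tokens revoked before expiry.
function makeFirebaseAuthMiddleware(verifyIdToken, { checkRevoked = false } = {}) {
  return async function firebaseAuth(req, res, next) {
    const idToken = extractBearerToken(req.headers && req.headers.authorization);
    if (!idToken) {
      return res.status(401).json({ error: 'missing bearer token' });
    }
    try {
      const decoded = await verifyIdToken(idToken, checkRevoked);
      // Identity comes only from the verified token, never from request fields.
      req.user = { uid: decoded.uid, email: decoded.email };
      return next();
    } catch (err) {
      // Expired, malformed, wrong-project and revoked tokens all land here;
      // the client is expected to call getIdToken() again and retry.
      return res.status(401).json({ error: 'invalid or expired token' });
    }
  };
}

// Constructed stand-in for admin.auth().verifyIdToken, used only so this example
// runs offline: it accepts one known token value and rejects everything else.
async function fakeVerifyIdToken(idToken) {
  if (idToken === 'valid-token-for-alice') {
    return { uid: 'alice-uid', email: 'alice@example.com' };
  }
  throw new Error('auth/argument-error');
}

// Minimal req/res/next stand-ins so the middleware can be driven without Express.
// Returns what the middleware decided: the HTTP status sent, or that next() ran.
async function runMiddleware(middleware, headers) {
  const result = { status: null, body: null, nextCalled: false, user: null };
  const req = { headers };
  const res = {
    status(code) { result.status = code; return this; },
    json(body) { result.body = body; return this; },
  };
  await middleware(req, res, () => { result.nextCalled = true; result.user = req.user; });
  return result;
}

// Wiring in a real Express app (assumed, not executed here):
//   const admin = require('firebase-admin');
//   admin.initializeApp({ credential: admin.credential.applicationDefault() });
//   app.use('/api', makeFirebaseAuthMiddleware(admin.auth().verifyIdToken.bind(admin.auth())));
//   app.get('/api/me', (req, res) => res.json({ uid: req.user.uid }));
```

Note that nothing in the middleware stores or refreshes tokens: every request carries a fresh ID token obtained by the client SDK, and the server's only job is to verify it and reject anything that fails.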

Notice: the technical posts on this site follow the CC BY-SA 4.0 license; if you need to repost, please credit this site's URL or the original address. For any questions contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM