在客户端级别(非最终用户级别)保护 Firebase REST API
[英]Secure Firebase REST APIs at a client level (not end user level)
问题描述
I am trying to create a REST API (via Firebase cloud functions ) and release it to my clients to allow them creating their mobile apps.
我正在尝试创建一个 REST API (通过Firebase 云功能)并将其发布给我的客户,以允许他们创建他们的移动应用程序。 The mobile apps they will be creating are used by public users.他们将创建的移动应用程序由公共用户使用。 However, users are not supposed to deal with our APIs and thus authentication.但是,用户不应该处理我们的 API 和身份验证。 So I don't need end user authentication.所以我不需要最终用户身份验证。 It's up to our clients (app makers) to use a "client id" and an "api key" .我们的客户(应用程序制造商)可以使用“客户端 ID”和“API 密钥” 。 Based on what I have researched, Firebase Admin SDK might not be a good solution for this end since we're concerned about client level authentication.根据我的研究, Firebase Admin SDK可能不是一个好的解决方案,因为我们担心客户端级别的身份验证。
I am looking for a standard solution to generate api-keys for the 3rd party clients.我正在寻找一种标准解决方案来为第 3 方客户端生成 api 密钥。 This key generation is not a manual process but rather a service that clients will use to obtain a key.此密钥生成不是手动过程,而是客户端用于获取密钥的服务。 Something like google map api for 3rd party developers.像谷歌 map api 这样的第三方开发人员。 We want to keep track of whitelisted clients without needing their app users to deal with authentication.我们希望跟踪列入白名单的客户,而不需要他们的应用用户处理身份验证。
I'd appreciate suggestions and guidelines to find the best solution for our REST APIs.我很感激为我们的 REST API 找到最佳解决方案的建议和指南。
1 个解决方案
解决方案1
1 2021-06-01 20:27:53
The first solution that comes to my mind is thew new Firebas App Check .我想到的第一个解决方案是新的Firebas App Check 。 It would restrict any access beside the Apps and Web pages you have whitelisted for your project.它将限制您为项目列入白名单的应用程序和 Web 页面旁边的任何访问。 I don't know if that is possible in your usecase (how the cooperation with the other apps look like) but I would deffinitely try this first.我不知道这在您的用例中是否可行(与其他应用程序的合作情况如何),但我肯定会先尝试一下。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.