How should I create a new Federated Identity Provider for Firebase Authentication


Question

I would like to integrate PayPal signin into an android app so to authenticate the client to the Firebase Database. I've managed to create a custom function on the node.js server that creates tokens from the provided uid, in order to use the "signInWithCustomToken" function in the client application. Should I send the uid to the nodejs server through https in order to get the token? Is there a better way?

Accepted answer

Don't create an HTTP endpoint that accepts a uid and returns a custom token. This is a huge security vulnerability as any attacker would be able to impersonate any user knowing their uid. What you need to do is the following:

  1. Implement a PayPal OAuth code flow. You can use third party libraries for that.
  2. When you get the PayPal OAuth authorization code, you send it to your backend, which uses the PayPal client ID and secret to exchange it for a PayPal refresh token and access token. You can then get the user info associated with that PayPal user, including their PayPal uid. You would then mint a Firebase custom token using the Firebase Admin SDKs and return it to the client.
  3. On the client you would call signInWithCustomToken to complete sign in with that custom token.

In this case you are exposing an HTTP endpoint that takes an authorization code and returns a Firebase custom token.

This is the basic idea (details excluded). Of course you still have to ensure the flow starts and ends on the same device by passing some state and then check that you get it back in the end. You also have to ensure the auth code is returned to the correct app using something like app links, etc. Firebase Dynamic Links can be helpful there.
