REST API authentication using Firebase Admin SDK


Question

I have a REST API and the authentication is done using JWT tokens. To make my API more secure (users and authentication mechanism) I would like to use Firebase authentication. I would like to know whether we can use Firebase as an authentication server for my REST APIs.

My understanding is that the client app will send the username and password to the Firebase server and they will provide a token. Using that token the client app will send an API call to our server. I need to integrate the Firebase Admin SDK in my server and validate the token using the Admin SDK to get the data from my database.

Please correct me where I am wrong.

Also, I have a concern about how to manage refresh tokens to keep my app logged in.

Please help me to integrate this in the right way; I am using nodejs/expressjs to create the APIs.

Recommended answer

"Can we use Firebase as an authentication server for my REST APIs?"

Yes, it's one of the services they provide: https://firebase.google.com/products/auth/

"My understanding is that the client app will send the username and password to the Firebase server and they will provide a token."

Correct. The usual Firebase auth is done entirely client side.

But if there is a specific auth mechanism you need such as LDAP/AD or some other form of enterprise shenanigans, then you would need to create your own tokens that the client will use to authenticate: https://firebase.google.com/docs/auth/admin/create-custom-tokens

"Using that token the client app will send an API call to our server."

Correct. Once the client has successfully logged in and retrieved their ID token, you on the server side need to verify the ID token via middleware: https://firebase.google.com/docs/auth/admin/verify-id-tokens

"Also, I have a concern about how to manage refresh tokens to keep my app logged in."

You need not worry about that so long as the client uses the appropriate method to retrieve the ID token. For example, on the Web side the client would call https://firebase.google.com/docs/reference/js/firebase.User#getIdToken which states (emphasis mine):

"Returns the current token if it has not expired; otherwise, it will refresh the token and return a new one."

As you can see, the client side Firebase SDK handles everything for you. There is no need for you on the server side to keep track of ID tokens, refresh tokens, or anything really. All you need to do is verify the token, that's it.

Please see my previous answer for more details on server side verification: Firebase authentication using NodeJS
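The server side verification the answer describes, as an added example that is not part of the original answer or of Firebase's own code: an Express-style middleware that pulls the ID token out of an `Authorization: Bearer <token>` header, hands it to a verifier, and only then attaches the decoded claims to the request. The verifier is injected so that the wiring to the real SDK (`admin.auth().verifyIdToken(token, checkRevoked)`, shown in the comment) stays explicit and the middleware can be exercised offline against a constructed stand-in. The option name `requireVerifiedEmail`, the helper names, and the demo token strings are assumptions made for this example; `email_verified`, `uid` and `email` are standard claims of a decoded Firebase ID token.

```javascript
// Added example, not from the original answer. Wiring in a real Express server
// (firebase-admin is not required here so the file runs stand-alone):
//
//   const admin = require('firebase-admin');
//   admin.initializeApp(); // credentials from GOOGLE_APPLICATION_CREDENTIALS
//   const requireFirebaseUser = createFirebaseAuthMiddleware(
//     (token) => admin.auth().verifyIdToken(token, /* checkRevoked */ true),
//     { requireVerifiedEmail: true }
//   );
//   app.get('/api/profile', requireFirebaseUser, (req, res) => res.json({ uid: req.user.uid }));

// Extract the token from the Authorization header. Returns null unless the header
// is exactly one "Bearer <token>" value (case-insensitive scheme, no extra parts).
function extractBearerToken(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const parts = headerValue.trim().split(/\s+/);
  if (parts.length !== 2 || parts[0].toLowerCase() !== 'bearer') return null;
  return parts[1];
}

// verifyIdToken: async (token) => decoded claims; must throw for an invalid,
// expired or revoked token, which is what the Admin SDK does.
// requireVerifiedEmail (assumed option name): also reject unverified accounts.
function createFirebaseAuthMiddleware(verifyIdToken, options = {}) {
  const { requireVerifiedEmail = false } = options;
  return async function requireFirebaseUser(req, res, next) {
    const token = extractBearerToken(req.headers && req.headers.authorization);
    if (!token) {
      res.status(401).json({ error: 'missing bearer token' });
      return;
    }
    let claims;
    try {
      claims = await verifyIdToken(token);
    } catch (err) {
      // Log err server side if desired; never echo SDK error details to the client.
      res.status(401).json({ error: 'invalid or expired token' });
      return;
    }
    if (requireVerifiedEmail && claims.email_verified !== true) {
      res.status(403).json({ error: 'email not verified' });
      return;
    }
    // The server keeps no token state: the claims live only for this request.
    req.user = { uid: claims.uid, email: claims.email, claims };
    next();
  };
}

// Fake res object recording what the middleware sends (local exercise only).
function makeFakeResponse() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (payload) => { res.body = payload; return res; };
  return res;
}

// Run the middleware against a constructed request and report the outcome.
async function runMiddleware(middleware, authorizationHeader) {
  const headers = authorizationHeader === undefined ? {} : { authorization: authorizationHeader };
  const req = { headers };
  const res = makeFakeResponse();
  let nextCalled = false;
  await middleware(req, res, () => { nextCalled = true; });
  return { status: res.statusCode, body: res.body, user: req.user, nextCalled };
}

// Constructed stand-in for admin.auth().verifyIdToken(): knows two demo tokens
// and throws for anything else, mirroring the SDK's behaviour on bad input.
async function fakeVerifyIdToken(token) {
  if (token === 'valid.demo.token') {
    return { uid: 'user_123', email: 'alice@example.com', email_verified: true };
  }
  if (token === 'unverified.demo.token') {
    return { uid: 'user_456', email: 'bob@example.com', email_verified: false };
  }
  throw new Error('Firebase ID token has invalid signature');
}

const demoMiddleware = createFirebaseAuthMiddleware(fakeVerifyIdToken, { requireVerifiedEmail: true });

// Stand-alone demonstration of the four outcomes.
async function demo() {
  for (const header of [undefined, 'Basic abc', 'Bearer garbage', 'Bearer unverified.demo.token', 'Bearer valid.demo.token']) {
    const result = await runMiddleware(demoMiddleware, header);
    console.log(JSON.stringify(header), '->', result.status, result.nextCalled ? result.user.uid : result.body.error);
  }
}
demo().catch((e) => { console.error(e); });
```

Note that nothing about the token is stored: every request is verified afresh, which is exactly why the server needs no refresh-token bookkeeping. Passing `checkRevoked` as `true` makes the SDK consult Firebase for revoked sessions at the cost of a network round trip per request, so use it on sensitive routes rather than everywhere.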
