I am working on an application using Firebase and Node as Back-End.
My app has an admin access and I want to create temporary access to users accounts.
I also wanted to have a history of all the logins on users account with infos such as web browser, localisation etc... for security purposes.
My idea is to create a one time use temporary auth token for an user and give it to the auth function from Firebase.
But I want to stay connected as an Admin still, so I thought about an iFrame inside the main window.
I am having trouble finding infos on the web, wanted to know if you had any leads or better ideas/way to do it.
Thanks in advance,
Firebase Authentication on its own does not provide a log of user sign-in actions, but with the new, optional Firebase Authentication with Identity upgrade you get User activity and audit logging. From the feature overview:
User activity and audit logging
Monitor and log administrative access and end-user activity.
When you upgrade your project, you automatically enable admin activity audit logs in Cloud Logging. You can also enable user activity logging on the Authentication Settings page of the Firebase console.
To learn how to view and analyze your logs, see the Cloud Logging documentation.
Creating a custom token for the user you want to impersonate and then using that to sign in should work. If you want to sign in with two different users, you can create two instance of FirebaseApp, and sign in to the auth member for each user.
Related
Right now I am able to get a list of all keycloak users in javascript, but it is a list of all users regardless of online status. Is there any way to get a list of users that are online (or logged in)?
I am trying to create a drop down list with only the online users. I have the list show in the browser, but it is all the user accounts. There could be potentially thousands of user accounts and that wouldn't be useful to scroll through.
You need to search for active login sessions. This could be archieved via Keycloak admin rest API. You could use and Keycloak Admin Console as a reference implementation of Admin API client. Use developer mode in your browser to trace which endpoint should be requested.
Context:
I am currently working on an embeddable widget, something akin to Intercom or
Hotjar, and have the need to authenticate users. Thus far, I got away with
using Passwordless authentication using Firebase auth but users complain that
it's a high friction process, and they'd rather not do it at all. The ideal
authentication solution would be to let users use their Google or Facebook
account and authenticate via OAuth2.
Problem:
Firebase Auth restricts authenticating via 3rd party auth providers if the
domain the user authenticates via is not whitelisted in the authorized domains
list. So if the user puts the code in abc.com, and tries to auth via Google
firebase rejects it because abc.com is not in the whitelist. Whitelisting the
domain of every client is unorthodox. I feel like the way I'm approaching it
is wrong because I can't correctly build up a mental model of how this would
work out. Technically cookies, sessions, etc. are pointless.
Question:
How would I go about providing the ability to let users authenticate via 3rd
party auth providers? Is this even technically possible?
Potential Solutions:
Host the widget at the main app in a dynamic route (the website where the user
would get the widget's code) and render this route as an iframe in the
client's website. (ex: /widgets/{widgetID} would have the widget). I don't
want to do this really because iframes are a serious pain but this sounds like
the most feasible.
I'd like to know more/better solutions to address this particular situation.
It doesn't matter even if it's from a different cloud provider or a different
authentication service. The goal is to authenticate the user from the widget
ideally via a 3rd party auth provider like Google.
EDIT: This is the error that I currently receive:
widget.js:2 auth/unauthorized-domain This domain (xyz.com) is not authorized to run this operation. Add it to the OAuth redirect domains list in the Firebase console -> Auth section -> Sign in method tab.
Based on your use case, you need to verify the domain ownership xyz.com by following this guide
After that you need to add xyz.comto Authorized domains your, as the error message mentioned.
Add it to the OAuth redirect domains list in the Firebase console -> Auth section -> Sign in method tab.
For more information please check this guide
Is not possible enable Google Sign In by using a domain unverified or unauthorized, this is to protect the access to your sites/projects by restricting the usage of the Firebase/Google credentials only for configured domains.
There is no way to disable this setting, Google sign in uses Oauth2 as authentication framework
On my website, I have two portals for login. Portal A is login for learners. Portal B is login for teachers.
Both learners' and teachers' accounts are located in the same Firebase project, in another words, both types of accounts are located in the same authentication space. Both portals use the same simple login code:
firebase.auth().signInWithEmailAndPassword(user_email, user_password).catch(function(error) {})
Currently, the learners can login at both portals, and same for the teachers. What I am trying to do is to prevent the teachers to login at the learners' portal and vice versa. I am not sure how to implement this. I have made a setCustomUserClaim to give an identity to the two types of accounts on the authentication token. But I can only grab the auth token once the user is logged in, not before I think. Also, I have a Firestore collection that stores all the info of the users including their identity. But each user's document is named with their corresponding UID. The latter can be grabbed once they login in as well. Any idea on how to implement this?
Firebase Authentication has no built-in way to distinguish between these two types of users. It simply authenticates the credentials that a user enters, and ensure that they're correct. If certain users can only access a certain application or certain data, this is information that will have to come from you.
The above is important to realize, so I'll repeat it: Firebase Authentication allows all users to authenticate as long as they provide the right credentials. It has no way to block access to authentication based on application-specific information, such as your user-type. This type of authorization logic is part of your application, both in code and (if you use a Firebase Database) of your server-side security rules.
A common way to implement your scenario is to add the information about the types of users to a database (such as Firebase's Realtime Database, or Cloud Firestore). In this data you could for example store the email addresses of all teachers.
Now with this information, your code can then determine whether the person who signed in to the site is a teacher or not. If they're a teacher signing in to the student web site, you can redirect them, and vice versa.
We have a web app that caters to a small set of users that are guaranteed to have an account on Office 365.
To save them from remembering one more password, and to use Microsoft's infrastructure for OAuth, we decided to allow them to login using their Outlook credentials.
It is a react app, we are using the msal library and we have successfully been able to receive the accessToken from Microsoft. (Thus, authenticating the user's identity.)
What I am not confused about now is what I should do with that token:
I need to have my own User database. What information should I store in it? Should I store the access_token as well?
How do I verify the user's identity on my backend server?
Basically, what is the ideal way of managing this kind of a scenario? Wherein a third party authenticator is used (and solely) used to confirm the identity of the user and get the name, profile image and other things only.
Any references to existing workflows or an explanation of the steps involved will be highly appreciated.
I am building a admin panel for a android app in javascript and php in which i created a users table with Firebase Authentication UID so every user key is UID but in this user table i am not inserting Auth Identifier. now in my admin panel how can i retrieve Auth Identifier (Phone Number) using UID(user Key)
An alternative to storing the data in the database (as Qasim answered) is to use the Firebase Admin SDK to look up the user's profile by its UID.
The Firebase Admin SDK runs with administrative privileges, and thus can perform certain sensitive operations that the regular client-side SDKs are not allowed to do. As such, it is meant to be only run in trusted environments, such as your development machine, a server that you control, or Cloud Functions for Firebase. With these last two you could create your own API, that your admin panel then calls. Just be sure to secure the API, because otherwise you're leaking user information.
You can only get the firebase authenticated User info from the current session/user, and if you need to query for it later then you need to save it in your own datastore.
For more details, see this https://www.firebase.com/docs/web/guide/user-auth.html#section-storing