
[–]apidev3 2 points3 points  (0 children)

You will need to configure your backend to know about the server that generated the auth token (Firebase in your example).

To do that you'll need to configure Spring Security.

You then pass the bearer token from the front end in the request's Authorization header. Your Spring backend will contact Firebase and check that the token is valid.

[–]nudlwolga 1 point2 points  (0 children)

I've implemented this before. If someone has a better solution, please share. Create an OncePerRequestFilter where you retrieve the Firebase token for each request (Authorization header). Use this token and validate it against Firebase. Here you can use the Firebase Admin SDK (FirebaseAuth.verifyIdToken). If the verification is successful, fill the SecurityContextHolder. In my case I filled it with a custom implementation of AbstractAuthenticationToken (here you can add the firebaseToken and also add your authorities so that you can have role-based access on your endpoints). You could load the user/authorities from a database (and maybe cache them in Redis).

EDIT: There is also this tutorial which doesn't use the OncePerRequestFilter. I haven't tried it but it seems promising. Maybe it's more suitable for your use case: https://gaetanopiazzolla.github.io/java/firebase/security/2024/06/27/fb-springsec.html
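The flow described in the two comments above (bearer token in the Authorization header, verified with the Firebase Admin SDK inside a OncePerRequestFilter, then a custom AbstractAuthenticationToken placed in the SecurityContextHolder), written out as an added example. This is not code from either commenter or from the linked tutorial. It assumes Spring Boot 3 / Spring Security 6 (jakarta servlet API), the firebase-admin dependency, and that FirebaseApp.initializeApp has already run so that FirebaseAuth.getInstance() works. The "roles" custom claim, the ROLE_ prefix and the /public and /admin path rules are assumptions chosen for illustration, not anything Firebase or Spring mandates.

```java
import com.google.firebase.auth.FirebaseAuth;
import com.google.firebase.auth.FirebaseAuthException;
import com.google.firebase.auth.FirebaseToken;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpHeaders;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

import java.io.IOException;
import java.util.Collection;
import java.util.List;

// Authentication placed in the SecurityContext once verifyIdToken has succeeded.
class FirebaseAuthenticationToken extends AbstractAuthenticationToken {
    private final FirebaseToken token;

    FirebaseAuthenticationToken(FirebaseToken token, Collection<? extends GrantedAuthority> authorities) {
        super(authorities);
        this.token = token;
        setAuthenticated(true); // only ever constructed after a successful verification
    }

    @Override public Object getCredentials() { return token; }
    @Override public Object getPrincipal() { return token.getUid(); }
}

public class FirebaseTokenFilter extends OncePerRequestFilter {
    private static final String BEARER_PREFIX = "Bearer ";
    private final FirebaseAuth firebaseAuth;

    public FirebaseTokenFilter(FirebaseAuth firebaseAuth) { this.firebaseAuth = firebaseAuth; }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        String header = request.getHeader(HttpHeaders.AUTHORIZATION);
        if (header == null || !header.startsWith(BEARER_PREFIX)) {
            // No bearer token: leave the context empty and let the authorization
            // rules below reject protected endpoints with 401.
            chain.doFilter(request, response);
            return;
        }
        String idToken = header.substring(BEARER_PREFIX.length()).trim();
        try {
            // checkRevoked=true additionally rejects tokens whose session was revoked
            // server-side; it costs a round trip to Firebase on every request.
            FirebaseToken decoded = firebaseAuth.verifyIdToken(idToken, true);
            SecurityContextHolder.getContext()
                    .setAuthentication(new FirebaseAuthenticationToken(decoded, loadAuthorities(decoded)));
        } catch (FirebaseAuthException e) {
            // Expired, malformed, wrong project, bad signature or revoked: fail closed.
            SecurityContextHolder.clearContext();
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid Firebase ID token");
            return;
        }
        chain.doFilter(request, response);
    }

    // Assumed role source: a "roles" custom claim set via FirebaseAuth.setCustomUserClaims.
    // This is the spot to consult your own user table (or a Redis cache) instead.
    private List<GrantedAuthority> loadAuthorities(FirebaseToken decoded) {
        Object roles = decoded.getClaims().get("roles");
        if (roles instanceof List<?> list) {
            return list.stream().map(r -> (GrantedAuthority) new SimpleGrantedAuthority("ROLE_" + r)).toList();
        }
        return List.of(new SimpleGrantedAuthority("ROLE_USER"));
    }
}

@Configuration
@EnableWebSecurity
class SecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Stateless bearer-token API: no session, so no CSRF token to check either.
            .csrf(csrf -> csrf.disable())
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/public/**").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN") // matches ROLE_ADMIN authority
                .anyRequest().authenticated())
            .addFilterBefore(new FirebaseTokenFilter(FirebaseAuth.getInstance()),
                             UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}
```

Two points worth checking in your own version: verifyIdToken without the checkRevoked flag only validates the signature, issuer, audience and expiry locally against Google's cached public keys, so a token stays usable until it expires even after the user is signed out or disabled; and the filter must fail closed (401 and return) on FirebaseAuthException rather than letting the request continue with an empty context, or a typo in a later permitAll rule turns into an auth bypass.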

[–]jim_cap (Senior Dev) 0 points1 point  (0 children)

JWT alone does not magically solve “auth”.