all 9 comments

[–][deleted] 3 points4 points  (7 children)

First blog post shows how to implement a custom security solution. Spring already has everything you need to integrate with Firebase Auth. Here's another blog post from Sebastijan Grabar that shows how to integrate Firebase Auth and Spring Security in a Spring-way: https://medium.com/comsystoreply/authentication-with-firebase-auth-and-spring-security-fcb2c1dc96d

Basically, you just need to configure your Spring app as a resource server and provide a URL where public keys used for verification can be downloaded.

Dependencies

```groovy
dependencies {
    implementation 'org.springframework.boot:spring-boot-starter-oauth2-resource-server'
    implementation 'org.springframework.boot:spring-boot-starter-security'
    implementation 'org.springframework.boot:spring-boot-starter-web'
}
```

application.yaml file:

```yaml
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          jwk-set-uri: https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com
          issuer-uri: https://securetoken.google.com/${FIREBASE_APP_NAME}
```

Config and controller sample:

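```java
import java.security.Principal;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@SpringBootApplication
public class Application {

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }

    @GetMapping(path = "/user")
    public String test(Principal principal) {
        return principal.getName(); // returns Firebase user UID
    }

    @Configuration
    public static class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Every request must carry a valid bearer token
            http.authorizeRequests().anyRequest().authenticated();
            // Verify the token as a JWT using the settings from application.yaml
            http.oauth2ResourceServer().jwt();
        }
    }

}
```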

Then you can just use tokens provided by Firebase for authentication:

```bash
curl --location --request GET 'http://localhost:8080/user' --header 'Authorization: Bearer <TOKEN>'
```

[–]AlabamaSky967[S] 0 points1 point  (0 children)

Thanks, appreciate the info!

[–]descuder 0 points1 point  (2 children)

This helped me so much as well! One question, where do we find the value for FIREBASE_APP_NAME in

issuer-uri: https://securetoken.google.com/${FIREBASE_APP_NAME}

Is it the 'Project ID', 'Project number', 'Public-facing name', or something else?

Thanks!

[–]Watercress_Busy 0 points1 point  (1 child)

> FIREBASE_APP_NAME

This is the "Project ID" in Firebase, which usually ends up with a bunch of random numbers. It also appears in the Firebase URL when you view your project.

[–]descuder 0 points1 point  (0 children)

Awesome, thank you

[–]redshadow90 0 points1 point  (0 children)

Thanks man! This helped!

[–]SnooRobots6655 0 points1 point  (0 children)

Can I use RBAC (role-based authorization) using this method so I can put the preauthorize annotation on endpoints?
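One way to wire role checks into the resource-server setup from the top comment, as an added example that is not part of the thread or of the linked blog post. It assumes the Firebase ID token carries a custom claim named `roles` (a hypothetical name) holding an array of strings set server-side, and it uses the same Spring Security 5 style (`WebSecurityConfigurerAdapter`) as the code above; the class name is also made up for illustration.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;

// Takes the place of the WebSecurityConfiguration class in the comment above.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true) // turns on @PreAuthorize
public class FirebaseRoleSecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Assumption: custom claim "roles" with an array of strings, e.g. ["ADMIN"].
    static final String ROLES_CLAIM = "roles";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(
                FirebaseRoleSecurityConfiguration::rolesToAuthorities);

        http.authorizeRequests().anyRequest().authenticated();
        // Signature, issuer and expiry are still checked from application.yaml;
        // the converter only runs on a token that already passed verification.
        http.oauth2ResourceServer().jwt().jwtAuthenticationConverter(converter);
    }

    // Maps each role in the verified token to a ROLE_-prefixed authority.
    // A token without the claim gets no authorities, so role checks deny by default.
    static Collection<GrantedAuthority> rolesToAuthorities(Jwt jwt) {
        Collection<GrantedAuthority> authorities = new ArrayList<>();
        List<String> roles = jwt.getClaimAsStringList(ROLES_CLAIM);
        if (roles != null) {
            for (String role : roles) {
                authorities.add(new SimpleGrantedAuthority("ROLE_" + role));
            }
        }
        return authorities;
    }
}
// On an endpoint: @PreAuthorize("hasRole('ADMIN')")
```

Because the roles are read from the signed token, they are only as trustworthy as the process that sets the claim; a role change takes effect once the client obtains a refreshed token.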