Question
I have been trying to implement an OAuth 2.0 authentication process into my app. We have a backend server with a REST API, fully coded in Java and with Spring integrated. The app is registered on Firebase (I can access it through the Console) and I have successfully implemented the Google SignIn process and the Email/Password one (users get added in my userbase as displayed in the Firebase Console).

My problem here is most probably my poor understanding of the OAuth process: as I understand it, I am supposed to use FirebaseUser.getIdToken(bool) from within the app to get the JWT (JSON Web Token) that I send over (through HTTP POST) to the backend server for a user request that would require authentication (something such as sending information that our server should save in our User-Database in the row related to the UID associated with the user sending the request).
I believe this doc is the one I'm supposed to follow to achieve my goal. However, this part of the code snippets presented in the doc leaves me confused:
    FirebaseUser mUser = FirebaseAuth.getInstance().getCurrentUser();
    mUser.getIdToken(true)
        .addOnCompleteListener(new OnCompleteListener<GetTokenResult>() {
            @Override
            public void onComplete(@NonNull Task<GetTokenResult> task) {
                if (task.isSuccessful()) {
                    String idToken = task.getResult().getToken();
                    // Send token to your backend via HTTPS
                    // ...
                } else {
                    // Handle error -> task.getException();
                }
            }
        });
- The idToken I'm getting is 1232 chars long. Am I obligated to send the whole String? The structure looks like this: {alg,kid}.{iss,name,picture,aud,auth_time,user_id,sub,iat,exp,email,email_verified,firebase{...}}.XXX. There are quite a few fields that I would trim down since I won't be using them on the server-side.
- I can't seem to get the "XXX" part of my idToken right for now. I know it's related to a digital signature and that I probably need a Public Key and a Private Key (not quite sure where to get the good ones yet). How do I deal with that?
- What might the "// Send token to your backend via HTTPS" look like (a simple URL containing the String, or is there a proper way to send the JWT)?
- Is the JWT all the server needs to receive from the client for the authentication process?
- Can I send additional information with the JWT (such as what the authentication should do once it is verified)? If not, should I assume that that is done after the server replies back to the client that it is now waiting for a request from the now-authenticated user?
- I've seen people calling some URL to verify their token but I'm uncertain which URL I should use, which token I should pass in it, and what I should expect as a result. Maybe https://www.googleapis.com/oauth2/v1/userinfo?access_token=1/fFBGRNJru1FQd44AzqT3Zg or https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=XYZ123?
- What is the role of the Admin SDK in all that?
I thought I was done and that this was all I needed until I stumbled upon this other doc which brings other questions:

- Does implementation 'com.google.firebase:firebase-admin:6.3.0' only need to be in the server-side code? Apparently yes!
- Where do I plug my firebase-adminsdk.json file in all that? In the Firebase Admin SDK set up code provided by Google. FileInputStream serviceAccount = new FileInputStream("path/to/serviceAccountKey.json"); and FileInputStream refreshToken = new FileInputStream("path/to/refreshToken.json");: which JSON file do I plug in there? The one mentioned just above!
- Does my server need to have the google_services.json integrated?
- This seems to mostly be talking about using Firebase's Database. Is it doable to use my own DB (it's a MySQL hosted on GoDaddy)? Yes!
I'm so sorry if that's a lot of questions. I'm a bit new around here.
Source: https://stackoverflow.com/questions/51413567/confusion-on-how-to-use-idtoken-properly
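The server-side half of the flow the question is asking about, written as an added example for this page (it is not code from the question, from Firebase, or from the linked docs). It assumes a Spring REST controller, a hypothetical UserRepository over the poster's own MySQL database, and a service-account file path chosen for the example. The client sends the ID token unmodified in an Authorization: Bearer header; the Admin SDK, initialised with the service-account JSON (google-services.json is an Android client file and is not needed here), verifies the token's signature against Google's public keys plus its issuer, audience and expiry, so the server holds no signing key of its own. The UID the server writes under comes from the verified token, never from anything the client puts in the request body.

```java
import com.google.auth.oauth2.GoogleCredentials;
import com.google.firebase.FirebaseApp;
import com.google.firebase.FirebaseOptions;
import com.google.firebase.auth.FirebaseAuth;
import com.google.firebase.auth.FirebaseAuthException;
import com.google.firebase.auth.FirebaseToken;

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RestController;

import javax.annotation.PostConstruct;
import java.io.FileInputStream;
import java.io.IOException;
import java.util.Map;

@RestController
public class ProfileController {

    // Hypothetical DAO over the project's own MySQL database (assumption for this example).
    public interface UserRepository {
        void saveNickname(String uid, String nickname);
    }

    private final UserRepository userRepository;

    public ProfileController(UserRepository userRepository) {
        this.userRepository = userRepository;
    }

    // Initialise the Admin SDK once from the service-account JSON downloaded from
    // the Firebase console. The path is an assumption for this example.
    @PostConstruct
    public void initFirebase() throws IOException {
        if (FirebaseApp.getApps().isEmpty()) {
            try (FileInputStream serviceAccount =
                         new FileInputStream("/etc/myapp/serviceAccountKey.json")) {
                FirebaseOptions options = new FirebaseOptions.Builder()
                        .setCredentials(GoogleCredentials.fromStream(serviceAccount))
                        .build();
                FirebaseApp.initializeApp(options);
            }
        }
    }

    // Hypothetical endpoint: the client POSTs the data to save, with the
    // unmodified Firebase ID token in "Authorization: Bearer <idToken>".
    @PostMapping("/api/profile")
    public ResponseEntity<String> saveProfile(
            @RequestHeader(value = "Authorization", required = false) String authHeader,
            @RequestBody Map<String, String> body) {

        if (authHeader == null || !authHeader.startsWith("Bearer ")) {
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body("missing bearer token");
        }
        String idToken = authHeader.substring("Bearer ".length());

        FirebaseToken decoded;
        try {
            // Verifies the signature against Google's published public keys, the
            // issuer/audience for this Firebase project and the expiry time;
            // checkRevoked=true additionally asks Firebase whether the session was revoked.
            decoded = FirebaseAuth.getInstance().verifyIdToken(idToken, true);
        } catch (FirebaseAuthException e) {
            // Expired, tampered, wrong project or revoked: reject without touching the DB.
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body("invalid token");
        }

        // Identity is taken from the verified token, so a caller cannot
        // write into another user's row by naming a different UID in the body.
        String uid = decoded.getUid();
        userRepository.saveNickname(uid, body.get("nickname"));
        return ResponseEntity.ok("saved for " + uid);
    }
}
```

From the Android side, the String obtained in the onComplete callback shown in the question goes into the request header as the value "Bearer " + idToken over HTTPS; any application data (the nickname here) travels in the normal request body, separate from the token. Each request carries the token again, since the server keeps no session of its own in this design.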