Firebase Authentication - The secure way

Implementing Firebase Authentication on your server isn't such a bad idea; in fact, it may be the preferred approach if you're building a security-sensitive system. This presentation gives an overview of that approach.

Wisdom Arerosuoghene

November 14, 2017

Transcript

  1. I have a thing for Firebase (Authentication)
     - C# library for Firebase Authentication (Open Source Project)
     - Node JS SDK for Firebase Authentication (Open Source Project)
     - Intro to Firebase for Web (Talk and Open Source Project)
     - Firebase for Beginners (CodeLab)
     - Firebase Authentication for Java SDK (in progress)
     Wisdom Arerosuoghene: Medium, Facebook, Twitter, Github @itswisdomagain

  2. Authentication should be easy. And it can be!
     - Email-password authentication
     - Federated identities authentication (Facebook, Google, Github, Twitter)
     - Phone number authentication
     - Anyone missing? Add it. No, really. Add it.

  3. For the sake of clarity...
     - Authentication is used to affirmatively verify the identity of a user.
     - Authorization is used to verify a user's right to access and/or modify a resource.

  4. Play safe! Client side or server side?
     - Client side: use SSL (HTTPS); exposes apiKey; exposes config.
     - Server side: use SSL (HTTPS); apiKey hidden; config info protected.

  5. If you expose your API key, it becomes easier for anyone to create user accounts indiscriminately. You can no longer rely on Firebase token verification for complete user authentication and authorization.

  6. All you need is the ability to call APIs. Fun fact: the Firebase client SDKs call the Firebase REST API under the hood.

  7. Now you can rest easy
     - HTTPS encrypts your communication.
     - Server-side authentication keeps your attackers moping.
     - Change your authentication stack anytime without having to ask your users to upgrade their app.
     Look at them. Come and hijack my authentication again na.
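As an added example (not code from the deck or from the speaker's own libraries), here is the server-side flow of slides 4 to 6 in Node-style JavaScript: the apiKey lives only on the server, the server calls the Firebase Auth REST endpoint (`accounts:signInWithPassword`, the documented v1 endpoint) on the client's behalf, and only session material goes back to the client. The injected transport, the sample credentials and the fake Firebase responder are assumptions so the file runs offline.

```javascript
// Added example, not code from the deck or the speaker's libraries: a server-side
// sign-in helper in the spirit of slides 4-6. The Firebase apiKey stays on the
// server, the server calls the Firebase Auth REST endpoint on the client's
// behalf, and only session material is returned to the client.
const SIGN_IN_URL =
  "https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword";

// Request shape of the documented REST endpoint: key in the query string,
// email/password in the JSON body, returnSecureToken to get an ID token back.
function buildSignInRequest(email, password, apiKey) {
  return {
    url: `${SIGN_IN_URL}?key=${encodeURIComponent(apiKey)}`,
    body: { email, password, returnSecureToken: true },
  };
}

// Map Firebase's response to what the client is allowed to see. Failures come
// back as HTTP 400 with { error: { message: "INVALID_PASSWORD" } } and similar;
// the client gets one generic failure so the upstream reason (which can reveal
// whether an account exists) never leaves the server.
function sessionFromResponse({ status, json }) {
  if (status !== 200 || !json.idToken) {
    return { ok: false, reason: "authentication failed" };
  }
  return {
    ok: true,
    idToken: json.idToken,
    refreshToken: json.refreshToken,
    expiresIn: Number(json.expiresIn),
    uid: json.localId,
  };
}

// Orchestration: `post(url, body)` is an injected transport (assumption: a thin
// fetch wrapper in production) so the logic above is testable offline.
async function signInWithPassword(email, password, { apiKey, post }) {
  const req = buildSignInRequest(email, password, apiKey);
  return sessionFromResponse(await post(req.url, req.body));
}

// Constructed stand-in for Firebase, for running this file without a network.
function fakeFirebase(url, body) {
  if (!url.startsWith(`${SIGN_IN_URL}?key=`)) return { status: 404, json: {} };
  if (body.email === "alice@example.com" && body.password === "correct horse") {
    return { status: 200, json: { idToken: "ID_TOKEN_PLACEHOLDER",
      refreshToken: "REFRESH_PLACEHOLDER", expiresIn: "3600", localId: "uid-123" } };
  }
  return { status: 400, json: { error: { message: "INVALID_PASSWORD" } } };
}
```

In production `signInWithPassword` would be called from your login route with `post` wrapping `fetch` and `apiKey` read from server-side configuration, never from client-supplied input.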