Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Firebase Authentication - The secure way

Firebase Authentication - The secure way

Implementing firebase authentication in your server isn't such a bad idea; actually it may be a preferred approach if you're building a security-sensitive system. An overview of this approach is provided in this presentation.

Df655051d724417a7c34091b6007e7ae?s=128

Wisdom Arerosuoghene

November 14, 2017
Tweet

Transcript

  1. Firebase Authentication - The secure way Wisdom Arerosughene, Wide Stack

    Developer
  2. I have a thing for Firebase (Authentication) ➔ C# library

    for Firebase Authentication (Open Source Project) ➔ Node JS SDK for Firebase Authentication (Open Source Project) ➔ Intro to Firebase for Web (Talk and Open Source Project) ➔ Firebase for Beginners (CodeLab) ➔ Firebase Authentication for Java SDK (in progress) Wisdom Arerosuoghene Medium, Facebook, Twitter, Github @itswisdomagain
  3. Authentication should be easy And it can be! • Email-password

    authentication • Federated identities authentication (Facebook, Google, Github, Twitter) • Phone number authentication • Anyone missing? Add it. No, really. Add it.
  4. For the sake of clarity... Authentication is used to affirmatively

    verify the identity of a user Authorization is used to verify a user’s right to access and/or modify a resource
  5. Play safe! Client side or server side? • Use SSL

    (Https) • Exposes apiKey • Exposes config • Use SSL (Https) • apiKey hidden • Config info protected
  6. If you expose your api key, it becomes easier for

    anyone to create user accounts indiscriminately. You can no longer rely on Firebase token verification for complete user authentication and authorization.
  7. Move to the Server

  8. All you need is the ability to call APIs. Fun

    fact The Firebase client SDKs call the Firebase REST API under the hood
  9. Welcome to Firebase REST https://firebase.google.com/docs/reference/rest/auth/

  10. Now you can rest easy - HTTPS encrypts your communication

    - Server-side authentication keeps your attackers moping - Change authentication stack anytime without having to ask your users to upgrade their app Look at them Come and hijack my authentication again na.
  11. That’s all from me I’m out. - itswisdomagain.github.io