Support Firebase JWT token verification

A couple of suggestions/enhancements which I believe can be beneficial.

  1. Rename Namespace column to claims as it simply corresponds to that. It is rather confusing.
  2. Currently the public key needs to be embedded into the Authorization header for Dgraph. Many modern services such as Google Firebase provide public URLs where multiple pairs are stored along with their kid to find the corresponding public key, which allows verifying the signature of the token. In its current shape that is simply not supported. This can be done either by using the Firebase SDK or by enhancing existing code to look up claims at runtime/caching.
  3. API tokens which are generated when creating a service can also, at bare minimum, serve as an auth mechanism for simple apps.
  4. Provide a recommended way of doing Auth queries for hierarchical data, i.e. what would be the performance impact if on each type there is a @hasInverse relation to user? Also the cost of querying etc. This would allow new users to have a best-practices guide, as a simple TODO does not encompass this.
2 Likes

I am using Firebase Auth as well. (Firebase UI Web to be precise)

So Authentication is working as expected, and I understand Authorization that Dgraph allows us to do via Rules.

However I don’t understand how Dgraph will work with JWT provided by Firebase?
getIdToken(): idTokenResult

Hi @abhijit-kar, as I was mentioning above, we can manipulate the Firebase JWT token to include custom claims which can then be used by Dgraph. The problem you will run into is the rotation of public keys on Google's end (good security practice). Because of that dynamic nature, Dgraph currently doesn't support it. So the option is that we are limited to using either Auth0 or any other method where we have fixed private/public keys.

1 Like
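The `kid` lookup with caching that the two posts above ask for, as an added example (not Dgraph or Firebase code). `KidKeyCache`, `fetchJwks`, `minRefetchMs` and `now` are hypothetical names, and the key document is assumed to be in standard JWKS form.

```javascript
const crypto = require('node:crypto');

// Caches provider verification keys by "kid". fetchJwks is a hypothetical
// injected function returning the JWKS object ({ keys: [...] }); it is
// synchronous so the example runs offline (production: an HTTPS GET).
class KidKeyCache {
  constructor(fetchJwks, { minRefetchMs = 60000, now = Date.now } = {}) {
    Object.assign(this, { fetchJwks, minRefetchMs, now });
    this.keys = new Map();
    this.lastFetch = -Infinity;
  }

  refresh() {
    // Throttle: tokens carrying random kids must not cause a fetch per request.
    if (this.now() - this.lastFetch < this.minRefetchMs) return;
    this.lastFetch = this.now();
    const rsaKeys = this.fetchJwks().keys.filter((k) => k.kty === 'RSA');
    // Replace the set wholesale so keys the provider retired stop verifying.
    this.keys = new Map(rsaKeys.map((k) =>
      [k.kid, crypto.createPublicKey({ key: k, format: 'jwk' })]));
  }

  // Returns the claims of a correctly signed RS256 token, otherwise throws.
  verify(token) {
    const parts = String(token).split('.');
    if (parts.length !== 3) throw new Error('malformed token');
    const [h, p, s] = parts;
    const header = JSON.parse(Buffer.from(h, 'base64url').toString());
    // Pin the algorithm; the token header must not be allowed to choose it.
    if (header.alg !== 'RS256') throw new Error('unexpected alg');
    // Unknown kid: the provider may have rotated keys, so refetch (throttled).
    if (!this.keys.has(header.kid)) this.refresh();
    const key = this.keys.get(header.kid);
    if (!key) throw new Error('no key for kid');
    const sig = Buffer.from(s, 'base64url');
    if (!crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), key, sig)) {
      throw new Error('bad signature');
    }
    return JSON.parse(Buffer.from(p, 'base64url').toString());
  }
}
```

A valid signature is only the first check: production code must also validate `exp`, `aud` and `iss`, and expire the cache on the key endpoint's cache lifetime rather than only on an unknown `kid`.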

Oh, I didn’t know that. :sweat_smile: Fairly new to the game!

Glad you are using Firebase as well, otherwise I wouldn’t have found out.

Also, Firebase Auth rocks, so let’s not use anything else. (Because of ease of use, Firebase UI & Free Auth!)

Thank you @harshadbhatia for your suggestions.

Hi @mrjn,

Is Firebase JWT token support on the roadmap for a near-future release?

@harshadbhatia pointed out that the dynamic nature of Firebase JWT is the problem!

& I have pointed out why Firebase Auth is the best and why it deserves to be in the supported list, along with Auth0.

P.S.

1 Like

@harshadbhatia @abhijit-kar,

Thanks for your suggestions. We have marked this as accepted.

2 Likes

In the meantime, can we implement authentication via Firebase in a custom directive?

@minhaj is currently looking into adding support for Firebase Auth. We’ll keep you updated about it.

That should be possible, but we are going to add direct support also soon.

1 Like

Is this in the next 1-2 months, or what is the timeline? According to that, I will finalise the auth provider for my project.

1 Like