Support Firebase JWT token verification

A couple of suggestions/enhancements which I believe can be beneficial.

1. Rename the Namespace column to claims, as it simply corresponds to that. It is rather confusing.
2. Currently the public key needs to be embedded into the Authorization header for Dgraph. Many modern services such as Google Firebase provide public URLs where multiple pairs are stored along with their kid to find the corresponding public key, which allows verifying the signature of the token. In its current shape that is simply not supported. This can either be done via using the Firebase SDK or by enhancing the existing code to look up claims at runtime/caching.
3. API tokens which are generated when creating a service can also, at a bare minimum, serve as an auth mechanism for simple apps.
4. Provide a recommended way for doing auth queries for hierarchical data, i.e. what would be the performance impact if on each type there is an @hasInverse relation to user, and also the cost of querying etc. This would allow new users to have a best practices guide, as a simple TODO does not encompass this.

I am using Firebase Auth as well. (Firebase UI Web to be precise)

So Authentication is working as expected, and I understand Authorization that Dgraph allows us to do via Rules.

However, I don’t understand how Dgraph will work with the JWT provided by Firebase?
getIdToken(): idTokenResult

Hi @abhijit-kar, as I was mentioning above, we can manipulate the Firebase JWT token to include custom claims which can then be used by Dgraph. The problem you will run into is the rotation of public keys from Google’s end (good security practice). Because of that dynamic nature, Dgraph currently doesn’t support it. So the option is that we are either limited to using Auth0 or any other method where we have fixed private/public keys.


Oh, I didn’t know that. :sweat_smile: Fairly new to the game!

Glad you are using Firebase as well, otherwise I wouldn’t have found out.

Also, Firebase Auth rocks, so let’s not use anything else. (Because of ease of use, Firebase UI & Free Auth!)

Thank you @harshadbhatia for your suggestions.

Hi @mrjn,

Is Firebase JWT token support on the roadmap for a near-future release?

@harshadbhatia pointed out that the dynamic nature of the Firebase JWT is the problem!

And I have pointed out why Firebase Auth is the best and deserves to be on the supported list, along with Auth0.


@harshadbhatia @abhijit-kar,

Thanks for your suggestions. We have marked this as accepted.


In the meantime, can we implement authentication via Firebase in a custom directive?

@minhaj is currently looking into adding support for Firebase Auth. We’ll keep you updated about it.

That should be possible, but we are going to add direct support also soon.


Is this within 1-2 months, or what is the timeline? Based on that I will finalise the auth provider for my project.


I second that, any rough ETA?

This would be available on master in a week and as part of the 20.11.0 official release that goes out in November.


You guys are awesome. Thanks!


Firebase auth is enabled in the master branch. See this PR. We will be updating the docs related to it very soon. Thanks.

Any update on docs for Firebase Auth?

I am trying to comprehend this:

Maybe:

//#Dgraph.Authorization
{
  "VerificationKey": "",
  "Header": "header",
  "Namespace": {
      'USER': user.email,
    },
  "jwkurl": "https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com",
  "Algo": "RS256"
}

I am so lost on this. I am trying to compare it to Auth0, but it seems you guys have it work in different ways: https://dgraph.io/docs/graphql/todo-app-tutorial/todo-auth0-jwt/

Is it possible without using Firebase Functions or another Server backend? Considering we have Firebase and DGraph already as secured Server backends…

Basic help would be greatly appreciated…


Hey @jdgamble555, first, you don’t need to provide Algo when doing authentication with JWKURL.
Second, in the Namespace you need to provide just the namespace for your claims in the JWT, e.g. “https://dgraph.io/claims” as mentioned in the todo-app-tutorial.


Hi @minhaj, thanks for the help. I don’t understand though what I specifically need to do for Firebase authentication. I have no idea where to begin, as there seem to be a lot of moving parts. I don’t even think that URL is correct… what URL would I use for Firebase?


1. You need to set up an application in the Firebase console and give your unique project id to the Audience field in the Authorization JSON. And to insert custom claims into your JWT token, you need to set up a Firebase function which does that for you.
2. The URL given above is correct.

@minhaj Okay, after messing with this for two days, I am still nowhere, although my understanding is somewhat better.

Here is what I have:

# Dgraph.Authorization {
"VerificationKey":"",
"Header":"X-Firebase-Token",
"Namespace":"",
"jwkUrl": "whatever-client-x509-url-is",
"Algo":"",
"Audience":["my-firebase-project-name"]
}

1.) I went to Firebase Console > Settings > Service accounts > Firebase Admin SDK > Generate new private key.
2.) I downloaded the file and copied the client_x509_cert_url into jwkUrl, according to GitHub.
3.) My schema:

type Todo @withSubscription @auth(
    query: { rule: """
        query($email: String!) {
            queryTodo {
                user(filter: { username: { eq: $email } }) {
                    __typename
                }
            }
        }"""}), {
    id: ID!
    value: String! @search(by: [fulltext])
    completed: Boolean! @search
    user: User!
}

type User @withSubscription {
    username: String! @id @search(by: [hash])
    name: String @search(by: [exact])
    todos: [Todo] @hasInverse(field: user)
}

You do not need to generate a function in firebase, as you can do this on the frontend with Angular / React by running some form of user.getIdToken(). This includes the userId and email by default, however there is NO namespace. The token looks something like this:

{
 "name": "Jonathan Gamble",
 "picture": "https://lh3.googleusercontent.com/a-/...",
 "iss": "https://securetoken.google.com/my-app",
 "aud": "my-project-name",
 "auth_time": 1606358478,
 "user_id": "F2isYDFZAdZPNq...",
 "sub": "F2isYDFZAdZPNq3Ql5q...",
 "iat": 1606362935,
 "exp": 1606366961,
 "email": "myemail@something.com",
 "email_verified": true,
 "firebase": {
  "identities": {
   "google.com": [
    "1028632529678233276"
   ],
   "email": [
    "myemail@something.com"
   ]
  },
  "sign_in_provider": "google.com"
 },
 "jti": "cd1dfce4-de7c-44b7-9aa1-730sa"
}

And of course I am sending “X-Firebase-Token: myToken” to the header of apollo graphql. My app uses the email as the username.

So maybe the lack of a namespace is the problem? I do not generate any results, unless I remove the query rule in my schema. Has anyone gotten firebase auth to work? Again, any help is appreciated, I am so close…