How to Generate an Auth Token Using JWT for Google Firebase

Use firebase with a third party JWT token

Firebase actually has a detailed explanation on Authenticating with Firebase in JavaScript Using a Custom Authentication System which is what you are planning to do. You verify that third party token and then create a custom token using signInWithCustomToken(). Then you can signInWithCustomToken() and use features like Firebase security rules with Firebase Authentication.

Firebase & Postman | Generate JWT for Google Identity OAuth 2.0 token

Thanks to @JohnHanley. I managed to generate the token. This is not entirely within Postman (I am still relying on jwt.io to generate the jwt).

  1. After creating a service account here, add a key and download the p12 file (not json). The default secret is notasecret.

  2. convert p12 to pem and extract the public key:

    $ openssl pkcs12 -in postman-admin-private.p12 -out postman-admin-private.pem -nodes

    $ openssl rsa -in postman-admin-private.pem -outform PEM -pubout -out postman-admin-public.pem

  3. Open both pem files and copy the private and public keys into jwt.io (using RSA256 option)

  4. Make sure you use the email address of the service account in the iss field

  5. Here is the request in postman:

    curl --location --request POST 'https://oauth2.googleapis.com/token?grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion={generated jwt}'

Next would be to make it entirely within Postman. I have not tried that, but this post seems to be an option.
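Steps 3 to 5 of the answer above can be done locally with Node's built-in crypto module, so the private key stays on the machine. This is an added example, not part of the original answer; the `scope` value, the sample e-mail, the form-encoded body and the throwaway key pair are assumptions made for the demonstration.

```javascript
// Added example: build, sign and check the JWT-bearer assertion without jwt.io.
const crypto = require('crypto');

const TOKEN_URL = 'https://oauth2.googleapis.com/token';
const GRANT_TYPE = 'urn:ietf:params:oauth:grant-type:jwt-bearer';
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Build the RS256 assertion. iss is the service account e-mail (step 4 of the answer).
function buildAssertion({ email, scope, privateKeyPem, now = Math.floor(Date.now() / 1000), lifetime = 3600 }) {
  // The token endpoint accepts an assertion lifetime of at most one hour.
  if (!(lifetime > 0 && lifetime <= 3600)) throw new RangeError('lifetime must be 1..3600 s');
  const claims = { iss: email, scope, aud: TOKEN_URL, iat: now, exp: now + lifetime };
  const signingInput = `${b64url({ alg: 'RS256', typ: 'JWT' })}.${b64url(claims)}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(signingInput), privateKeyPem);
  return `${signingInput}.${sig.toString('base64url')}`;
}

// Local signature check against the public key: returns the claims, or null if the
// token is malformed, names another algorithm, or fails verification.
function verifyAssertion(jwt, publicKeyPem) {
  const parts = jwt.split('.');
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  try {
    if (JSON.parse(Buffer.from(h, 'base64url').toString()).alg !== 'RS256') return null;
    const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), publicKeyPem, Buffer.from(s, 'base64url'));
    return ok ? JSON.parse(Buffer.from(p, 'base64url').toString()) : null;
  } catch { return null; }
}

// Form-encoded POST body for the token endpoint (keeps the assertion out of the URL).
function tokenRequestBody(assertion) {
  return new URLSearchParams({ grant_type: GRANT_TYPE, assertion }).toString();
}

// Constructed throwaway key pair standing in for the two PEM files from step 2.
function demoKeys() {
  return crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
}

const demo = demoKeys();
const demoJwt = buildAssertion({
  email: 'postman-admin@example-project.iam.gserviceaccount.com', // constructed sample
  scope: 'https://www.googleapis.com/auth/cloud-platform',        // assumed scope
  privateKeyPem: demo.privateKey,
});
console.log(tokenRequestBody(demoJwt));
```

The printed string is the body to POST to `https://oauth2.googleapis.com/token` with `Content-Type: application/x-www-form-urlencoded`.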

Simple way to get a firebase auth token (development)

If you're using Postman, why not:

  1. Create a user via the Firebase Auth web console
  2. Create a request in Postman that logs in via the Firebase Auth REST API?

Something like POST to https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword?key=[API_KEY] with body:

    {
      "email": "abc@def.com",
      "password": "password",
      "returnSecureToken": true
    }

How to add custom claims in JWT/idToken obtained from google workspace login

The token in the result of the result.user.getIdTokenResult() method contains custom claims added in the authClient.functions().beforeSignInHandler handler in a GCP cloud function. I was checking result.credential.idToken, which doesn't contain any custom claims.

Another much better method to pass custom claims is to use Google Workspace SAML app integration with Google Identity Platform. This way you can pass any Google Directory attribute (built-in or custom) to Identity Platform without creating any cloud function (although this approach still supports extension via cloud functions).

SAM custom attribute mapping

Example jwt with custom claims (where you can see stackoverflowRole in sign_in_attributes provided by our SAML provider which is google workspace):

    {
      "iss": "https://securetoken.google.com/some-project-123456",
      "aud": "some-project-123456",
      "auth_time": 1657706938,
      "user_id": "someuserid",
      "sub": "someuserid",
      "iat": 1657706938,
      "exp": 1657710538,
      "email": "someuser@customdomain.com",
      "email_verified": true,
      "firebase": {
        "identities": {
          "saml.customdomain.com": [
            "someuser@customdomain.com"
          ],
          "email": [
            "someuser@customdomain.com"
          ]
        },
        "sign_in_provider": "saml.customdomain.com",
        "sign_in_attributes": {
          "firstName": "Abdul",
          "lastName": "Rauf",
          "groups": "custom-superuser",
          "stackoverflowRole": "superuser"
        }
      }
    }


Obtaining/using Firebase JWT

Firebase indeed keeps the JWT in local storage.

    JSON.parse(localStorage.getItem("firebase:session::<app-name>")).token

You can also get it from the authData, where it is available as the value of the token property.

    ref.onAuth(function(authData) { console.log(authData.token); })

But the preferred way is to do what Chris said in the comments:

    ref.getAuth().token

