Firebase Authentication

Firebase Authentication provides backend services, easy-to-use SDKs, and ready-made UI libraries to authenticate users to your Firebase app.

The Security Firebase starter uses Spring Security OAuth 2.0 Resource Server functionality to extract the user identity from the OAuth2 Authorization header.

Firebase JWT tokens are validated according to the rules presented here. The following claims are validated automatically:

  • Expiration time: Must be in the future

  • Issued-at time: Must be in the past

  • Audience: Must be the Firebase project ID

  • Issuer: Must be "https://securetoken.google.com/<projectId>"

  • Authentication time: Must be in the past

  • Subject: Must not be empty

If you create a custom WebSecurityConfigurerAdapter, enable extracting user identity by adding .oauth2ResourceServer().jwt() configuration to the HttpSecurity object. If no custom WebSecurityConfigurerAdapter is present, nothing needs to be done because Spring Boot will add this customization by default.
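A custom configuration of the kind described above, as an added example (not code from the starter or its sample application). The class names and the paths `/`, `/login.html` and `/api/whoami` are assumptions; the controller shows how the validated token reaches application code.

```java
import java.util.Map;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class FirebaseSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Hypothetical public paths: only the login page is open.
                .antMatchers("/", "/login.html").permitAll()
                // Deny by default: every other request needs a valid token.
                .anyRequest().authenticated()
                .and()
            // Bearer tokens carry the identity, so keep no server-side session.
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            // Without this line a custom adapter ignores the Authorization header.
            .oauth2ResourceServer()
                .jwt();
    }
}

@RestController
class WhoAmIController {

    // Hypothetical endpoint: the Jwt is injected only after the claim checks passed.
    @GetMapping("/api/whoami")
    Map<String, String> whoAmI(@AuthenticationPrincipal Jwt jwt) {
        return Map.of(
            "uid", jwt.getSubject(),                      // subject: validated as non-empty
            "issuer", String.valueOf(jwt.getIssuer()),    // securetoken.google.com/<projectId>
            "expiresAt", String.valueOf(jwt.getExpiresAt()));
    }
}
```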

Starter Maven coordinates, using Spring Cloud GCP BOM:

<dependency>
    <groupId>com.google.cloud</groupId>
    <artifactId>spring-cloud-gcp-starter-security-firebase</artifactId>
</dependency>

Starter Gradle coordinates:

dependencies {
    implementation("com.google.cloud:spring-cloud-gcp-starter-security-firebase")
}

Configuration

The following properties are available.

Modifying the public-keys-endpoint property might be useful for testing, but the defaults should not be changed in production.

| Name | Description | Required | Default |
| --- | --- | --- | --- |
| spring.cloud.gcp.security.firebase.project-id | Overrides the GCP project ID specified in the Core module. | false | |
| spring.cloud.gcp.security.firebase.public-keys-endpoint | Link to Google’s public endpoint containing Firebase public keys. | true | https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com |

Sample

A sample application is available. This sample app provides a simple login page using firebase-ui to fetch the JWT token.