Firebase Authentication

Firebase Authentication provides backend services, easy-to-use SDKs, and ready-made UI libraries to authenticate users to your Firebase app.

The Security Firebase starter uses Spring Security OAuth 2.0 Resource Server functionality to extract the user identity from the OAuth2 Authorization header.

The Firebase JWT tokens are validated with rules presented here. The following claims are validated automatically:

  • Expiration time: Must be in the future

  • Issued-at time: Must be in the past

  • Audience: Must be the Firebase project ID

  • Issuer: Must be "<projectId> "

  • Authentication time: Must be in the past

  • Subject: Must not be empty

If you create a custom WebSecurityConfigurerAdapter, enable extracting user identity by adding .oauth2ResourceServer().jwt() configuration to the HttpSecurity object. If no custom WebSecurityConfigurerAdapter is present, nothing needs to be done because Spring Boot will add this customization by default.
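
A custom configuration of the kind described above, as an added example that is not code from the starter or its sample application. The class names and the /public/** and /api/whoami paths are hypothetical, and the code assumes the Spring Security 5.x API that still ships WebSecurityConfigurerAdapter.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical custom adapter. Once this class exists, Spring Boot no longer
// applies its default resource-server setup, so it must be requested here.
@Configuration
@EnableWebSecurity
public class FirebaseSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/public/**").permitAll()   // hypothetical open path
                .anyRequest().authenticated()            // everything else needs a valid token
                .and()
            .oauth2ResourceServer()
                .jwt();  // parse "Authorization: Bearer <token>" and validate it as a JWT
    }
}

// Hypothetical endpoint showing the identity extracted from the validated token.
@RestController
class WhoAmIController {

    @GetMapping("/api/whoami")
    Map<String, Object> whoAmI(@AuthenticationPrincipal Jwt jwt) {
        Map<String, Object> identity = new LinkedHashMap<>();
        // The subject claim has already passed the "must not be empty" check.
        identity.put("uid", jwt.getSubject());
        // Optional claim: null when the sign-in method supplied no e-mail address.
        identity.put("email", jwt.getClaimAsString("email"));
        identity.put("expiresAt", String.valueOf(jwt.getExpiresAt()));
        return identity;
    }
}
```

If the .oauth2ResourceServer().jwt() call is left out of a custom adapter, the bearer token is never parsed and requests to the protected paths are rejected as unauthenticated.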

Starter Maven coordinates, using Spring Framework on Google Cloud BOM:


Starter Gradle coordinates:

dependencies {


The following properties are available.

Modifying the public-keys-endpoint property might be useful for testing, but the defaults should not be changed in production.
Name Description Required Default

Overrides the Google Cloud project ID specified in the Core module.


Link to Google’s public endpoint containing Firebase public keys.



A sample application is available. This sample app provides a simple login page that uses firebase-ui to fetch the JWT token.