How can Firebase Auth users sign in to Budibase?


We are developing an internal app using Budibase that interacts with a REST API which expects a Firebase Authentication token in the Authorization header. Budibase allows us to set this header for each API call, but our problem is that there is no built-in way to sign in using Firebase Auth.

The options that we do have are Google or OpenID Connect. My question is therefore: can we use Firebase Auth as an OIDC provider? (Not as an OIDC client, as is possible with Identity Platform.)

As far as I know, the answer to the above question is no. We have therefore investigated whether we can create our own OIDC provider to bridge the gap between Firebase and Budibase using oidc-provider in Node.js. That does, however, seem like a very complicated solution, since oidc-provider appears to implement a lot of OIDC features that we don't need.

Is there a simpler way (without affecting security, of course) to create a provider if we reduce the number of features available? For example, we only need to support a single client (which can be hard-coded / set by environment variables).


There are 2 best solutions below

1

Yes, you can use Firebase Auth as an OIDC provider.

Here are the simple steps:

  1. Enable Identity Platform in the Firebase Console

In the Firebase Console, select your project, navigate to "Authentication" and then "Sign-in method", and enable the "Identity Platform" option.

  2. Set up the OIDC configuration

In the Firebase Console, select your project, navigate to "Authentication", then "Sign-in method" and "Authorized domains". Under the "Sign-in providers" section, enable "Google" as a sign-in method.

  3. Obtain ID tokens

When a user signs in using Firebase Authentication, you can obtain the ID token from Firebase. The ID token can be included in the Authorization header of your REST API requests.

Read this doc

0

You can try creating a custom OIDC (OpenID Connect) provider using oidc-provider, but you need to configure it as per your needs.

Install the required libraries: npm install oidc-provider express body-parser

After installation, set up the configuration file:

// config.js: a single hard-coded client (in practice, read the id and secret
// from environment variables rather than committing them)
module.exports = {
  clients: [
    {
      client_id: 'your_client_id',
      client_secret: 'your_client_secret',
      // must be a real OAuth 2.0 grant type name, not a placeholder
      grant_types: ['authorization_code'],
      // exact URIs only; oidc-provider matches them literally
      redirect_uris: ['https://your-budibase-app.com/cb'],
    },
  ],
  features: {
    // with devInteractions disabled you must supply your own login/consent pages
    devInteractions: { enabled: false },
    introspection: { enabled: false },
    revocation: { enabled: false },
  },
  formats: {
    AccessToken: 'jwt',
  },
  // add more as the way you want
};

Now, create your server (the provider) using the above config:

const express = require('express');
const { Provider } = require('oidc-provider');
const config = require('./config');

// The issuer URL must be exactly what Budibase is configured to discover
const ISSUER = 'http://localhost:3000';

const app = express();

const clients = config.clients.map((client) => ({
  ...client,
  client_id_issued_at: Math.floor(Date.now() / 1000),
  client_secret_expires_at: 0,
}));

const oidc = new Provider(ISSUER, {
  clients,
  features: config.features,
  formats: config.formats,
  // add other configs if needed
});

// Mount the provider's request handler on the express app. oidc-provider parses
// its own request bodies, so do not run body-parser in front of it (a consumed
// request stream breaks the token endpoint).
app.use(oidc.callback());

app.listen(3000, () => {
  console.log(`OIDC provider listening on ${ISSUER}`);
});

Run your provider or server: node server.js

Please note that if you have properly configured Budibase to use the OIDC provider endpoints for authentication, you must also ensure that your Budibase app is set up with the correct client ID, secret, and redirect URIs.

If all goes well, Budibase should be able to obtain ID tokens from the OIDC provider, and you can use the ID token as a Firebase Authentication token for your REST API.

Please note: you can opt for Auth0 or Okta instead of a custom OIDC provider, as a custom provider introduces infrastructure complexity, and a small misconfiguration can lead to a very bad experience and vulnerabilities.

Let me know if that works.