Password-based sign-in remains a popular means of user authentication despite its weaknesses. For example, users frequently forget their passwords, requiring a password reset flow that creates friction for returning users; databases of stolen passwords are routinely shared between bad actors; and users often reuse weak passwords across sites, which makes a stolen password even more damaging. On the other hand, the password model of authentication is familiar to users, and users expect to see it. For this reason, it's understandable that many developers want to implement some form of password-based sign-in in their apps.
Firebase and Google Cloud Identity Platform provide libraries to make password sign-in easy to implement for your users, but it's important to consider these authentication best practices to enable more secure sign-ins.
Before you launch your app, you should add additional restrictions to your API keys to limit the access they grant. Here are some steps you can take:
Visit our Applying API key restrictions documentation to learn more.
One way to improve security for users who sign in with passwords is to use password management tools:
If your app deals with sensitive information, the industry best practice, and our recommendation, is to require MFA for user sign-in. This is especially important if your app deals with information such as financial data or medical records. You can add a second factor to most of Firebase Authentication’s sign-in methods, including email address and password, with Google Cloud Identity Platform. To get started, enable Identity Platform in your project, then add MFA to your apps (iOS, Android, Web). Your existing Firebase Authentication code will continue to work after you enable Identity Platform.
If you’re not using MFA, other strong options for user authentication with Firebase are to use one of the social sign-in providers supported by Firebase Authentication, such as Google, Facebook, and Apple, or to use email link sign-in.
To serve users who don't have or use email addresses, Firebase and Google Cloud Identity Platform provide phone authentication services. This is the best solution for many user bases, but it has its own security caveats: possession of a phone number can be easily transferred between users, and, on devices with multiple user profiles, any user that can receive SMS messages can sign in to an account using the device's phone number. (See the docs for iOS, Android, Web, Unity, C++.)
We recognize the ubiquity of the password model and we will continue working to improve the security of password based sign-in.
Over the past few months, we’ve seen that apps not only improve the way we live, they also enhance our ability to adapt to change. In 2020, more businesses and families have turned to apps to stay connected, productive, and entertained. At the same time, our developer community has stepped up to build and scale the apps people are relying on. Our team, alongside the rest of Google, has strived to be supportive in this moment. Our mission is to help you succeed by making it easy to build and operate apps.
Last year, we shared that 2 million apps actively use Firebase every month. Now, that number has grown to over 2.5 million monthly active apps, which includes global businesses like Gameloft and Alibaba, as well as innovative startups like Classkick. Classkick is a full-spectrum learning platform with a backend powered by our Realtime Database and supported by Google Cloud. When the COVID-19 pandemic forced schools to close, Classkick onboarded thousands of teachers and school administrators to their platform. With Firebase, they were able to scale to meet this new demand so students could continue to learn effectively from home and stay engaged with their teachers and classmates.
Classkick is helping students learn effectively from home
Classkick is just one example from our incredible community of how apps are helping people adapt to their new surroundings. It’s stories like these that inspire us to keep making Firebase better. Every year at Firebase Summit, we share updates on how we can help you accelerate app development, run your app efficiently, and tailor Firebase to suit your needs. Read on to learn what’s new at our digital Firebase Summit 2020, and view the sessions and resources on our summit website.
We’re continuing to invest in tools that speed up your app development so you can deliver value to your users in less time.
Introducing the Authentication emulator for rapid iteration and local development
Last year, we launched the Firebase Emulator Suite to let you run emulated versions of our backend products for a faster and safer development experience. A few months ago, we introduced you to the local emulator UI, which makes it possible to run services locally via a web app with a distinguishable UI, and comes with features like advanced data editing and searching. The Emulator Suite supports Hosting, Realtime Database, Firestore, Cloud Functions, and Cloud Pub/Sub - and now, we’ve added support for Firebase Authentication.
The Emulator Suite now includes support for Authentication
This means you can test the entire user management process - from user creation to Function trigger to sending updates to Firestore, and even fuzzy log searches to debug interactions between the emulators and your application - on your local machine. You can also use the new auth emulator to run integration tests that rely on authentication. The Emulator Suite, now with Firebase Authentication, allows you to shift to a local-first developer workflow so you can experiment and rapidly iterate without touching production data, incurring costs, or worrying that you’ll break something. Check out our documentation to get started.
New Hosting preview channels let you see changes before publishing
Web development can be cumbersome and complicated. With Firebase Hosting, you can deploy secure, fast-loading web apps and landing pages that are backed by a global CDN in less time, and with less hassle. Recently, we added new features that many of you have been asking for, including an integration with Cloud Logging to give you more server-side analytics, support for Brotli compression to boost your site performance, and improved support for localized content.
Our latest update to Firebase Hosting, preview channels, lets you see your changes before publishing them to your site. Now, you can deploy changes to a preview channel in seconds with a single command and generate an obscured unique URL to share with your team. Preview channels not only let you check that your changes look as intended right away, they also make collaboration quicker and easier even if you’re working across a distributed team. Try them out today!
Hosting’s new preview channels let you see changes before publishing
More Extensions for adding features and functionality
At last year’s Firebase Summit, we launched Firebase Extensions: pre-packaged solutions that automate common tasks in your projects and let you add new functionality in fewer steps. Since then, we’ve partnered with Stripe to release the Send Invoices using Stripe and the Run Subscription Payments with Stripe extensions. These extensions let you integrate the Stripe payments platform with Firebase without requiring you to learn Stripe’s API.
Today, we’re sharing a preview of another extension through our Alpha Program, called Detect Online Presence. Detect Online Presence shows you which users or devices are currently online and stores that data in Cloud Firestore. If you’re developing a game or a social app, you can use this extension to let your users know when their friends are online for a friendly match or chat. Join our Alpha Program to try it out!
Detect Online Presence is our newest Firebase Extension, available in Alpha
In addition to accelerating app development, Firebase provides actionable data so you can optimize your app - and ultimately, keep users happy.
Redesigned Performance Monitoring dashboard to help you focus on critical metrics
Any time you release a new version of your app, it’s important to pay attention to stability and performance metrics to ensure your users have a fast, high-quality experience. Firebase Performance Monitoring gathers and presents data about your app’s performance to show you exactly what’s happening in your app - and when users are encountering slowness. But sometimes, there’s so much information, it can be hard to focus on what’s important.
To help you home in on key insights, we’re excited to unveil the redesigned Performance Monitoring dashboard. This new dashboard makes it crystal clear if one of your critical metrics needs attention so that you can take action, and it’s customizable, allowing you to bring the metrics you care about most to the forefront. We’ve made this dashboard available to everyone - just head on over to the console and add the metrics that matter to you.
The redesigned Performance Monitoring dashboard brings critical metrics to the forefront
New organizational and targeting tools for Remote Config
As people start using your app, you’ll want to delight them with new features, promotions, and personalization so they stick around. With Firebase Remote Config, you can dynamically alter your app, safely test and release new features, and stay in control of the whole experience - without having to publish a new version. However, as your project gets bigger, it might become hard to maintain and navigate through your app config. Over the past few months, we’ve added new features to help you better organize, visualize, and target your parameters so you can manage your app config more efficiently.
First, we added information about experiments into the Remote Config dashboard and launched parameter groups. Then, we made it possible to sort parameters alphabetically and enhanced the search tool. On top of that, we improved version targeting by making it available for iOS and adding support for semantic versioning, so you can use numeric operators like “>=” to target specific app versions without resorting to complicated regular expressions.
Improved version targeting in Remote Config
Most recently, we launched config metrics to give you more visibility into how your app configuration is behaving for users so you can find and fix incorrect configurations quickly. These config metrics include realtime fetch requests, which allow you to monitor rollouts of a new set of values, and fetch percentages, which show you the distribution of parameter values across users. For example, a smaller fetch percentage for a condition than you expected signals that the condition may be matching the wrong users, so the users you intended are not receiving the intended values.
Real-time config metrics for Remote Config
When your app and business grow, your development challenges may become more complex. We’re working to give you automation capabilities, such as Crashlytics BigQuery streaming, and more control and flexibility so you can adapt Firebase to fit your sophisticated needs.
New Google Analytics APIs for better data management
One of the key factors in scaling a successful app is knowing how your users are interacting with it. Our robust integration with Google Analytics helps you understand what actions users are taking inside your app, where they're spending their time, and why they churn, so you can make smarter decisions. Last year, we announced a significant new upgrade in Google Analytics that gave you a single view of customer engagement across both native apps and web-powered ones. Since then, we’ve added new features like setDefaultEventParameters and powerful new ecommerce measurement, which you can read about in this blog post.
Today, we're excited to announce three new APIs that give you more control so you can collect, record, and manage your data in a way that suits your growing business. The first one, the Google Analytics 4 Measurement Protocol, lets you log events directly to Google Analytics. This is especially useful for developers who want to augment their client-side data with server-to-server calls to gain new insights. For those of you who want to create your own custom dashboards, the Data API, which is the second new API, gives you programmatic access to your Google Analytics reporting data. Finally, the Admin API gives you the ability to configure your Analytics account and set user permissions.
Google Analytics 4 Measurement Protocol lets you log events directly to Google Analytics
Introducing imported segments for increased targeting flexibility
Over the years, we’ve seen many of you take advantage of our BigQuery integration by exporting data from Firebase, joining it with data from other channels, running sophisticated analysis - and even creating your own custom user segments in BigQuery. Now, we’re giving you the power to bring these custom segments back from BigQuery into Firebase with the launch of imported segments! This means you can target any custom segment with products like Remote Config, Cloud Messaging, and In-App Messaging. For example, if you have an ecommerce app and a physical storefront, you can import data from offline sources - like your store - and send those users an in-app promotion with In-App Messaging.
This feature is available through Firebase's BigQuery integration. To get started, simply create your custom segment and import it into your BigQuery dataset. Then, Firebase will be able to read that data and make those segments available for targeting. We built imported segments to give you more control and flexibility to target your users.
New imported segments let you bring custom segments from BigQuery into Firebase
With these improvements to Firebase, we aim to make app development faster and easier so you can stay focused on creating the amazing app experiences that people need to stay productive, connected, and entertained. People are relying on your apps to adapt and thrive in our changing world. You can rely on us to help you build, operate, and scale successful apps - in 2020 and beyond.
For more resources and content from Firebase Summit 2020, be sure to check out our summit website, and if you’d like a sneak peek of what’s coming next, join our Alpha program.
Most apps that you build with Firebase’s backend services, such as Realtime Database, Cloud Firestore, and Cloud Storage, need some way to sign users in: among other things, this lets you provide a consistent experience across sessions and devices, and lets you set user-specific permissions. Firebase Authentication helps you meet this requirement by providing libraries and services that you can use to quickly build a new sign-in system for your app.
But what if your organization already uses a service such as Okta to handle user identity? With Firebase Custom Authentication, you can use any user identity service (including Okta) to authenticate with Firebase, and this post will show you how.
You’ll learn how to build a Firebase and Okta integration, which will have two components:
By the way, this approach can also be used with some modification for other identity services, such as Auth0, Azure Active Directory, or your own custom system.
Ready to get started? Great! But, before you write any code, you’ll need to set up your Okta and Firebase projects.
First, set up an Okta project on the Okta Developer site:
Set the Base URIs and Login redirect URIs to the location where you plan to host your web frontend (http://localhost:5000 if you’re using the Firebase Hosting emulator) and enable the Authorization Code grant type.
When you’re done, take note of the app's Client ID for later.
Then, set up a Firebase project in the Firebase console:
If you plan to eventually host your web app with Firebase, you can automatically set up Firebase Hosting and simplify configuration by enabling Also set up Firebase Hosting for this app.
Finally, if you plan to deploy your token exchange endpoint as a Cloud Function:
Now that your projects are set up, you’ll write the crucial piece: the token exchange endpoint.
The job of the token exchange endpoint is to take a user’s Okta access token and, if it’s valid, produce a Firebase custom authentication token that represents the same user.
This endpoint needs to be able to verify the authenticity of the Okta access token. To accomplish this, use the Express.js middleware provided in Okta’s developer documentation (reproduced below, with minor modifications):
const OktaJwtVerifier = require('@okta/jwt-verifier');

// Your Okta org URL (for example, read from the environment at deploy time).
const OKTA_ORG_URL = process.env.OKTA_ORG_URL;

const oktaJwtVerifier = new OktaJwtVerifier({
  issuer: `${OKTA_ORG_URL}/oauth2/default`,
});

// Middleware to authenticate requests with an Okta access token.
const oktaAuth = async (req, res, next) => {
  const authHeader = req.headers.authorization || '';
  const match = authHeader.match(/^Bearer (.+)$/);
  if (!match) {
    res.status(401);
    return next('Unauthorized');
  }
  const accessToken = match[1];
  try {
    // Checks the signature against the org's published keys, plus the
    // issuer, the expiry, and the expected audience (api://default).
    const jwt = await oktaJwtVerifier.verifyAccessToken(
        accessToken, 'api://default');
    req.jwt = jwt;
    return next(); // Pass the request on to the main route.
  } catch (err) {
    console.log(err.message);
    res.status(401);
    return next('Unauthorized');
  }
};
Any endpoint protected by this middleware will require a valid Okta access token in the Authorization header. The verifier checks the token's signature against your org's published signing keys, its issuer, its expiry, and that its audience is the one you pass (api://default is the audience of the default authorization server). If every check passes, the middleware attaches the decoded token to the request as req.jwt before passing the request along by calling next().
Now, you can write the token exchange endpoint:
const express = require('express');
// Only your frontend's origin should be allowed to call this endpoint.
const cors = require('cors')({origin: 'https://YOUR_DOMAIN'});
const firebaseAdmin = require('firebase-admin');

const app = express();
const firebaseApp = firebaseAdmin.initializeApp();

// Get a Firebase custom auth token for the authenticated Okta user.
// This endpoint uses the `oktaAuth` middleware defined above to
// ensure requests have a valid Okta access token.
app.get('/firebaseCustomToken', [cors, oktaAuth], async (req, res) => {
  const oktaUid = req.jwt.claims.uid;
  try {
    const firebaseToken = await firebaseApp.auth().createCustomToken(oktaUid);
    res.send(firebaseToken);
  } catch (err) {
    console.log(err.message);
    res.status(500).send('Error minting token.');
  }
});
This endpoint uses the Firebase Admin SDK to mint a Firebase custom authentication token whose uid is the user’s Okta UID. When you sign a user in with this token for the first time (on the frontend), Firebase Authentication adds a user record with that UID to your project. Two things to keep in mind: the custom token is valid for one hour and is itself a bearer credential, so serve it only over HTTPS and only to your own origin (hence the cors restriction above); and the new user record contains nothing but the UID, so if you want email or displayName populated, the endpoint has to set them from the Okta token's claims (for example with the Admin SDK's updateUser()) before returning the token.
This process of using an Okta access token to acquire a Firebase custom token is the key idea behind integrating Okta and Firebase. But, let’s go one step further and write a simple web frontend to demonstrate the use of the endpoint.
The demo frontend is a plain HTML and JavaScript web app that uses the Firebase Authentication Web SDK and Okta’s sign-in widget library.
Start with two containers: one for authenticated user content and one for Okta’s sign-in widget:
<div id="authenticated-user-content" hidden>
  <h2>Authenticated with Firebase</h2>
  <p id="user-info"></p>
  <button onclick="firebase.auth().signOut();">Sign out</button>
</div>
<div id="signin-widget" hidden></div>
Set up a Firebase authentication state listener that shows some user profile information to signed-in users and Okta’s sign-in widget to signed-out users:
const oktaSignIn = new OktaSignIn({
  baseUrl: OKTA_ORG_URL,
  redirectUri: window.location.href,
  authParams: {
    display: 'page',
  },
  el: '#signin-widget',
});

firebase.auth().onAuthStateChanged((user) => {
  if (user) {
    // User is signed in. Display some user profile information.
    // textContent, not innerHTML: profile values are data, not trusted markup.
    document.getElementById('user-info').textContent =
        `Hi, ${user.displayName}! Your email address is ${user.email} and your UID is ${user.uid}.`;
    document.getElementById('authenticated-user-content').hidden = false;
    document.getElementById('signin-widget').hidden = true;
  } else {
    // User is signed out. Display the Okta sign-in widget.
    oktaSignIn.showSignInToGetTokens({
      clientId: OKTA_CLIENT_ID,
      redirectUri: window.location.href,
      getAccessToken: true,
      getIdToken: true,
      scope: 'openid profile email',
    });
    document.getElementById('authenticated-user-content').hidden = true;
    document.getElementById('signin-widget').hidden = false;
  }
});
When a user signs in with Okta’s widget, their browser briefly redirects to Okta’s authorization server, and then, assuming the user signed in successfully, redirects back to your app with the response.
Use Okta’s sign-in library to get the Okta access token from the response and use the access token to get a Firebase custom token from your token exchange endpoint:
// Called once on page load; `await` needs an async function.
async function completeOktaSignIn() {
  if (oktaSignIn.hasTokensInUrl()) {
    // Get the access token from Okta.
    const oktaTokenResponse = await oktaSignIn.authClient.token.parseFromUrl();
    const accessToken = oktaTokenResponse.tokens.accessToken.value;

    // Use the access token to call the firebaseCustomToken endpoint.
    const firebaseTokenResponse = await fetch(CUSTOM_TOKEN_ENDPOINT, {
      headers: {
        'Authorization': `Bearer ${accessToken}`,
      },
    });
    if (!firebaseTokenResponse.ok) {
      throw new Error(`Token exchange failed with status ${firebaseTokenResponse.status}`);
    }
    const firebaseToken = await firebaseTokenResponse.text();

    // (Continued below.)
  }
}
And finally, authenticate with Firebase using the custom token:
    // (Continued from above.)
    try {
      await firebase.auth().signInWithCustomToken(firebaseToken);
    } catch (err) {
      console.error('Error signing in with custom token.', err);
    }
When the call to signInWithCustomToken() completes, the auth state listener will detect the change and display the user’s profile information.
At this point, the user is authenticated with Firebase and you can use any of Firebase’s authentication-enabled services, such as Realtime Database, Cloud Firestore, and Cloud Storage. In Security Rules, request.auth.uid for this user is the Okta UID you passed to createCustomToken(), so per-user rules can be keyed on it directly. See the Security Rules documentation for more information on granting resource access to authenticated users.
For the complete demo app and backend that the code snippets above came from, see the Authenticate with Firebase using Okta sample on GitHub.
Our team is driven by the belief that apps have drastically improved the way we live, work, learn, and socialize, keeping us connected to each other and plugged into the information we need. Now more than ever, we understand the importance of supporting our developer community by ensuring you have the technology and resources you need to keep your business up and running. Whether you’re a high-growth startup or a global enterprise, we’re still here to help you build and operate your app.