Controlling Data Access Using Firebase Auth Custom Claims (Firecasts)

The Firebase Admin SDK supports defining custom attributes on user accounts. This provides the ability to implement various access control strategies, including role-based access control, in Firebase apps. These custom attributes can give users different levels of access (roles), which are enforced in an application's security rules. In this episode of Firecasts, Jen Person gives us an overview of custom auth claims, how they are useful, and what you can do with them! If you want to create a custom user experience for different kinds of users, then follow along in this episode of Firecasts!

Links:

Comments
Author

It would be easier to manage user roles using claims if the firebase console had a page that allowed the admin to set claims for individual users. Role-based security is one of the most common tasks that administrators have to deal with and having to write code to support it doesn't make for a great user experience.

phidias
Author

Is there a particular reason why managing custom claims is not a feature available in the Firebase Console? It just feels odd having to use the Admin SDK just to be able to do so.

bustamantedev
Author

I think firebase security is by far the most difficult part about using firebase and Firestore. It’s too bad considering everything else about firebase is such a pleasure to use.

BSON
Author

Ok... First, thanks a lot for the video. Custom claims will surely prove to be useful in many cases. But I have some questions to get some clarifications on the concept:

1- If a user has logged in and you add/remove a custom claim they won't have it on their claim until the next time the token is issued.

2- Each client SDK has a method to "refresh" the firebase token, this can be used wherever appropriate.

Questions for 1 & 2: Does refreshing a token (2) have the same effect as re-issuing the token (1)? Looking at your annotation sequence I get the impression that it has the same effect.

3- Firestore, real-time database and cloud storage update permissions based on changes to users' uid, not the refresh token. Even if you refresh the token, security rules will not reflect changes in access. User needs to sign out and sign in again so that firebase products look at the permissions of the latest token.

Question for 3: Are the custom claims cached somewhere on these products and these claims are only fetched whenever a user logs out and logs back in? In this case, the only proper way to securely reflect the changes in the claims is to kick the user out, correct? By updating "permissions" you mean "custom claims", right? When I refresh a token, I get the new claims on the client but I can't reflect the changes on the server side for firebase, firestore, storage. This implies custom claim records are not read from the place they are stored by these products, instead they are cached somewhere and this cache needs to be updated by a sign-out, right? This part is a little foggy as far as this video is concerned.

Cheers

_sr
Author

I think firebase authentication itself could be more... customizable and user-friendly, allowing developers to add custom user profile properties and set different user groups more easily, without setting up an additional collection for users in Firestore or asking for help from Admin SDK.

Jonathanwh
Author

It's nice to see that this feature is getting more attention

dilass
Author

This video is 2 years old but this helps me a lot ....
Thank you....

CSClass
Author

I was developing an app requiring the exact feature in 2017. Was searching the internet like a mad man, I couldn't find a thing. At the end I thought it must be something to do with the server side rules, but I couldn't just figure it out.
That app went to stub at that time due to various other reasons, but I guess I will visit it again :)
Thank you for such an awesome explanation!!

anshsachdeva
Author

Thanks Jen, you've just confirmed I'm doing this correctly in my app (custom claims applied by a cloud function)! Also great to know the reads from Firestore rules are included in the quotas. I wish I'd had this video 2 months ago, would've made my life a little easier when implementing. Great content and a great product, thanks!

MarkValenzia
Author

Each and every word Jen (pardon if I got her name wrong) said is useful for understanding custom claims.

WhatIsThisAllAbout
Author

Something I was looking for over a year now! Good job!

AmanVishnani
Author

"Relying solely on client-side use of custom claims is not secure"
Noted.

WhatIsThisAllAbout
Author

Is there an updated version of this guide anywhere? I'm assuming a lot has changed in 4+ years.

wuji
Author

It'd be nice if I could view and edit claims from Firebase Console. Having a Cloud Function is great, but when developing, it's much easier to test using the Firebase Console then configure in a function once I have a good understanding of how I might use claims, how I'd define roles, etc.

Saturn
Author

This is very awesome! Can't wait to use Custom Claims, another reason why I love Firebase!

MrAlexdunlop
Author

Thanks for this video, I've been doing things wrong this whole time

msjahun
Author

So you can set and update a custom claim, but how do you remove/delete it? You never discussed revoking permissions!

digimbyte
Author

really useful/helpful for my blog app... thank you :)

HemitPatel-sf
Author

Amazing video! But I don't understand why it's still not possible to view and update custom claims from the firebase admin panel, it'll totally make sense #AskFirebase

ThatGuyAnonymous
Author

We have other solutions for stuff like this.. But this just saved us from writing & planning tons of code! Thanks!!

lgopt