Firebase JWT Authentication (Custom JWT)
You can configure the Custom JWT authentication provider to authenticate users that you manage with Firebase Authentication.
Before You Begin
You will need the following to use Firebase Authentication:
A Firebase project with Authentication configured. To learn more, refer to the Firebase Authentication documentation.
An App Services App that does not already use Custom JWT authentication. To learn how to create a new App Services App, see Create an App.
If you're using the command line interface, you need App Services CLI to be installed and authenticated on your local system.
If you're using the Admin API, you need a MongoDB Atlas Admin API public/private key pair. The API key must have Project Owner permissions.
Configure the Custom JWT authentication provider
You can configure Custom JWT authentication from the UI or by modifying the underlying configuration files directly with the CLI or Admin API. Choose your preferred method below.
In the left navigation menu, click Authentication. Then click the Authentication Providers tab and select the Custom JWT provider.
Now you can configure the Custom JWT authentication provider to work with your Firebase project.
Click the toggle to enable the provider.
Set Verification Method to Use a JWK URI. Specify the following URL for JWK URI:
https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com
Define Metadata Fields to map data from the Firebase JWT to the corresponding App Services user account.
None of the metadata fields are required. However, you might find them useful for getting user information from the Firebase JWT into your App.
The following is a mapping from the Firebase JWT to an App Services user. You can add these to the table in the UI as they are or modify the mapping as you wish following the Metadata Fields documentation.
| Path | Field Name |
| --- | --- |
| firebase.identities.email | emails |
| firebase.sign_in_provider | signInProvider |
| user_id | userId |
| email_verified | emailVerified |
| email | email |

Set Audience to your Firebase Project ID.
Important
You must set Audience to Firebase Project ID
To use Firebase as a Custom JWT provider, you must set Audience to your Firebase Project ID, even though the field is labeled as optional in the UI.
Click Save and deploy your changes.
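Why the Audience setting matters, as an added example that is not App Services code: the JWK URI above serves Google's shared securetoken signing keys, so the aud claim is what ties a token to one Firebase project. The sketch models the audience check and the dot-notation metadata mapping on a constructed, already-verified payload; the project ID, user values and function names are assumptions.

```python
# Simplified model of the audience check and metadata_fields mapping.
# Not App Services code; assumes the signature was already verified.
AUDIENCE = ["my-firebase-project"]  # constructed Firebase Project ID
METADATA_FIELDS = [  # the mapping from this page
    {"required": False, "name": "firebase.identities.email", "field_name": "emails"},
    {"required": False, "name": "firebase.sign_in_provider", "field_name": "signInProvider"},
    {"required": False, "name": "user_id", "field_name": "userId"},
    {"required": False, "name": "email_verified", "field_name": "emailVerified"},
    {"required": False, "name": "email", "field_name": "email"},
]

# Constructed sample of a decoded Firebase ID token payload.
CLAIMS = {
    "iss": "https://securetoken.google.com/my-firebase-project",
    "aud": "my-firebase-project",
    "sub": "uid-123", "user_id": "uid-123",
    "email": "ada@example.com", "email_verified": True,
    "firebase": {"identities": {"email": ["ada@example.com"]},
                 "sign_in_provider": "password"},
}

def audience_ok(claims, expected):
    """True when aud (string or list) names a configured audience."""
    aud = claims.get("aud")
    token_auds = [aud] if isinstance(aud, str) else list(aud or [])
    return any(a in expected for a in token_auds)  # empty config matches nothing

def resolve(claims, dotted_path):
    """Walk a dot-notation path; return None if any segment is missing."""
    node = claims
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def map_metadata(claims, fields):
    """Build the user-data dict; raise if a required path is absent."""
    out = {}
    for f in fields:
        value = resolve(claims, f["name"])
        if value is None and f["required"]:
            raise ValueError("missing required claim: " + f["name"])
        if value is not None:
            out[f["field_name"]] = value
    return out

if __name__ == "__main__":
    print(audience_ok(CLAIMS, AUDIENCE), map_metadata(CLAIMS, METADATA_FIELDS))
```

A token from a different Firebase project fails `audience_ok`, and an anonymous sign-in, which carries no email claims, maps only `signInProvider` and `userId`.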
Run the following command, replacing the value of --remote with your App's Client App ID. This downloads a local copy of your App's latest configuration files and navigates to the configuration file directory, which uses the same name as your App.
appservices pull --remote "myapp-abcde"
cd myapp
Add a new Custom JWT authentication provider to your App's /auth/providers.json file. Use the following configuration as a template, replacing the audience value with your Firebase Project ID. You can use the provided metadata_fields as they are or modify the mapping as you wish following the Metadata Fields documentation.
{
  "custom-token": {
    "name": "custom-token",
    "type": "custom-token",
    "disabled": false,
    "config": {
      "audience": ["<Your Firebase Project ID>"],
      "jwkURI": "https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com",
      "useJWKURI": true
    },
    "secret_config": {
      "signingKeys": []
    },
    "metadata_fields": [
      { "required": false, "name": "firebase.identities.email", "field_name": "emails" },
      { "required": false, "name": "firebase.sign_in_provider", "field_name": "signInProvider" },
      { "required": false, "name": "user_id", "field_name": "userId" },
      { "required": false, "name": "email_verified", "field_name": "emailVerified" },
      { "required": false, "name": "email", "field_name": "email" }
    ]
  }
}
Save your changes to /auth/providers.json. Then, push the updated configuration file to deploy your App:
appservices push
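A check you could run on the pulled configuration before pushing, as an added example that is not part of the App Services CLI: it flags the settings this page depends on, including an audience that is empty or still holds the template placeholder. The function name, messages and the embedded sample are assumptions.

```python
import json
import sys

FIREBASE_JWK_URI = (
    "https://www.googleapis.com/service_accounts/v1/jwk/"
    "securetoken@system.gserviceaccount.com")

def lint_firebase_provider(providers):
    """Return a list of problems found in a parsed auth/providers.json."""
    provider = providers.get("custom-token")
    if provider is None:
        return ["no custom-token provider defined"]
    problems = []
    config = provider.get("config", {})
    audience = config.get("audience") or []
    if not audience:
        problems.append("config.audience is empty; set it to the Firebase Project ID")
    if any(a.startswith("<") for a in audience):
        problems.append("config.audience still contains the template placeholder")
    if config.get("useJWKURI") is not True:
        problems.append("config.useJWKURI must be true")
    if config.get("jwkURI") != FIREBASE_JWK_URI:
        problems.append("config.jwkURI is not the Firebase JWK URI from this page")
    if provider.get("secret_config", {}).get("signingKeys"):
        problems.append("signingKeys is non-empty; this page's template leaves it empty")
    if provider.get("disabled"):
        problems.append("provider is disabled")
    return problems

# Constructed sample: the page's template with the placeholder left in.
SAMPLE = {"custom-token": {
    "name": "custom-token", "type": "custom-token", "disabled": False,
    "config": {"audience": ["<Your Firebase Project ID>"],
               "jwkURI": FIREBASE_JWK_URI, "useJWKURI": True},
    "secret_config": {"signingKeys": []},
}}

if __name__ == "__main__":
    # Pass the path to auth/providers.json; without one, the sample is linted.
    doc = SAMPLE
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            doc = json.load(fh)
    found = lint_firebase_provider(doc)
    print("\n".join(found) or "ok")
    sys.exit(1 if found else 0)
```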
Add a new Custom JWT authentication provider to your App using the Create an authentication provider endpoint.
Use the following configuration as a template. Make sure to:
Specify your App's $PROJECT_ID and $APP_ID.
Include an Admin API access token in the Authorization header.
Replace the audience value in the request body with your Firebase Project ID.
You can use the provided metadata_fields as they are or modify the mapping as you wish following the Metadata Fields documentation.
curl "https://services.cloud.mongodb.com/api/admin/v3.0/groups/$PROJECT_ID/apps/$APP_ID/auth_providers" \
  -X "POST" \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "custom-token",
    "type": "custom-token",
    "disabled": false,
    "config": {
      "audience": ["<Your Firebase Project ID>"],
      "jwkURI": "https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com",
      "useJWKURI": true
    },
    "secret_config": {
      "signingKeys": []
    },
    "metadata_fields": [
      { "required": false, "name": "firebase.identities.email", "field_name": "emails" },
      { "required": false, "name": "firebase.sign_in_provider", "field_name": "signInProvider" },
      { "required": false, "name": "user_id", "field_name": "userId" },
      { "required": false, "name": "email_verified", "field_name": "emailVerified" },
      { "required": false, "name": "email", "field_name": "email" }
    ]
  }'
Log in with a Firebase JWT
Once you've configured the Custom JWT authentication provider to use Firebase Authentication, you can log in to your App Services App with a Firebase JWT.
Log the user into Firebase. To learn how, see the relevant Firebase SDK documentation for your platform and programming language.
Get the user's Firebase JWT. To learn how, see Retrieve ID tokens on clients in the Firebase documentation.
Use the Firebase JWT to authenticate with Atlas App Services. You can start a session over HTTP or log in with an SDK. To learn how, see the docs for your SDK: