Firebase JWT Authentication (Custom JWT)

On this page

  • Before You Begin
  • Configure the Custom JWT authentication provider
  • Log in with a Firebase JWT

You can configure the Custom JWT authentication provider to authenticate users that you manage with Firebase Authentication.

You will need the following to use Firebase Authentication:

  • A Firebase project with Authentication configured. To learn more, refer to the Firebase Authentication documentation.

  • An App Services App that does not already use Custom JWT authentication. To learn how to create a new App Services App, see Create an App.

  • If you're using the command line interface, you need the App Services CLI installed and authenticated on your local system.

  • If you're using the Admin API, you need a MongoDB Atlas Admin API public/private key pair. The API key must have Project Owner permissions.

You can configure Custom JWT authentication from the UI or by modifying the underlying configuration files directly with the CLI or Admin API. Choose your preferred method below.

To configure the provider from the UI, click Authentication in the left navigation menu. Then click the Authentication Providers tab and select the Custom JWT provider.

Now you can configure the Custom JWT authentication provider to work with your Firebase project.

  1. Click the toggle to enable the provider.

  2. Set Verification Method to Use a JWK URI. Specify the following URL for JWK URI:

    https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com

  3. Define Metadata Fields to map data from the Firebase JWT to the corresponding App Services user account.

    None of the metadata fields are required. However, you might find them useful for getting user information from the Firebase JWT into your App.

    The following is a mapping from the Firebase JWT to an App Services user. You can add these to the table in the UI as they are or modify the mapping as you wish following the Metadata Fields documentation.

    Path                         Field Name
    firebase.identities.email    emails
    firebase.sign_in_provider    signInProvider
    user_id                      userId
    email_verified               emailVerified
    email                        email

  4. Set Audience to your Firebase Project ID.

    Important

    You must set Audience to Firebase Project ID

    To use Firebase as a Custom JWT provider, you must set Audience to your Firebase Project ID, even though the UI labels the field as optional.

  5. Click Save and deploy your changes.
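
As an added example (not from the MongoDB documentation), this Python decodes a constructed, unsigned token shaped like a Firebase JWT and shows what the Audience setting and the metadata mapping above operate on. The project ID, user values and helper names are made up, the signature is deliberately not checked, and the dot-path lookup is an assumption about how Path is resolved.

```python
import base64
import json

# Path -> Field Name pairs from the page's metadata_fields template.
METADATA_FIELDS = {
    "firebase.identities.email": "emails",
    "firebase.sign_in_provider": "signInProvider",
    "user_id": "userId",
    "email_verified": "emailVerified",
    "email": "email",
}

# Constructed claims shaped like a Firebase JWT payload (made-up project and user).
SAMPLE_CLAIMS = {
    "aud": "demo-project-1234",
    "user_id": "uid-123",
    "email": "ada@example.com",
    "email_verified": True,
    "firebase": {"identities": {"email": ["ada@example.com"]}, "sign_in_provider": "password"},
}

def encode_segment(obj):
    """base64url-encode a JSON object without padding, as JWT segments are."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_claims(token):
    """Return the payload claims of a JWT WITHOUT verifying its signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audience_matches(claims, project_id):
    """True if the token's aud claim (string or list) names project_id."""
    aud = claims.get("aud")
    return project_id in (aud if isinstance(aud, list) else [aud])

def map_metadata(claims, fields=METADATA_FIELDS):
    """Resolve each dotted path in the claims; absent optional fields are skipped."""
    out = {}
    for path, field_name in fields.items():
        node = claims
        for key in path.split("."):
            node = node.get(key) if isinstance(node, dict) else None
        if node is not None:
            out[field_name] = node
    return out

SAMPLE_TOKEN = ".".join([encode_segment({"alg": "RS256"}), encode_segment(SAMPLE_CLAIMS), "sig"])
```

Running `decode_claims` on a token from your own Firebase project before deploying shows whether its `aud` value is the Project ID you entered as Audience and which mapped fields the token actually carries.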

To configure the provider with the CLI, run the following command, replacing the value of --remote with your App's Client App ID. This downloads a local copy of your App's latest configuration files and navigates to the configuration file directory, which uses the same name as your App.

appservices pull --remote "myapp-abcde"
cd myapp

Add a new Custom JWT authentication provider to your App's /auth/providers.json file. Use the following configuration as a template, replacing the audience value with your Firebase Project ID. You can use the provided metadata_fields as they are or modify the mapping as you wish following the Metadata Fields documentation.

/auth/providers.json
{
  "custom-token": {
    "name": "custom-token",
    "type": "custom-token",
    "disabled": false,
    "config": {
      "audience": ["<Your Firebase Project ID>"],
      "jwkURI": "https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com",
      "useJWKURI": true
    },
    "secret_config": {
      "signingKeys": []
    },
    "metadata_fields": [
      {
        "required": false,
        "name": "firebase.identities.email",
        "field_name": "emails"
      },
      {
        "required": false,
        "name": "firebase.sign_in_provider",
        "field_name": "signInProvider"
      },
      {
        "required": false,
        "name": "user_id",
        "field_name": "userId"
      },
      {
        "required": false,
        "name": "email_verified",
        "field_name": "emailVerified"
      },
      {
        "required": false,
        "name": "email",
        "field_name": "email"
      }
    ]
  }
}

Save your changes to /auth/providers.json. Then, push the updated configuration file to deploy your App:

appservices push

To configure the provider with the Admin API, add a new Custom JWT authentication provider to your App using the Create an authentication provider endpoint.

Use the following configuration as a template. Make sure to:

  • Specify your App's $PROJECT_ID and $APP_ID.

  • Include an Admin API access token in the Authorization header.

  • Replace the audience value in the request body with your Firebase Project ID.

You can use the provided metadata_fields as they are or modify the mapping as you wish following the Metadata Fields documentation.

curl "https://services.cloud.mongodb.com/api/admin/v3.0/groups/$PROJECT_ID/apps/$APP_ID/auth_providers" \
  -X "POST" \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "custom-token",
    "type": "custom-token",
    "disabled": false,
    "config": {
      "audience": ["<Your Firebase Project ID>"],
      "jwkURI": "https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com",
      "useJWKURI": true
    },
    "secret_config": {
      "signingKeys": []
    },
    "metadata_fields": [
      {
        "required": false,
        "name": "firebase.identities.email",
        "field_name": "emails"
      },
      {
        "required": false,
        "name": "firebase.sign_in_provider",
        "field_name": "signInProvider"
      },
      {
        "required": false,
        "name": "user_id",
        "field_name": "userId"
      },
      {
        "required": false,
        "name": "email_verified",
        "field_name": "emailVerified"
      },
      {
        "required": false,
        "name": "email",
        "field_name": "email"
      }
    ]
  }'

Once you've configured the Custom JWT authentication provider to use Firebase Authentication, you can log in to your App Services App with a Firebase JWT.

  1. Log the user into Firebase. To learn how, see the relevant Firebase SDK documentation for your platform and programming language.

  2. Get the user's Firebase JWT. To learn how, see Retrieve ID tokens on clients in the Firebase documentation.

  3. Use the Firebase JWT to authenticate with Atlas App Services. You can start a session over HTTP or log in with an SDK. To learn how, see the docs for your SDK:
