SSO with Firebase

are you using cookie-parser?

1 Like

Using Redirects instead of Cookies

Hey yall, thanks for all the guidance, I got stuck with the cookie approach because my server is on a different domain and safari is at war with third party cookies. I’ve written up a stack overflow Q&A with a redirect approach, happy authenticating! :stuck_out_tongue_closed_eyes:

Just to say that I’d be very intersted too to have an easy integration of firebase authentification into discourse.

Hmm, what is the purpose of doing this exactly? Are you not using firebase authentication elsewhere in a webapp apart from discourse? I am and don’t want to mess with that setting, I would prefer it as “local” (Authentication State Persistence  |  Firebase)

Just some notes for others that go down this path:

  • call your cookie “__session” if you use firebase hosting. The rewrite rules filter out all other cookies for caching purposes.
  • you want to replace the relevant code above with something like this so that you don’t allow unvalidated emails (big security risk).
      auth
        .verifyIdToken(idToken)
        .then(function (decodedClaims) {
          // In this case, we are enforcing that the user signed in in the last 5 minutes.
          // and they have a verified email
          if (
            decodedClaims.email_verified &&
            new Date().getTime() / 1000 - decodedClaims.auth_time < 5 * 60
          ) {
            return auth.createSessionCookie(idToken, { expiresIn });
          }
          throw new Error("UNAUTHORIZED REQUEST!");
        })
  • there is a “logout redirect” setting in discourse. You probably want to use this to hit a URL that clears the __session cookie (can only be done via a backend api call) so the user isn’t automatically logged in as the same user as before when they try to login again.
1 Like

Where can you implement this code?