A lightweight, self-contained Symfony bundle providing authentication with JWTs generated by the Firebase client SDK.

Primary language: PHP. License: MIT.

FirebaseAuthenticationBundle

A lightweight, self-contained, zero-dependency, spec-compliant Symfony bundle providing authentication with Firebase JWTs out of the box. Works with either short-lived ID tokens or session cookies.

Installation

Install this bundle with Composer:

composer require danieleambrosino/firebase-authentication-bundle

Configuration

Set your Firebase project's ID in an environment variable named FIREBASE_PROJECT_ID:

# .env
FIREBASE_PROJECT_ID=projectid-1a2b3

Add the firebase authenticator to any of your app's firewalls:

# config/packages/security.yaml
security:
    firewalls:
        main:
            stateless: true
            firebase: ~

For each firewall you can choose the authentication strategy (default is bearer, see the configuration reference):

  • with the bearer strategy, requests must be authenticated by sending a short-lived ID token (generated by the Auth package of the Firebase client SDK you are using) in an Authorization: Bearer <token> HTTP header, as in the OAuth 2.0 Bearer Token Usage specification (RFC 6750);
  • with the cookie strategy, requests must be authenticated by sending a Firebase session cookie in a cookie named according to the cookie_name parameter (default is sessionToken).

That's it! The authenticated user will be identified using the claim in the JWT payload specified by the user_identifier parameter (default is sub).

You can require that the user's email address is verified by setting the verify_email boolean parameter on a per-firewall basis. Optionally, you can set the package-level leeway parameter (a positive integer number of seconds) to tolerate clock skew between your server and Google's servers when the exp and iat claims are checked; keep it small, since every second of leeway extends the life of an expired token.
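The bundle's own verification code is not shown on this page. As an added example (not the bundle's code), the following PHP script implements the checks Firebase's documentation prescribes for an ID token (RS256 signature against a key selected by the kid header, aud equal to the project ID, iss equal to https://securetoken.google.com/<project_id>, exp in the future, iat and auth_time in the past, non-empty sub) and shows what the leeway and verify_email settings change. The function parameters $projectId, $leeway and $verifyEmail are named after the bundle's project_id, leeway and verify_email options; the RSA key pair, the key id demo-key and all claims are constructed locally so the script runs offline, whereas a real verifier must fetch Google's current public keys and pick the one matching the token's kid. Session cookies follow the same claim rules but are signed with a different key set and carry a different issuer, so the ID-token constants below must not be reused for them.

```php
<?php
declare(strict_types=1);

// Added example, not the bundle's implementation: verify a Firebase-style
// ID token per Firebase's documented rules, with a clock-skew leeway and an
// optional email_verified requirement. Key pair, kid and claims are
// constructed here so that the script runs offline.

function b64url(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64urlDecode(string $data): string
{
    $raw = base64_decode(strtr($data, '-_', '+/'), true);
    if ($raw === false) {
        throw new RuntimeException('Malformed base64url segment');
    }
    return $raw;
}

/**
 * Returns the verified payload or throws. $leeway and $verifyEmail mirror the
 * bundle's "leeway" and "verify_email" options; $now is injectable for tests.
 */
function verifyFirebaseToken(
    string $jwt, string $publicKeyPem, string $projectId,
    int $leeway = 0, bool $verifyEmail = false, ?int $now = null
): array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new RuntimeException('Token must have three segments');
    }
    [$h, $p, $s] = $parts;
    $header  = json_decode(b64urlDecode($h), true, 512, JSON_THROW_ON_ERROR);
    $payload = json_decode(b64urlDecode($p), true, 512, JSON_THROW_ON_ERROR);

    // Firebase tokens are always RS256: pin the algorithm, never trust "alg" alone.
    if (($header['alg'] ?? null) !== 'RS256' || empty($header['kid'])) {
        throw new RuntimeException('Unexpected alg or missing kid');
    }
    $key = openssl_pkey_get_public($publicKeyPem);
    if ($key === false
        || openssl_verify("$h.$p", b64urlDecode($s), $key, OPENSSL_ALGO_SHA256) !== 1) {
        throw new RuntimeException('Signature verification failed');
    }

    $now ??= time();
    if (($payload['aud'] ?? null) !== $projectId) {
        throw new RuntimeException('aud does not match the project ID');
    }
    if (($payload['iss'] ?? null) !== 'https://securetoken.google.com/' . $projectId) {
        throw new RuntimeException('iss does not match the project issuer');
    }
    if (!isset($payload['exp']) || $now >= $payload['exp'] + $leeway) {
        throw new RuntimeException('Token expired');
    }
    if (!isset($payload['iat']) || $payload['iat'] - $leeway > $now) {
        throw new RuntimeException('Token issued in the future');
    }
    if (isset($payload['auth_time']) && $payload['auth_time'] - $leeway > $now) {
        throw new RuntimeException('auth_time is in the future');
    }
    if (!is_string($payload['sub'] ?? null) || $payload['sub'] === '') {
        throw new RuntimeException('sub must be a non-empty string');
    }
    if ($verifyEmail && ($payload['email_verified'] ?? false) !== true) {
        throw new RuntimeException('Email address not verified');
    }
    return $payload;
}

// --- Offline demo with a constructed key pair and constructed claims ---
$projectId = 'projectid-1a2b3';
$private   = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$publicPem = openssl_pkey_get_details($private)['key'];

$mint = function (array $claims) use ($private): string {
    $signingInput = b64url(json_encode(['alg' => 'RS256', 'kid' => 'demo-key', 'typ' => 'JWT']))
        . '.' . b64url(json_encode($claims));
    openssl_sign($signingInput, $sig, $private, OPENSSL_ALGO_SHA256);
    return $signingInput . '.' . b64url($sig);
};

$now    = 1700000000;
$claims = [
    'iss' => "https://securetoken.google.com/$projectId", 'aud' => $projectId,
    'sub' => 'uid-123', 'iat' => $now - 10, 'auth_time' => $now - 10, 'exp' => $now + 3600,
    'email' => 'user@example.com', 'email_verified' => false,
];

$ok = verifyFirebaseToken($mint($claims), $publicPem, $projectId, 0, false, $now);
echo "valid token accepted for sub={$ok['sub']}\n";

// A token that expired 30 s ago is rejected with leeway 0 and accepted with leeway 60.
$stale = ['exp' => $now - 30] + $claims;
foreach ([0, 60] as $leeway) {
    try {
        verifyFirebaseToken($mint($stale), $publicPem, $projectId, $leeway, false, $now);
        echo "leeway=$leeway: accepted\n";
    } catch (RuntimeException $e) {
        echo "leeway=$leeway: rejected ({$e->getMessage()})\n";
    }
}

// verify_email=true rejects the otherwise valid token because email_verified is false.
try {
    verifyFirebaseToken($mint($claims), $publicPem, $projectId, 0, true, $now);
} catch (RuntimeException $e) {
    echo "verify_email: rejected ({$e->getMessage()})\n";
}
```

Run it with `php verify_demo.php` (any PHP 7.4 or later build with the openssl and json extensions). The leeway loop shows why the value should stay small: with leeway 60 a token that expired 30 seconds ago is still accepted, which is exactly the window an attacker replaying a captured token gains.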

This bundle also provides a minimal user provider named firebase, which builds a user object from the verified token's claims; it is intended for simple cases such as securing the registration route, where no application-side user record exists yet.

Configuration reference

Package-level configuration

# config/packages/firebase_authentication.yaml
firebase_authentication:
    project_id: '%env(string:FIREBASE_PROJECT_ID)%'

    # The leeway to account for clock skew with Google servers
    leeway: 0

    # Used only by the authenticators with "cookie" strategy
    cookie_name: sessionToken

    # The field in the payload used to identify the user
    user_identifier: sub

Firewall-level configuration

# config/packages/security.yaml
security:
    providers:
        # Give the provider any name you want
        # You just have to set the "firebase" field
        jwt: { firebase: ~ }
    firewalls:
        main:
            stateless: true
            firebase:
                strategy: bearer # One of "bearer", "cookie"
                verify_email: false

            # If you want this firewall to use the provider declared above
            provider: jwt