Primary language: JavaScript. License: MIT.

api-gateway-firebase-auth

Custom (Lambda) authorizer for AWS API Gateway that verifies client authorization tokens generated by Google Firebase.

Prerequisites

The following resources are required for using the custom authorizer:

  1. A project using the following AWS resources: API Gateway and Lambda
  2. Deployment to AWS using the Serverless framework
  3. An IAM user and user profile for your AWS serverless project deployment
  4. A Firebase project for authenticating users

Required files

Two local files that contain client secrets need to be created. These files are not included in the repository and must NOT be added or committed to it.

  • An environment.json file that contains information specific to your AWS serverless environment and Firebase project. At a minimum, the file requires the following:
{
  "AWS_PROFILE": "<your_aws_serverless_deployment_profile>",
  "AWS_REGION": "<your_aws_serverless_deployment_region>",
  "FIREBASE_DATABASE_URL": "<your_firebase_database_URL>"
}
  • A serviceAccountKey.json file that contains the service account key from your Google Firebase project, used to initialize the firebase-admin SDK. More information about obtaining the key and initializing the SDK can be found in the official Firebase documentation.
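To make concrete what the authorizer does with those files, here is an added example (not the code from this repository) of the shape a TOKEN-type API Gateway Lambda authorizer takes: it pulls the bearer token from the event, verifies it, and answers with an IAM policy scoped to the invoked method. The Firebase verification step is injected as a parameter so the file runs offline; in the deployed Lambda you would pass `admin.auth().verifyIdToken` from firebase-admin, initialized with serviceAccountKey.json and the FIREBASE_DATABASE_URL from environment.json. The token values, uid and methodArn below are constructed sample data.

```javascript
// Added example, not the project's own code. Models an API Gateway TOKEN
// authorizer that checks a Firebase ID token and returns an IAM policy.
// Firebase verification is injected so this runs offline; in the real Lambda,
// pass admin.auth().verifyIdToken from a firebase-admin app initialised with
// serviceAccountKey.json and FIREBASE_DATABASE_URL (from environment.json).

// Constructed stand-in for admin.auth().verifyIdToken: resolves with a decoded
// token for one known sample value and rejects everything else.
async function fakeVerifyIdToken(token) {
  if (token === 'constructed-valid-token') {
    return { uid: 'user-123', email: 'sample@example.invalid' };
  }
  throw new Error('Firebase ID token has invalid signature or has expired');
}

// API Gateway passes the Authorization header as event.authorizationToken for
// TOKEN authorizers. Accept only "Bearer <token>"; anything else is rejected.
function extractBearerToken(event) {
  const header = event && event.authorizationToken;
  if (typeof header !== 'string') return null;
  const match = /^Bearer\s+(\S+)$/i.exec(header.trim());
  return match ? match[1] : null;
}

// Build the policy document API Gateway expects. Resource is the methodArn of
// the invoked method, so a cached Allow cannot be reused for other routes.
// `context` values are forwarded to the backend as $context.authorizer.*.
function buildPolicy(principalId, effect, resource, context) {
  return {
    principalId,
    policyDocument: {
      Version: '2012-10-17',
      Statement: [{
        Action: 'execute-api:Invoke',
        Effect: effect,
        Resource: resource,
      }],
    },
    context: context || {},
  };
}

// Authorizer entry point. A missing or malformed header is answered with a
// thrown 'Unauthorized' error, which API Gateway maps to HTTP 401; a token
// that fails verification gets an explicit Deny policy (HTTP 403).
async function authorize(event, verifyIdToken) {
  const token = extractBearerToken(event);
  if (!token) {
    throw new Error('Unauthorized');
  }
  let decoded;
  try {
    decoded = await verifyIdToken(token);
  } catch (err) {
    return buildPolicy('anonymous', 'Deny', event.methodArn);
  }
  return buildPolicy(decoded.uid, 'Allow', event.methodArn, {
    uid: decoded.uid,
    email: decoded.email || '',
  });
}

// Constructed sample event in the shape API Gateway sends to a TOKEN authorizer.
const sampleEvent = {
  type: 'TOKEN',
  authorizationToken: 'Bearer constructed-valid-token',
  methodArn: 'arn:aws:execute-api:us-east-1:123456789012:abc123/dev/GET/items',
};

// Stand-alone run: prints an Allow policy for the sample event.
authorize(sampleEvent, fakeVerifyIdToken).then((policy) => {
  console.log(JSON.stringify(policy, null, 2));
});
```

In a real deployment the handler would be exported (for example `module.exports.handler = (event) => authorize(event, admin.auth().verifyIdToken.bind(admin.auth()))`) and referenced from serverless.yml; the Resource scoping and the Allow/Deny split are what keep a cached authorizer decision from leaking across methods or users.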

Serverless deployment

If you want a different name for your custom authorizer, change the name in the service property at the top of the serverless.yml file.

To deploy the custom authorizer to AWS, use the serverless deploy command, which assumes you have installed the npm serverless package, preferably globally.

$ serverless deploy

API Gateway configuration

Configure the API Gateway using the serverless.yml file for your API Lambda function (NOT the custom authorizer serverless.yml in this repository).

First, get the ARN of the custom authorizer from the AWS Lambda console. It is shown in the upper right corner of the configuration page for the custom authorizer.

Second, add the following line to any path/method where validation of authorization tokens is required:

authorizer: <your_custom_authorizer_ARN>

More information about setting up a custom authorizer is available in the serverless documentation.

Remember to redeploy your API Lambda function after adding the authorizer property so that the authorization settings are applied to the API Gateway.

Special thanks to the serverless team for putting together the example that was used as the basis for this custom authorizer.

Additional Information

For additional information and background on why I wrote this custom authorizer, as well as additional links and information, please refer to this article on my blog.

Contributions

Contributions, ideas, and bug reports are welcome. Please add issues for suggestions and bug reports, or create a pull request.