I’ve created a custom PHP API that at the moment is only hosted on my local machine as there is no authentication required to access it.
My front end is built in react with firebase as the user authentication system.
My question is, once a user has successfully logged in, how do I then enable my application to access my php API? Ideally I’m thinking that I would need the client to send a token that could be validated by the php API. Does that mean I should generate a jwt associated with a firebase user that can then be validated by my php API by cross-matching it with firebase on the backend?
I just want to check my thinking on this is correct or if there is another way anyone thinks might be more appropriate?
Advertisement
Answer
If you want to authorize your users to call your custom PHP API based on their identity in Firebase Authentication, you’ll indeed need to:
- Get the ID token for the user on the client.
- Pass that token from the client to the server, over a secure connection.
- Verify the ID token’s validity in your PHP code.
- Determine whether the user in the ID token is authorized to perform the operation.
The entire process is pretty well described in Firebase’s documentation on verifying ID tokens.