Search
Menu
Search
/
Sign in

Connect WorkOS Single Sign-On to Firebase

Add Single Sign-On (SSO) for all Identity Providers to your Firebase services with a single integration.

IntroductionLink

Single Sign-On is a frequent request from enterprise customers, and is not natively supported by Firebase. However, Firebase does natively support custom authentication flows using third-party authentication. This means that by adding a simple exchange of “tokens” to your business logic, you can use WorkOS SSO to access all of your Firebase resources.

What you’ll buildLink

A microservice that uses WorkOS SSO to authenticate your users for Firebase.

Before getting startedLink

To get the most out of this guide, you should:

1. Let’s start by setting up a microservice in your app.Link

You can set up your token exchange wherever your WorkOS /auth and /callback logic is defined. Here is an example of the simplest version:

  • Node.jsNode.js
  • GoGo
  • PythonPython

Callback Endpoint

Switch
Copy
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
const express = require("express");
const WorkOS = require("@workos-inc/node").default;

const app = express();
const port = process.env.SERVER_PORT;

/* WorkOS Logic */
const workos = new WorkOS(process.env.WORKOS_API_KEY);
const clientID = process.env.WORKOS_CLIENT_ID;
const domain = process.env.DOMAIN;
/* Your redirectURI should be your client */
const redirectURI = process.env.REDIRECT_URI;

app.get("/auth", (_req, res) => {
  const authorizationURL = workos.sso.getAuthorizationURL({
    clientID,
    domain,
    redirectURI,
  });
  res.redirect(authorizationURL);
});

app.get("/callback", async (req, res) => {
  const { code } = req.query;
  const { profile } = await workos.sso.getProfileAndToken({
    code,
    clientID,
  });
  res.redirect('/');
});

/* Start or export app */

2. Add the Firebase Admin SDK to your app.Link

Add the “firebase-admin” SDK to your project dependencies and import it into the module where you have defined your WorkOS integration logic. You will now use the results of your successful /callback GET request to generate a custom token in Firebase that you can then send to your client.

First, install the Firebase Admin SDK in the project directory:

Install Firebase Admin SDK

Switch
Copy
1
npm install firebase-admin 

Second, initialize your Firebase admin app. The simplest configuration will look like this:

Initialize Firebase Admin App

Switch
Copy
1
2
3
4
5
6
7
8
const express = require('express');
const WorkOS = require('@workos-inc/node').default;
const admin = require('firebase-admin');

...

/* Firebase logic */
const firebaseApp = admin.initializeApp();

3. Create a custom token via Firebase admin and send it to your Firebase clientLink

The logic for creating and sending a custom token to your client should live within your /callback logic, and will use the result of the getProfile method in the WorkOS API.

You will be using the .createCustomToken(uid) method from the Firebase Admin SDK, and we will be passing the user’s profile ID from our getProfile method in /callback.

Create Custom Token

Switch
Copy
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
app.get('/callback', async (req, res) => {
    const { code } = req.query;
  
    const profile = await workos.sso.getProfileAndToken({
      code,
      clientID,
    });
  
    try {
      const firebaseToken = await firebaseApp
        .auth()
        .createCustomToken(profile.id);
      res.send(firebaseToken);
    } catch (err) {
      console.log(err.message);
      res.status(500).send('Error minting token.');
    }
  });

4. Authenticate your users on the frontend with your custom tokenLink

Now that you’ve exchanged tokens, you can use the the Firebase SDK on your frontend to authenticate your users. For example, in JavaScript:

Client-side Token

Copy
1
await firebase.auth().signInWithCustomToken($firebaseToken);

You should now be able to use your Firebase integrations and resources without interruption.