Connect WorkOS Single Sign-On to Firebase
Add Single Sign-On (SSO) for all Identity Providers to your Firebase services with a single integration.
Introduction
Single Sign-On is a frequent request from enterprise customers, and is not natively supported by Firebase. However, Firebase does natively support custom authentication flows using third-party authentication. This means that by adding a simple exchange of “tokens” to your business logic, you can use WorkOS SSO to access all of your Firebase resources.
Before getting started
To get the most out of this guide, you should:
- Make sure you have added at least one SSO connection with a supported IdP in your WorkOS dashboard.
- Make sure you have a Firebase app. Depending on your configuration, you may need your serviceAccountID, which you can find on your Google Cloud console or in the client_email field of your downloaded Firebase JSON file.
- Make sure you are developing in Node, Go, Python, or .NET. (These are the languages that both WorkOS and the Firebase Admin SDK currently support.)
1. Let’s start by setting up a microservice in your app.
You can set up your token exchange wherever your WorkOS /auth and /callback logic is defined. Here is an example of the simplest version:
Callback Endpoint (Node.js)
```javascript
const express = require("express");
const WorkOS = require("@workos-inc/node").default;

const app = express();
const port = process.env.SERVER_PORT;

/* WorkOS Logic */
const workos = new WorkOS(process.env.WORKOS_API_KEY);
const clientID = process.env.WORKOS_CLIENT_ID;
const domain = process.env.DOMAIN;
/* Your redirectURI should be your client */
const redirectURI = process.env.REDIRECT_URI;

/* Send the user to the IdP through WorkOS */
app.get("/auth", (_req, res) => {
  const authorizationURL = workos.sso.getAuthorizationURL({
    clientID,
    domain,
    redirectURI,
  });
  res.redirect(authorizationURL);
});

/* WorkOS redirects back here with an authorization code */
app.get("/callback", async (req, res) => {
  const { code } = req.query;
  /* Exchange the code for the authenticated user's profile */
  const profile = await workos.sso.getProfile({
    code,
    clientID,
  });
  res.redirect('/');
});

/* Start or export app */
```
2. Add the Firebase Admin SDK to your app.
Add the “firebase-admin” SDK to your project dependencies and import it into the module where you have defined your WorkOS integration logic. You will now use the results of your successful /callback GET request to generate a custom token in Firebase that you can then send to your client.
First, install the Firebase Admin SDK in the project directory:
Install Firebase Admin SDK
```bash
npm install firebase-admin
```
Second, initialize your Firebase admin app. The simplest configuration will look like this:
Initialize Firebase Admin App
```javascript
const express = require("express");
const WorkOS = require("@workos-inc/node").default;
const admin = require("firebase-admin");

/* ... WorkOS logic from step 1 ... */

/* Firebase logic */
/* With no arguments, initializeApp() picks up credentials from the environment */
const firebaseApp = admin.initializeApp();
```
3. Create a custom token via Firebase admin and send it to your Firebase client
The logic for creating and sending a custom token to your client should live within your /callback logic, and will use the result of the getProfile method in the WorkOS API.
You will use the .createCustomToken(uid) method from the Firebase Admin SDK, passing it the user’s profile ID returned by the getProfile method in /callback.
Create Custom Token
```javascript
app.get("/callback", async (req, res) => {
  const { code } = req.query;
  /* Exchange the authorization code for the user's WorkOS profile */
  const profile = await workos.sso.getProfile({
    code,
    clientID,
  });

  try {
    /* The WorkOS profile ID becomes the Firebase uid */
    const firebaseToken = await firebaseApp
      .auth()
      .createCustomToken(profile.id);
    res.send(firebaseToken);
  } catch (err) {
    /* Log the detail server-side; return only a generic message */
    console.log(err.message);
    res.status(500).send("Error minting token.");
  }
});
```
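The same exchange with every failure path mapped to a response, as an added example that is not part of the original guide or of either SDK. The function name `exchangeCodeForFirebaseToken`, the injected `getProfile` and `createCustomToken` wrappers, the 400/401/502 status choices and the stub values are assumptions made for illustration.

```javascript
// Added example: step 3 as a plain function, so a failed code exchange or a
// malformed query returns an HTTP status instead of an unhandled rejection.
// `getProfile` and `createCustomToken` are injected (hypothetical wrappers);
// in the app they would call workos.sso.getProfile({ code, clientID }) and
// firebaseApp.auth().createCustomToken(uid).
const MAX_UID_LENGTH = 128; // Firebase uids are non-empty strings of at most 128 chars

async function exchangeCodeForFirebaseToken(code, { getProfile, createCustomToken }) {
  // Express parses ?code=a&code=b as an array and ?code[x]=1 as an object.
  if (typeof code !== "string" || code.length === 0) {
    return { status: 400, body: "Missing or malformed code." };
  }

  let profile;
  try {
    profile = await getProfile(code);
  } catch (err) {
    // A rejected code ends here; keep the detail in server logs only.
    console.error("SSO code exchange failed:", err.message);
    return { status: 401, body: "SSO authentication failed." };
  }

  // Never mint a token for a uid that is missing or not a valid Firebase uid.
  const uid = profile && profile.id;
  if (typeof uid !== "string" || uid.length === 0 || uid.length > MAX_UID_LENGTH) {
    return { status: 502, body: "Unexpected profile from identity provider." };
  }

  try {
    return { status: 200, body: await createCustomToken(uid) };
  } catch (err) {
    console.error("Custom token minting failed:", err.message);
    return { status: 500, body: "Error minting token." };
  }
}

// Constructed stand-ins for the two SDK calls, so the example runs offline.
const stubDeps = {
  getProfile: async (code) => {
    if (code !== "valid-code") throw new Error("invalid_grant");
    return { id: "prof_example123" };
  },
  createCustomToken: async (uid) => `custom-token-for-${uid}`,
};

exchangeCodeForFirebaseToken("valid-code", stubDeps).then((r) => console.log(r));
```

Inside the /callback route, pass `req.query.code` and the real SDK wrappers, then respond with `res.status(result.status).send(result.body)`.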
4. Authenticate your users on the frontend with your custom token
Now that you’ve exchanged tokens, you can use the Firebase SDK on your frontend to authenticate your users. For example, in JavaScript:
Client-side Token
```javascript
await firebase.auth().signInWithCustomToken($firebaseToken);
```
You should now be able to use your Firebase integrations and resources without interruption.