Firebase Fundamentals Auth Q&A
Transcript from the "Auth Q&A" Lesson
>> I got a question about anonymous auth and kind of, so my understanding, really with apps in the Apple ecosystem, right? Usually you have to, one of the requirements I believe is-
>> The app has to work without signing in, right?
>> So they don't just download an app and then it does nothing, right?
[00:00:18] So yeah, what's that look like, I guess, anonymous login and then to iCloud or Google?
>> Yeah, no, you're 100% right, this is actually one of my favorite features of anonymous auth. And I did a talk in the past on this one. So let's say you have an iOS app and we also have a feature called Dynamic Links that allow you to link out to deep link someone into an app.
[00:00:40] So if someone's like check out this recipe in your recipe app and they tap on it. No one likes tapping the link and then it pops up and it's like login, and you're like I just wanted to read the recipe. So what you can do is you can do a deep link.
[00:00:54] And then instead of logging in, you can say this user doesn't have an account, let's log them in anonymously. And so they get access to these pages and everything, but they're not a long term user of this application. And then if they're clicking around and they're like, I wish I could save recipes, I wish I could do that.
[00:01:13] You can say, great, upgrade to full account with us, and then you do the account linking. So it does allow you to write your whole app as if it is only allows for authentication. But when someone comes in who you want to use as a guest or just not have to create a profile, anonymous auth is the way to go.
[00:01:33] And then any state that they save, they can still persist that UID onto a full time account. So it's a really nice upgrade and without having to put a big wall in front of them. So yeah, you're 100% right. All right, your question.
>> Yeah, to implement a custom auth provider is there any specification you have to follow or is it OAuth or can you say more about that?
>> Yeah, so like custom auth involved some server code, cuz we have to connect out to your server. It's the most involved, I would say, of all the setups. But basically we need to know some things about how to make sure that when users are coming in from your back-end that were minting, we're able to verify and mint things properly.
[00:02:16] But then at that point, they are using Firebase Authentication, but they're still a part of your account system. We're just using them as a token generator, basically, so you can be secure with other Firebase services, which we're about to dive into.
>> So would you send like an email and password to our token service, get token back, similarly?
>> Depending on how your auth system works. So your auth system very well could be an email and password-based one, you'll have to create sort of like a custom credential. But you also could have a OAuth system that could be, or also we supply a lot of OAuth providers, but we don't provide many more.
[00:02:59] And so I don't think you can log in with Instagram or LinkedIn, I don't believe those are there. But in those cases you can use custom auth to log in with those. And so custom auth's very flexible. So it depends on what provider you're using, however it goes.
[00:03:17] Yeah, you just kinda link it up together, it's kind of hard to say off the top of my head, it's kind of this mult-step process. But it's not too intensive and there's a ton of documentation on how to do it. All right.
>> I liked your comment about custom auth versus going all in, I don't know if you can talk to that-
>> Yeah, so someone asked when you would do something like Firebase Authentication or when you should do your own. I would just always say that authentication is very important, it's super important to get right. So no matter what you do, you just go all in on whatever approach you want to do.
[00:03:51] So if you want to use something like a third party tool, like Firebase Authentication to manage your users, that's great. We care deeply about security and all the tooling we have around that. But if you do your own, then also do the same, care deeply about it and do that.
[00:04:09] Just I would say that don't go into the mindset of your app saying like, well, let's kinda start rolling our own authentication. And then if it doesn't go well, then maybe we'll go use a provider. That ends up being more trouble than it's worth. So I find that you either feel really good and secure about your own solution or you go into a solution that is tried and true.