Sign in Subscribe
Firebase

Using Firebase Auth claims with Swift, Kotlin and JavaScript

Rob Kerr

3 min read

Firebase Authentication supports built-in and custom user claims that allow us to conditionally expose functionality to users based on authorization groups. This post demonstrates the syntax to add custom claims in a Firebase backend, and read claims from mobile apps.

What are Claims?

In identity systems, a "Claim" is is a piece of metadata about a user's identity.  They are a lot like a "Tag", in that claims are usually an array of strings attached to a user's account.  What they mean is up to implementation--they could signal anything.

Usually, though, a claim is used to authorize a user to some specific functionality within the application.  For example, a user claim could be "administrator", and an application could check if a user has the "administrator" claim before allowing that user to access an admin section of a navigation system.

Firebase Claims

Like many identity systems, Firebase has some claims built-in, and allows application developers to add custom claims to the user's identity (i.e. profile). Firebase has a limit of 1000 bytes for custom claim storage, so custom claims isn't intended as a repository for a full user profile -- Firebase Cloud Firestore is a better place to store extensive user metadata.

Claims can be added via the Firebase admin SDK, and can be read by any of the client SDKs. Below are code examples for Swift, Kotlin and JavaScript.

Adding a Custom Claim

How can you add a custom claim that applications or cloud functions can read?  I typically use a Firebase cloud function, which encapsulates this security operation on the backend side, allowing the function to use the Firebase Admin SDK.

// Call this function POST function with payload { email: 'user@company.com'} while signed in to a Firebase Auth account
exports.addSysAdmin = functions.https.onCall(async (data, context) => {
  // Only current administrators can create new administrators
  if (context.auth.token.administrator == false) {
    throw new functions.https.HttpsError('permission-denied', 'Must be an admin to use this endpoint')
  }

  const email = data.email;
  const user = await admin.auth().getUserByEmail(email)

  if (user == null) {
    throw new functions.https.HttpsError('invalid-argument', `No user associated with email ${email}`);
  }

  const customClaims = user.customClaims || {}
  customClaims.administrator = true
  admin.auth().setCustomUserClaims(user.uid, customClaims)

  return {
    success: true,
    claims: customClaims,
    message: null
  } 
})

Using Custom Claims in Applications

Once custom claims have been added to user accounts, applications can easily read claims to check whether users have access to some set of functionality.  Below are examples in Swift, Kotlin and JavaScript. In these examples we use the claim "administrator" to authorize users to some administrator functionality within an application.

Swift

To fetch a user's claims on the client in Swift, the user must first be authenticated.  Once authenticated the claims can be fetched asynchronously.

// Service function
func isUserAdministrator() async -> Result<Bool, String> {
    // Check if the user is authenticated.
    guard let user = Auth.auth().currentUser else {
        return .failure("Not signed in")
    }

    do {
        let tokenResult = try await user.getIDTokenResult()
        let claims = tokenResult.claims
        let isAdmin = claims["administrator"] as? Bool ?? false
        return .success(isAdmin) 
    } catch (let error) {
      return .failure(error.localizedDescription)
    }
}

To call the service function:

switch result {
  let result = await isUserAdministrator()
  
  switch result {
    case .success(let isAdmin):
      print("User is an administrator? \(isAdmin)")
    case .failure(let error):
      print("Error checking claims", error)
  }
}

Kotlin

Kotlin syntax to check the claim is similar:

sealed class Result<out Success, out Failure>
data class Success<out Success>(val value: Success) : Result<Success, Nothing>()
data class Failure<out Failure>(val reason: Failure) : Result<Nothing, Failure>()

suspend fun isUserAdministrator() : Result<Boolean, Exception> {
  return try {
    val currentUser = auth.currentUser ?: throw Exception("Not signed in")

    val tokenResult = currentUser.getIdToken(false).await()
    val claims = tokenResult.claims
    val isAdmin = claims["administrator"] as Boolean? ?: false
    Success(isAdmin)
  } catch (e: Exception) {
    Failure(e)
  }
}

To call the service function:

when (val result = isUserAdministrator()) {
    is Success -> print("User is an administrator? ${result.value}")
    is Failure -> print(result.reason.localizedMessage)
}

JavaScript

To evaluate whether a user calling a Firebase cloud function is an administrator, use the context object. Since this is a backend function, we'll throw an HTTP error if the user isn't authorized.

exports.somePriviligedFunction = functions.https.onCall(async (data, context) => {
  if (context.auth.token.administrator == false) {
    	throw new functions.https.HttpsError('permission-denied', 'Must be an admin to use this endpoint)
  }
  // Continue to execute the functionality protected by the "administrator" claim
}

Sign up for more like this.

Enter your email
Subscribe