It would be easier to manage user roles using claims if the firebase console had a page that allowed the admin to set claims for individual users. Role-based security is one of the most common tasks that administrators have to deal with and having to write code to support it doesn't make for a great user experience.

Is there a particular reason why managing custom claims is not a feature available in the Firebase Console? It just feels odd having to use the Admin SDK just to be able to do so

I think firebase security is by far the most difficult part about using firebase and Firestore. It’s too bad considering everything else about firebase is such a pleasure to use.

Thanks Jen, you've just confirmed I'm doing this correctly in my app (customer claims applied by a cloud function)! Also great to know the reads from Firestore rules are including in the quotas. I wish I'd had this video 2 months ago, would've made my life a little easier when implementing. Great content and a great product, thanks!

Something I was looking for over an year now! Good Job!

I was developing an app requiring the exact feature in 2017. Was searching internet like a mad man, i couldn't find a thing. At the end i thought it must be something to do with the server side rules, but i couldn't just figure it out That app went to stub that time due to various other reasons, but i guess i will visit it again :) Thankyou for such an awesome explaination!!

This is very awesome! Can't wait to use Custom Claims another reason why I love Firebase!

This video is 2 years old but this helps me a lot .... Thank you....

It's nice to see that this feature is getting more attention

Each and every word Jen(pardon if i got her name wrong) said is useful for understanding custom claims.

Ok... First, thanks a lot for the video. Custom claims will surely prove to be useful in many cases. But I have some question to get some clarifications on the concept: 1- If a user has logged in and you add/remove a custom claim they won't have it on their claim until the next time the token is issued. 2- Each client SDK has a method to "refresh" the firebase token, this can be used wherever appropriate. Questions for 1 & 2: Does refreshing a token(2) has the same effect as re-issuing the token(1)? Looking at your annotation sequence I get the impression that it has the same effect. 3- Firestore, real-time database and cloud storage update permissions based on changes to users' uid, not the refresh token. Even if you refresh the token, security rules will not reflect changes in access. User needs to sign out and sign in again so that firebase products look at the permissions of the latest token. Question for 3: Are the custom claims cached somewhere on these products and these claims are only fetched whenever a user logouts and logs back in? In this case, the only proper way to securely reflect the changes in the claims is to kick the user out, correct? By updating "permissions" you mean "custom claims" right? When I refresh a token, I get the new claims on the client but I can't reflect the changes on the server side for firebase, firestore, storage. This implies custom claim records are not read from the place they are stored by these products, instead they are cached somewhere and this cache needs to be updated by a sign-out, right? This part is a little foggy as far as this video is concerned. Cheers

Thanks for this video, I've been doing things wrong this whole time

I think firebase authentication itself could be more... customizable and user-friendly, allowing developers to add custom user profile properties and set different user groups more easily, without setting up an additional collection for users in Firestore or asking for help from Admin SDK.

Really useful and well expained

We have other solutions for stuff like this.. But this just saved us of writing & planning tons of code! Thanks!!

Love this video 🔥

This firecast was so frickin useful!

Thank you , great information and video

Great video!!! Awesome Firebase!!!!!!

The video i have been expecting ❤️

This is súper useful, thanks.

wonderful, just what I need

It'd be nice if I could view and edit claims from Firebase Console. Having a Cloud Function is great, but when developing, it's much easier to test using the Firebase Console then configure in a function once I have a good understanding of how I might use claims, how I'd define roles, etc.

Thanks there.

The code provided requires one to already have a Custom Claim role to add a Custom Claim role... nice.

It's amazing!

great thank you

so you can set and update a custom claim, but how do you remove/delete it? you never discussed revoking permissions!

I love your voice, very good tutorial thanks

Merci Pam Beesly !

Is there an updated version of this guide anywhere? I'm assuming a lot has changed in 4+ years.

Will this be a good option to check if the user is accessing the database from App and not accessing it directly, so that I can write security rules to allow access only from the App?

"Relying solely on client-side use of custom claims is not secure" Noted.

Great video, thanks a lot. Can we use this feature to allow a user to have 2 separate accounts with different roles using her/his same Email & mobile phone number in the 2 accounts while differentiate them using another attribute like user type: e.g. Seller or Buyer?

Failed to resolve: firebase-auth-15.0.0 Open File

How could I structure my Rules in a given situation: I have registered users under a USER ref that has "Display_name, email, age, has_Paid". He has read & write permissions to his User node. BUT has_paid should only be allowed to be edited by my Firebase CloudFunctions Script. He should not be able to write or edit "has_paid".... how to do this?

This is very good stuff. I use React Loadable to conditionally load restricted app logic. It would be so great if there was a way in firebase hosting to apply security rules to individual named chunks of app code.

Is there a way to create an admin panel in Firebase for a React Native app? If there is, how would I go about creating it?

Amazing video! , but I don't understand why it's still not possible to view and update custom claims from the firebase admin panel, it'll totally make sense #AskFirebase

Why are there no Firebase Docs in Typescript ? How do I refer my Typescript codes? :(

Damn that's really cool. Too bad I just hear about it now :'D

Could you explain in more detail what makes it a "bad experience" for end users if developers add a bunch of claims to their auth token? Would the example you showed with address and a few other details really impact the delivery speed in any noticeable way?

Hy.. i have a problem in my firebase databaae.. when wifi disconnect firbaae also diaconnect and not connect even after wifi on. Can u help me?

Wait, i'm not sure if I understood the last point correctly, but if e.g. Firestore permission are updated only when the user logs in and out again, couldn't this be used maliciously? For example, if a moderator at the example page now edits movies with wrong intentions and get's his role revoked(so he get's the claim removed), then it's on the client side to log him out, so that the permissions actually change?? Isn't this very insecure, as e.g. the moderator could just delete the code to be logged out and still have all the write access?

Greetings, please could you be so amble to make a video. Where certain roles are allowed to do a number of writes per month

#AskFirebase Hi Jen, w.r.t custom claims, the security rule at the server side relies on claim value that is sent by the client as opposed to the model of the server verifying the claim made by the client for every request. And as a counter measure, we do the token refresh at the client side when the claim value changes or wait for an hour. This looks ok on an assumption that the token available with the client SDKs cannot be compromised. But does this model guarantee security.? Thanks for your time!

where/ what files do we put those rules in?

The complexity of the security roles is the biggest disadvantage of firebase, but it is learnable. Other hand it would be nice if we can be able to control the response fields. In case of if i'm a moderator, than i want to see the costumer's billing data, but I don't want to make it visible for the non moderator users. It is not so a security role, its more than an response modifier.

I have a simple case, that in my firebase database I have 100 messages come from 5 different users, only the user who wrote the message will be able to delete it, and other 4 only can read it. I use firebase, can you give me some hint how to do it ? I read document many times only some basic stuff. auth != nil which is not enough, and firebase keeps warning me. please help , thanks.

How would you go about groups? User is admin of one group and a member of another. So you could have 100+ groups. User might be part of 20 of them.

Hey folks, I was having trouble finding the links that Jen mentioned in this video, they weren't included in the Description. For anyone else that's looking for them, here's a Medium post that Jen provided with the exact links. medium.com/google-developers/controlling-data-access-using-firebase-auth-custom-claims-88b3c2c9352a

How does the very first moderator aquire the `moderator` role?? how to "seed" user in the auth that have pre-installed `moderator` custom claim?

sorry for this stupid question, but how do you call that grantModeratorRole from the client (in my case I am using flutter) when it is not a callable function? should I write another callable function? I am a total noob on cloud functions..

Hi Jen, great video! What is implied by a secure environment? If I intend to host the code on Firebase hosting, is that secure? Thanks.

The fireflicks repository is not working and there are no other codelab or reference to use custom claims 😕 (while npm installation it gives errors)

Codelab is missing and I don't know why they didn't show how to setup the Admin SDK as part of this....

how do i call the grand operator function in react

Maybe I didn't understood something but when we only allow admins to promote users to admins, how do I get the first user to become an admin? As far as I know there is no way to give custom claims to a user from the console...

In the past, I have used firebase.auth in the web client and once a user creates another user, I link certain security logic: Once the user has been created I send an email to verify your email with the function user.sendEmailVerification (). As the user was created by another user, I assign a default password and use the sendPasswordResetEmail () function so that the user registers his new password. That has worked well for me so far, but now for many reasons I need to move that logic to my server, for that I'm developing a backend with cloud functions and I'm using the Node.js Firebase Admin SDK version 6.4.0, but I can not find a way to use the functions of user.sendEmailVerification() and sendPasswordResetEmail() to implement the same logic on the server, the closest thing I found was: auth.generateEmailVerificationLink (email) auth.generatePasswordResetLink (email) But it only generates a link for each one, which by the way the only emailVerification() serves me, the one from generatePasswordReset always tells me: Try resetting your password again Your request to reset your password has expired or the link has already been used. Even though be a new link, and it has not been used. My 3 questions would be: How can I make the sendEmailVerification () and sendPasswordResetEmail () functions work on the server? How can I make the link generated with auth.generatePasswordResetLink (email) work correctly on the server? Is there any way to use templates and emails on the server that are in firebase auth? #AskFirebase Thank you in advance for sharing your experience with me, with all the programmers' community of firebase.

The Codelab link is broken, anybody knows where I can find it?

I was wondering it would be advised to change custom claims based on some context (i.e. they are on a certain document or collection )? This would be for cases where one could be a moderator for certain chat rooms but not all chat rooms ( it gets more tricky if moderator is not a statically defined ) What I was thinking would map to something like this: - When a person enters a room (room 101) then it will automatically update all it's claims on "room actions" it can perform i.e. { canBootUserFromRoom101 : true, canReadMessagesForRoom101 : true } - If the person leaves the room and enters another room then it will update claims again so that it can do things like i.e. { canBootUserFromRoom102 : false, canWriteMessagesToRoom102 : true } etc. The biggest reason for this is if there is something shared link between FireStore and Storage ( like room images / videos ) the rule under Storage can not access things in FireStore.

Nice explanation, unfortunately this doesn't solve the problem of allowing a non-technical admin(with no knowledge of firebase rules) set and update rules for different users. This will make more sense if there is a way to update the rules with a friendly UI for a non-technical admin.

07:03 am I understanding correctly that the test/ decision if im allowed to add a moderator is again IN THE FRONTEND ? Everything that is decided in the frontend can be hacked ????

Suggestion.. use a type of Email not a string... just helps with readability. export type Email = string;

Is there any alternative for custom claims?

Thats great and seems quite simple! I will defenitly check that out. However one question: Is it possible for someone to "fake" an auth token? This way someone could fake being an admin and promote his real account to an admin...

Can we changes id tokens dynamically for like social network where access to user database changes based on the users friendship status.....

Noobish question here: since firebase is considered 'server-less'. meaning that it could practically work without developing a separate back-end server as Firebase could directly work within the mobile app code for example. Is it viable to set custom claims within the code of the mobile app as it is considered server-less ?

How about setting up the first admin in the custom claim? I mean If i need to be admin to setup first admin how can i setup the first one? (I mean I could disable the app and do it first without the onCall security check but is there another solutions ?) Also please when making this kind of course, why always showing firestore code? I mean there also RTDB user, please add both codes.

How do you do 5:47 - 5:51 ???????????????

Wait, am I supposed to Use Firebase Security Rules? 10:55 Will do! :P

Hi, I have a query. I would like to create a model in which, A school will have multiple teachers and those teachers will have multiple students and students will have multiple courses details. What will be the optimized model for this scenario for cost efficient firebase CRUD. Thanks in advance, really need solution for that.

how to solve this type ofauth problam ( implementation 'com.google.firebase:firebase-auth:16.0.1:15.0.0' )

Can custom claim be other that boolean ? for Example: allow read, write: if(request.auth.token.level < 11); anybody...

AUUUUGGHHHHH! USE FIREBASE SECURITY RULES!

❤️ RBG! 😎

@AskFirebase Logical OR in queries and GEO queries when?

Is it possible to add console control to Firebase security for easier control, and developer can check exactly which collection of user has access authority to any data on console #AskFirebase

As always firebase, this is a great video. I have a requirement where i would like a user role/firebase custom claim to be set at the time of registration, this will depend on the client app the user is registered on, e.g in the teachers app i would like all the registered users though this app to have the teacher role/claim and likewise in the students app all users to have the student role/claim. what would be the best approach to do this?

RBG Rocks!!

thanks, AAUUUUGGGHHH!!!!!!!!

Can I set object to key like {"moderator": {rank: 3}}

Is there one for android?

first thank you for this video , how can implement that with dart

Is this project is outdated? Will it work at firebase v9?

pueden realizar un ejemplo con unity

@5:41 since JS on client side, isn't that risky! anyone could manipulate the DOM and send whatever custom claims they want!!

Why not using the same parameter names for all the architectures? Why should I memories the name on swift & android & web!!!!!

If I'm gonna have to write code for this why am I not just writing my own Node Express backend.

I like firebase a lot. It has majored a lot over the last two years, most things are well documented, and you get an overall coherent experience as a developer. However, what's still way to time consuming and to tricky to scale are security rules. This area is lacking behind all other areas in terms of usability and the ability to scale a codebase. Maybe some kind of metalanguage is needed so to create an abstraction that can bring more speed and better scalability...

I am not able to get started with firebase storage, it is failing to create initial default bucket it is saying some unknown error, and refresh it and try again.

This all seems so hackish tho... Why not just return a token which I can save in the localstorage and verify by firebase on every route... Could be so easy and serverless.

👍🏻

I have an Admin authentication problem Any One From Firebase Team has Solution i want to make App for Admin And Client how to do this thing in flutter Anyone Know How to Do this things...

FIREBASE!!!!!

who was able to actually implement this

This is so hard to understand...

Kotlin??

Hi i would like to ask if it is possible to add custom Claims like that: { roles:["ROLE_A","ROLE_B"] } And at the same time write correct realtime databse security rules like : ".read": "auth.token.roles.contains('ROLE_A') Thanks if someone will answer

Has this changed? It used to work 3 years ago but now it doesn't ?? I have assigned an admin but request.auth.token.admin == true gives me Insufficient permission error