(NextJS) Help connecting Auth0 users to Firebase Auth in order to facilitate Security Rules

Please include the following information in your post:

  • Which SDK this is regarding: e.g. ‘@auth0/nextjs-auth0’
  • SDK Version: ^1.7.0
  • Platform Version: Node 8.1.2
  • Code Snippets/Error Messages/Supporting Details/Screenshots:

Hi! Thanks in advance,

I’m working on a NextJS app that uses Auth0, and Firebase (Firestore) on the backend. I mistakenly assumed I could write Firestore Security Rules relying on users’ Auth0 tokens, but it seems that I am required to use Firebase Auth in order to do so. With this issue in mind, I’m considering a few paths forward to enable Firebase Auth in addition to my existing Auth0 integration:

  1. I could use an Action (or a rule/hook) that triggers on Login and Logout to immediately log the user in or out of Firebase Auth as well. It does feel inefficient to fully integrate two separate auth solutions… I use Auth0’s JWT already within the app, but I need to use a Firebase Auth JWT to secure the database. I apologize if this is a naive question, but can a client have two different JWT’s at the same time?

  2. I think this solution seems more logical: I could (somehow) generate a Firebase Auth token from my Auth0 JWT, but I seem to not be able to execute express/middleware in a NextJS application. I did find the following code snippet on these forums, but I’m not quite sure where I would implement this function in my code, and how I would get the new token back to the client. I’m just a hobbyist, so my knowledge of the inner workings of auth is limited – hence my turn to Auth0 for the drop-in solution! Would it be enough to add a similar function to my Action that executes on Login? Could my client access both their Auth0 token as well as their new Firebase custom token?

app.get('/auth/firebase', jwtCheck, (req, res) => {
    // Create UID from authenticated Auth0 user
    const uid = req.user.sub;
    // Mint token using Firebase Admin SDK
    firebaseAdmin.auth().createCustomToken(uid)
      .then(customToken => 
        // Response must be an object or Firebase errors
        res.json({firebaseToken: customToken})
      )
      .catch(err => 
        res.status(500).send({
          message: 'Something went wrong acquiring a Firebase token.',
          error: err
        })
      );
  });
  1. I could forego Auth0 entirely, and rewrite the app using only Firebase Auth.

Do any of these methods, or some yet-unseen alternative path, sound viable? If so, I’d love to discuss how best to proceed. I’m really excited to find a way to get Firebase Auth working so I can ship my app with Security Rules. Thank you!