As per documentation I've seen, it appears it's not recommended to authenticate API calls coming from a mobile, using a user idToken. For such cases, accessToken is more suitable.
(Source : ID Tokens should never be used to obtain direct access to APIs )
However, in my architecture, I have:
Database
Firebase to authenticate users
Mobile App
And sets of Cloud Functions, which act as my API
So I'm ok to do on the front/mobile side:
Using the refreshToken to generate an accessToken (from firebase auth)
Call the Cloud Functions using this accessToken
However, I do not find anything, to validate the accessToken server side (I only find how to validate idToken ).
How is it supposed to work in an ideal world?
Thanks
Using idToken to authenticate my users (mobile App) on my API, but I would like to follow all best practices.
As per documentation I've seen, it appears it's not recommended to authenticate API calls coming from a mobile, using a user idToken.
When you're using Firebase Authentication, you aren't using those so-called "access tokens". Firebase doesn't have such a concept. You are just using "ID tokens" which are needed so the calls that you perform can be verified on the Firebase backend. For more info, please check the link below"