I am creating an Android native app and I am using Firebase Auth with multiple auth provides such as; Email, Facebook, Google etc, I will use the Firebase SDK for chat and real-time DB.

I have a RESTful API with a MySQL (similar to Facebook with; friends, private and public posts), a user database behind a PHP server and I would like to synchronize the Auth so that I can ensure that the user is correct and has a authority to access data for which they have permissions. I am able to edit and change my database so I can adapt it to suggestions here.

(I originally thought I might need something like OAuth however I no longer think that is necessary)

After much research, I think that I need to securely communicate the users email and the Firebase Auth token to the MySQL whilst keeping details in sync? It seems like this would be something that would be quite common but I haven't been able to find a definitive answer.

(If the above statement is true)

My questions are:

• Is the email and Auth token all that is required to Auth a user via the server
• Should the Auth token get sent to Firebase SDK using the PHP SDK
• How should credentials be stored in the MySQL DB with regards to security
• How does the Auth token expire and/or become refreshed
• How should information be sent securely from the Android client to the MySQL database
• What is the correct procedure and strategy for updating Auth tokens
• What is the correct sync strategy for Auth details, such as email address and tokens between client and server
• Am I even on the right track :)

I'm new to most Auth concepts.

Best regards

1. Is the email and Auth token all that is required to Auth a user via the server: you just need the Auth ID token. You can get the email from that. You need to verify the ID token each time it is sent to your server. Check https://firebase.google.com/docs/auth/admin/verify-id-tokens#verify_id_tokens_using_a_third-party_jwt_library

2. Should the Auth token get sent to Firebase SDK using the PHP SDK: It is the other way round. The ID token is on the client side, you call getIdToken and then send it to your backend server.

3. How should credentials be stored in the MySQL DB with regards to security: You don't need to store credentials in your DB. you can store session information, but the credentials are generated and refreshed on the client.

4. How does the Auth token expire and/or become refreshed: Calling user.getIdToken will always return a fresh token. If the token is not expired, the cached one is returned. If expired, it will be refreshed and new one returned. You will need to call this each time you an authenticated user is sending some request.
5. How should information be sent securely from the Android client to the MySQL database: You should always send it with the user's ID token. Make sure you use https protocol. Always verify the ID token on your server.
6. What is the correct procedure and strategy for updating Auth tokens: use user.getIdToken()
7. What is the correct sync strategy for Auth details, such as email address and tokens between client and server: Tokens don't need to be stored on your server. You can trust the email in the token. It is possible a user's email is updated on the client side. When that happens, the token email should be updated too.