PETER FRIESE: Who
are you, and are you
actually who you claim to be?
That's the basic question
every authentication
system needs to answer.
Welcome to another
episode of "Firecasts"
in which we will talk
about authentication
and how to make implementing
sign-in with Apple
easier by using Firebase.
[MUSIC PLAYING]
Knowing who your
users can be more
or less important to your app.
For a camera app that stores
photos in your local camera
roll, probably not
that important.
Storing notes on
a note-taking app
that your users want to
use on their other devices,
definitely useful to have
some sort of identification
so they can sign in
on their other devices
to access their data.
Sharing data between
multiple users
with various levels
of access, you're
going to need a
solid authentication
and authorization
system, for sure.
Implementing authentication
and authorization
has always been a
challenging task,
and it's easy to make mistakes.
Not only that, but
it consumes time
that you'd probably rather
spend on implementing
the key functionality
of your app.
[NOTE SOUNDS]
Thankfully, Firebase provides
a powerful and easy-to-use
authentication solution
that is integrated
with many of Firebase's
other products,
such as the Realtime Database,
Cloud Firestore, Cloud
Functions, and others.
Firebase Authentication
is a drop-in solution
that you can easily integrate
with your iOS, Android, and web
applications.
It supports a number of ways
for users to sign into your app,
such as password authentication,
Facebook login, Google sign-In,
Sign in with Apple, and more.
Thanks to Firebase's support
for Sign In with Apple,
it is now easier than ever to
build iOS applications that
allow their users to sign in
with a simple biometric check,
all without having to
care about passwords.
And thanks to mandatory
two-factor authentication,
this is super secure as well.
[NOTES SOUND]
Today, I want to
show you two ways
to implement Sign In with
Apple using Firebase.
The first one is
super quick, and we'll
get you started in literally
less than five minutes.
The second one is a little
bit more complicated
but provides a lot
more flexibility.
At the end of this
video, I'm going
to show you a
couple of use cases
that you can implement once
your user has signed in.
So make sure to stick
around till the end.
[NOTES PLAY]
Firebase UI is an
open source library
that is available on iOS,
Android, and the web.
It is built by the Firebase team
and addresses many common use
cases that developers encounter.
For example, it simplifies
Firebase authentication
by providing pre-built
UIs for all authentication
providers that are supported
by Firebase authentication.
Thanks to Firebase
UI, you can implement
Sign In with Apple
in just a few steps.
So let's have a look.
To get us started, I've
already created a simple UIKit
application that just
displays a simple button which
says, Log In.
I then created a
Firebase project,
registered my iOS app with it,
downloaded the Google Services
Input [INAUDIBLE]
configuration file,
dragged it into
my Xcode project,
installed the Firebase
SDK using CocoaPods,
and call firebaseapp.configure
in my application target.
No idea what I'm talking about?
Watch this setup video
first, and then come back.
[NOTE SOUNDS]
So when using Firebase UI,
implementing Sign In with Apple
becomes a three-step process.
Step 1.
[NOTES SOUND]
To use Sign In with Apple
in your Firebase project,
you will first need
to activate it.
In the Firebase console
for your project,
enable Sign In with Apple in
the Authentication section.
Back in Xcode, add the Sign
In with Apple capability
on the Capabilities page
in the Target Settings.
And finally, add the Firebase
Authentication SDK to your app
by installing the
Firebase UI pod.
Step 2, in our app, we've got
this nice little button here
on our UI.
We want to trigger
the login process
when the user taps this button.
To do that, let's first
create an action handler
by right-clicking on
the button and dragging
to our ViewController.
Next, we need to instantiate
Firebase UI as a default
authentication UI.
Firebase UI supports
multiple sign-in providers
at the same time, but
we just want to use Sign
in with Apple for now.
So let's create an array
that contains only this one
provider.
We set a delegate
to self, which means
we'll need to implement the
didSignInWith authDataResult
method, which we'll
do in a minute.
Finally, we retrieve
the auth controller
and present it orderly.
Step 3, now let's implement the
didSignInWith authDataResult
callback.
This callback has
two parameters,
one with the result of the
authentication process,
and another one in case
something went wrong.
We can extract the signed-in
user from the auth data result,
and then print their
user ID and other data,
such as the display name
or their email address,
in case they decided to
share this with our app.
You're now ready to
run the application
and sign in with Apple.
Well, this wasn't
too bad after all.
And the great thing
about Firebase UI
is that it makes it
so easy to support
additional authentication
mechanisms.
Adding a new
authentication method
is a matter of
just a few minutes
and requires almost no
coding, as Firebase UI does
all the heavy lifting for you.
Check out the documentation
at this URL to learn more.
[NOTES SOUND]
So at the beginning
of this video,
I promise you to show you
another way to implement Sign
In with Apple, which
begs the question,
why would you even
do this, especially
since Firebase UI makes our
life so much easier already?
Well, firstly,
implementing this yourself
gives you slightly
more flexibility.
Also, it's always
good to understand
how things work under the hood.
Plus, it's a lot of fun.
So let's dive in.
[NOTES SOUND]
So just like for
the first example,
I've created a single
view application
and connected it to the
same Firebase project.
Sign In with Apple is already
enabled for the Firebase
project, so we can
go straight to Xcode
and add the Sign In with
Apple capability to our app.
And finally, install the
Firebase authentication SDK
by adding the Firebase
auth pod to the pod file
and running pod install.
While this is, running
in the background,
we can continue and build a
Sign In screen with the Sign
In with Apple button on it.
To do so, I am going to import
the Authentication Services
module and then instantiate
ASAuthorizationAppleIDButton
as soon as the view appears.
When the user taps
on the Login button,
we want to display a
sign-in screen with the Sign
In With Apple button on it.
So let me quickly
create an Action Handler
for this and a method to
start the sign-in process.
Then, let's connect the
handler method to the button.
With this basic
plumbing in place,
we can now create an
authorization request.
Let's first create
a helper method
to keep our code nice and tidy.
In the method, we first ask the
Apple ID authorization provider
to create a new request for us.
By specifying the email
and full name scopes,
we tell the API that we're
interested in these pieces
of information about the user.
I like to point out that
Apple encourages developers
to limit the scope
as much as possible
in the interest of
the user's privacy.
So keep that in mind when
implementing this in your app.
In the next step,
we will compute
a random string that helps
us to prevent replay attacks.
This random string is also
known as a nonce, which
is short for number used once.
The Firebase documentation
contains an implementation
of a secure nonce generator
which we're going to use.
Now, let's generate the
nonce, compute the hash,
and store it in the
authentication request,
and finally store the raw
nonce in a local variable
so we can retrieve it later.
[NOTE SOUNDS]
To better understand
how the nonce helps
prevent replay
attacks, let's have
a look at this flow diagram.
First, in your app, you create
an AS authorization AppleID
request, which includes the
scopes you're requesting
as well as the hashed nonce.
The app holds onto the
raw nonce in memory
so it can send it to
Firebase in a later step.
This ensures an attacker
cannot get hold of it.
Next, iOS will display
the sign-in dialog
and guide the user
through the login process.
When returning from
the sign-in flow,
Apple will return an AS
authorization Apple ID
credential, which
contains an ID token.
This ID token
represents the user
that has just signed in via
Apple's authentication dialog.
The token contains
an opaque user ID
that Apple uses to identify
the user, as well as the user's
email address and full name
according to the scopes
you requested earlier.
The ID token also
contains the hashed nonce
we sent in the first step.
As the ID token is a
cryptographically-signed
[INAUDIBLE],, we can
verify its integrity.
And this actually
happens in the next step.
So in step 3, we create an OAuth
credential using the ID token
and send it over
to Firebase along
with the original,
un-hashed nonce.
Firebase will then verify the
ID token as well as the nonce.
To verify the nonce,
Firebase hashes the raw nonce
using the same hashing algorithm
we used in the first step
and then compares the
result with the hashed nonce
and the ID token.
If both values
match, all is well,
and we can be sure
that we weren't
victim of a replay attack.
This works because we
use the nonce just once
and create a new nonce for every
new sign-in process we start.
So even if an attacker
was able to capture
the original request,
it would be impossible
for them to unhash
the nonce, as we're
using SHA-256, which is
a one-way function that
is easy to compute
but hard to invert.
Finally, Firebase will
return and AuthResult
which contains the
signed-in Firebase user.
[NOTES SOUND]
Now that we've got
the request, we
can instantiate the
authorization controller,
set the delegate and
presentation context provider
to self, and then kick
off the login process.
Before we can run the
app, we need to stub out
the delegate methods.
It's good practice
to use extensions
to manage delegate
implementations,
so let's introduce
two extensions here,
one for handling the
authentication callbacks,
and the other one for handling
the presentation context.
This lets us specify
which window should host
the authorization controller.
At this point, iOS will display
the Sign In with Apple UI
and work the user through
the process of signing in.
It will show you the
privacy information screen,
ask them whether they are happy
to share their email address
or would rather use an
anonymous one that Apple
manages for them, and then
call back into your code.
[NOTES SOUND]
So far, none of the
code we've written
is specific to Firebase.
In fact, it should be very
similar to Apple example code.
But now, let's switch it up a
gear and connect to Firebase.
To do so, we'll need to turn
the ID token we received
into a Firebase
credential and then ask
Firebase authentication to
sign in with this credential.
[NOTES SOUND]
So here, in the
dldCompleteWithAuthorization
callback, we first extract
the authorization credential
provided by Apple.
Next, we perform a couple
of standard key checks.
For example, we make sure
that the current nonce is set,
because if it's not, we
are in an undefined state.
We then retrieve the ID token
and convert it into a string.
Using the nonce
and the ID token,
we can now ask
the OAuth provider
to mint a credential
representing the user that
has just signed in.
In the next step, we
will use this credential
to sign into Firebase.
Firebase will verify the
credential and, if it is valid,
will sign in the user.
In case this is a
new user, Firebase
will create a new user
account using the information
provided in the ID token.
And the callback, we can now
retrieve the Firebase user
from the Auth result and
display the user's information.
Oh, and in case
you were wondering,
Firebase will persist
the user's credentials
in the iOS key chain
and retrieve them
at application startup.
So if you want to check if the
user has already signed in,
you can use this code snippet
and update your UI accordingly.
[NOTE SOUNDS]
And this concludes
our brief introduction
to implementing Sign In
with Apple using Firebase.
So where do we go from here?
[NOTES SOUND]
Well, first of all, I
would like to encourage
you to implement Sign In with
Apple on all other platforms
your app is available on.
This will ensure your users
can use the same credentials
on all platforms.
This is really
important, as most users
will use your app on
multiple platforms
such as their phone, their
desktop computer, and maybe
a tablet.
The Firebase documentation
contains guides
for implementing Sign
In with Apple on the web
and on Android, so go
and check them out.
[NOTES SOUND]
You should also start looking
into any other authentication
providers that your
users may expect
in your app, such as Google
Sign-In, or a Facebook Login.
One authentication provider
that I find really useful
is Anonymous Authentication.
This lets you create and use a
temporary and anonymous account
to authenticate with Firebase.
This allows users
who haven't yet
signed up to your application
to access data provided
by Firebase security rules.
And once your users decide
to sign up with your app,
it's easier to link
their anonymous account
to an identity provider,
such as Sign In with Apple,
and turn them into
a full account
so they can sign in from
their other devices as well.
[NOTES SOUND]
Finally, and most
importantly, start
implementing functionality using
some of Firebase's back end
services.
For example, you could
use Cloud Functions
to send new users
a welcome message,
or store data in Firebase
Realtime Database or Cloud
Firestore.
Firebase provide
security rules to help
you secure your
application and make
sure users can only access
data and functions they're
allowed to.
Check out Todd's
and Rachel's video
about setting up and testing
security rules to learn more.
And in the sad event
that your users would
like to stop using
your app altogether
and delete their
user account, there
is the Delete User Data
Firebase extension,
which provides an easy way
to clean up after them.
There is much more than we can
cover in this video so go ahead
and check out the Firebase
product overview at this URL.
[NOTE SOUNDS]
And there you have it.
That was an overview of how to
implement Sign in with Apple
using Firebase Authentication.
If you found this video
helpful, don't forget
to hit the Thumbs Up button.
And be sure to tell me which
authentication provider you
want to learn about next
in the comments below
or @peterfriese on Twitter.
See you next time in another
episode of "Firecasts."
[MUSIC PLAYING]
