Authentication
Authentication is handled by Firebase Auth. We use the Firebase SDK to sign the user in via one of the supported providers. At this time only the Microsoft/Azure provider and the Email+Password provider are enabled.
Providers
Microsoft/Azure
This allows the tenant to integrate with their existing Azure AD, and use their existing accounts to log in. This is the recommended approach for most tenants.
To set up this provider, you need to add an app registration to Azure for your company, and add the auth callback URL to the app registration. The auth callback URL is https://<tenant>.app.jobmgr.net/__/auth/handler.
Email+Password
This allows the tenant to create a new account, and log in with that account. This is the recommended approach for tenants who do not have an existing Azure AD, or who do not want to integrate with their existing Azure AD.
Notes for 3rd party providers
All 3rd-party providers (e.g. Microsoft) require registering an auth callback. Because we sign in via redirect (so the app works in kiosk-mode web browsers that disallow popups), the callback URL must be on the same domain as the app. This is because modern browsers are phasing out support for third-party cookies, which the redirect flow depends on when the callback domain differs from the app domain.
To fix this, we have added a proxy to the load balancer, which forwards requests for the auth callback URL to the app. This means the auth callback URL can be on the same domain as the app but still be handled by the app. This setting is found in the Google Cloud Load Balancer under job-manager --> host and path rules --> *.app.jobmgr.net --> /__/auth/
Before this solution, we had a custom domain auth.jobmgr.net in place that pointed to the Firebase Auth endpoint. This solved the problem of needing a separate firewall rule for the ".firebaseapp.com" domain that would otherwise be the default. However, we now no longer actually need auth.jobmgr.net (I don't think), because we are transparently proxying all auth paths through our app domain.
For more information see: https://firebase.google.com/docs/auth/web/redirect-best-practices#proxy-requests
Configuration
Configuration is loaded via the FIREBASE_CONFIG_BASE64 build-trigger environment variable, which is a secret value read from https://console.cloud.google.com/security/secret-manager/secret/FIREBASE_CONFIG_BASE64_PRODUCTION/versions?project=job-manager-1313. This value is a base64-encoded JSON string containing the Firebase configuration for the site.
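The following is an added example, not code from this project: it decodes a FIREBASE_CONFIG_BASE64 value the way the build step would and checks that the resulting authDomain keeps the /__/auth/handler callback on a tenant host under app.jobmgr.net (the proxied path described under "Notes for 3rd party providers") rather than on the default .firebaseapp.com domain, which would reintroduce the third-party-cookie problem. The function names, the APP_DOMAIN_SUFFIX constant and the sample config values are assumptions.

```javascript
// Added example (not the project's own code). Decodes the base64 JSON
// config and validates that the redirect callback stays on the app domain.
// loadFirebaseConfig, authCallbackUrl, callbackOnAppDomain and
// APP_DOMAIN_SUFFIX are assumed names, not part of the project.

const APP_DOMAIN_SUFFIX = ".app.jobmgr.net";
const REQUIRED_KEYS = ["apiKey", "authDomain", "projectId", "appId"];

// Decode the base64-encoded JSON string and check the keys the SDK needs.
function loadFirebaseConfig(base64Value) {
  const json = Buffer.from(base64Value, "base64").toString("utf8");
  const config = JSON.parse(json);
  for (const key of REQUIRED_KEYS) {
    if (typeof config[key] !== "string" || config[key].length === 0) {
      throw new Error(`Firebase config is missing "${key}"`);
    }
  }
  return config;
}

// The redirect callback URL Firebase will use for this config.
function authCallbackUrl(config) {
  return `https://${config.authDomain}/__/auth/handler`;
}

// True only when authDomain is a tenant host under the app domain, so the
// callback is served through the load balancer's /__/auth/ proxy rule and
// not from the default *.firebaseapp.com host (a third-party origin).
function callbackOnAppDomain(config) {
  const host = config.authDomain.toLowerCase();
  return host.endsWith(APP_DOMAIN_SUFFIX) &&
    host.length > APP_DOMAIN_SUFFIX.length;
}

// Constructed sample secret value; these are not real project settings.
const SAMPLE_CONFIG_BASE64 = Buffer.from(JSON.stringify({
  apiKey: "example-api-key",
  authDomain: "acme.app.jobmgr.net",
  projectId: "example-project",
  appId: "1:000:web:000",
})).toString("base64");

const cfg = loadFirebaseConfig(SAMPLE_CONFIG_BASE64);
console.log(authCallbackUrl(cfg), callbackOnAppDomain(cfg));
```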