Flutter Web, a Dart gRPC server and Firebase Authentication


OK, not the sexiest title, but here is a quick overview of how you can create a flutter web application (or mobile for that matter, but more on that later), using Firebase authentication, talking to a pure Dart server using gRPC.  


The goal here is to:


  • Create a SPA Flutter web application.

  • Leverage Firebase authentication. It's inexpensive (essentially free for most users), and supports a wide variety of social login providers.

  • Support a native Dart Server, using gRPC and protobufs.

  • Proxy from gRPC web to gRPC "native" using envoy.


Putting it together, it looks something like this:





Why the choice of gRPC here, instead of json/REST?  This comes down to personal preference, but I have always liked the contract first approach of gRPC of defining interfaces using protobufs. In theory, you can do this with OpenAPI - but I've yet to see a moderately complex interface where the generated API stubs look even remotely usable. gRPC does a good job of generating usable client and server stubs for a wide variety of languages. It's also fast. If json is your thing, protobuf3 provides a json serialization option.


gRPC currently rides over http/2 - which web applications do not support. This is where grpc-Web comes in, which defines a mapping between http and the "native" gRPC protocol. Envoy does the proxying for us here. It's simple to configure starting with the sample envoy.yaml.  Aside - if you have a mobile or desktop application that speaks http/2 you don't need the envoy proxy as the application can make direct gRPC calls against the server.


Basic Flow


  1. The flutter web app authenticates using the FlutterFire authentication plugin. The user will be prompted for their credentials or will use social login. I used the sample FlutterFire Auth application to test this.

  2. Once the user has authenticated, the application gets back an OpenID connect id token.

  3. The application sends the id token over grpc-Web to the Dart server (via the envoy proxy).

  4. The idToken must be validated! I used the excellent openid_client library on pub.dev for validation. This library checks the signature on the token to ensure it was issued by Firebase, and is still valid.  

  5. The id token contains a number of JWT claims that our server will use. The user id assigned by firebase is unique, and makes an excellent primary key for your application.  You can also extract the user's email, photo, and other claims.


You probably don't want to pass the id token on every call from your client to the server. It's large, and you really should not be reusing it. Instead, your server can create a simple session, using a secure random string as the session identifier. There are many approaches here, starting with a simple in memory hashmap of session ids, and a periodic timer to purge older sessions. 


In my test application, I elected to send the id token in a simple authN request:



If the token is valid, the server creates a session and returns it to the client. 


For subsequent calls, you should pass the session id as "metadata" (call options) rather than specify it in every single Request protobuf message. 


On the client, you can send the session id metadata as follows:



On the server we have a gRPC interceptor that looks for a session id. If the session is valid, the call proceeds. If not, the interceptor returns a gRPC error to the client. This looks something like this:




And there you have it. If you have questions, let me know in the comments.

Comments

Post a Comment

Popular posts from this blog

Introducing ds-operator, the ForgeRock Directory Services Operator for Kubernetes

Image
ForgeRock Directory Services 7.0 was a big achievement for the Grenoble Directory team.  It is the only "Kubernetes native" directory where you can add a new replica using kubectl: kubectl scale sts/ds-idrepo --replicas=3 The 7.0 deployment is assembled using standard Kubernetes primitives such as StatefulSets , Persistent Volume Claims, and Services.  This is all built and orchestrated using Skaffold and Kustomize .  An emerging pattern in the Kubernetes world is the use of Custom Resources and Operators .  Broadly speaking, a custom resource is the declaration of the desired system state, and the operator's job is to observe the current state and bring the system into alignment with the declared state: source: https://blog.container-solutions.com/kubernetes-operators-explained The Kubernetes API server (the thing that responds to your kubectl commands) can be extended to handle new custom types.  A custom resource definition (CRD) describes to the API server the syntax
Read more

Automating OpenDJ backups on Kubernetes

Image
Kubernetes   StatefulSets  are designed to run "pet" like services such as databases.   ForgeRock's OpenDJ LDAP server is an excellent fit for StatefulSets as it requires stable network identity and persistent storage. The ForgeOps project contains a Kubernetes Helm chart to deploy DJ to a Kubernetes cluster. Using a StatefulSet, the cluster will auto-provision persistent storage for our pod. We configure OpenDJ to place its backend database on this storage volume. This gives us persistence that survives container restarts, or even restarts of the cluster. As long as we don't delete the underlying persistent volume, our data is safe. Persistent storage is quite reliable, but we typically want additional offline backups. The high level approach to accomplish this is as follows: Configure the OpenDJ container to support scheduled backups to a volume. Configure a Kubernetes volume to store the backups. Create a sidecar container that archives the backups
Read more

Deploying the ForgeRock platform on Kubernetes using Skaffold and Kustomize

Image
If you are following along with the  ForgeOps repository, you will see some significant changes in the way we deploy the ForgeRock IAM platform to Kubernetes.  These changes are aimed at dramatically simplifying the workflow to configure, test and deploy ForgeRock Access Manager, Identity Manager, Directory Services and the Identity Gateway. To understand the motivation for the change, let's recap the current deployment approach: The Kubernetes manifests are maintained in one git repository ( forgeops ), while the product configuration is another ( forgeops-init ). At runtime ,  Kubernetes init containers clone the configuration from git and make it  available to the component using a shared volume. The advantage of this approach is that the docker container for a product can be (relatively) stable. Usually it is the configuration that is changing, not the product binary. This approach seemed like a good idea at the time, but in retrospect it created a lot of c
Read more