ADR-0015 Token Service for QuantaCorp API

Date: 2021-05-14
Status: Accepted
Amends: ADR-0014 Scanatar Creation

Context

The QuantaCorp API needs to be able to validate that calls are coming from a legitimate eTryOn user. In ADR-0014 we proposed using the ID token returned by Firebase Auth as a bearer token to authenticate to the QuantaCorp API, but as this is the same token used to authenticate to Firebase services, it should not be exposed to a third-party API.

Decision

We will implement a Google Cloud Function to generate short-lived tokens with scope limited to the QuantaCorp API.

These will be JSON Web Tokens containing the ID of the authenticated user in the id field and QuantaCorp in the audience field, and will be valid for 15 minutes.

We will generate a key pair for signing and validating the tokens. We will share the public key with QuantaCorp so they can verify the signature.

Consequences

Applications using the QuantaCorp SDK will have to retrieve a token (by calling the Cloud Function) before interacting with the QuantaCorp API. They will authenticate to the Cloud Function using the ID token retrieved from Firebase Auth.

The QuantaCorp API will be able to identify the user from the id field in the token claims. This claim can be validated by verifying the token signature.
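
The token flow decided above, as an added example (not code from this project or from QuantaCorp): the token service mints the token, and the API side checks the algorithm, signature, audience and expiry before trusting the id claim. RS256, the standard `aud`/`iat`/`exp` claim names, the throwaway key pair and the user id `user-123` are assumptions; the ADR fixes only the id field, the audience and the 15-minute lifetime.

```javascript
const crypto = require('crypto');

const b64u = (v) => Buffer.from(v).toString('base64url');
const TTL_SECONDS = 15 * 60;   // validity period from the ADR
const AUDIENCE = 'QuantaCorp'; // audience value from the ADR

// Token service side: sign {id, aud, iat, exp} with the private key.
function mintToken(userId, privateKey, now = Math.floor(Date.now() / 1000)) {
  const header = b64u(JSON.stringify({ alg: 'RS256', typ: 'JWT' })); // RS256 is an assumption
  const payload = b64u(JSON.stringify({ id: userId, aud: AUDIENCE, iat: now, exp: now + TTL_SECONDS }));
  const sig = crypto.sign('sha256', Buffer.from(`${header}.${payload}`), privateKey);
  return `${header}.${payload}.${b64u(sig)}`;
}

// API side: returns the user id, or throws if any check fails.
function verifyToken(token, publicKey, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [header, payload, sig] = parts;
  const { alg } = JSON.parse(Buffer.from(header, 'base64url').toString());
  if (alg !== 'RS256') throw new Error('unexpected alg'); // pin the algorithm, do not trust the header
  const signed = Buffer.from(`${header}.${payload}`);
  if (!crypto.verify('sha256', signed, publicKey, Buffer.from(sig, 'base64url'))) {
    throw new Error('bad signature');
  }
  // Claims are read only after the signature has been verified.
  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString());
  if (claims.aud !== AUDIENCE) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || now >= claims.exp) throw new Error('expired');
  if (typeof claims.id !== 'string' || claims.id === '') throw new Error('missing id');
  return claims.id;
}

// Constructed demo: throwaway key pair, made-up user id, fixed clock.
function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const t0 = 1700000000;
  const token = mintToken('user-123', privateKey, t0);
  const attempt = (tok, at) => { try { return verifyToken(tok, publicKey, at); } catch (e) { return e.message; } };
  const [h, p, s] = token.split('.');
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  const forged = `${h}.${b64u(JSON.stringify({ ...claims, id: 'user-999' }))}.${s}`;
  return {
    valid: attempt(token, t0 + 60),            // within the 15-minute window
    expired: attempt(token, t0 + TTL_SECONDS), // exactly at expiry
    tampered: attempt(forged, t0 + 60),        // id claim changed, old signature kept
  };
}
```

The private key stays with the Cloud Function; only the public key is shared, so the API side can verify tokens but cannot mint them.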