ADR-0015 Token Service for QuantaCorp API
| Amends | ADR-0014 Scanatar Creation |
The QuantaCorp API needs to be able to validate that calls are coming from a legitimate eTryOn user. In ADR-0014 we proposed using the ID token returned by Firebase Auth as a bearer token to authenticate to the QuantaCorp API, but as this is the same token used to authenticate to Firebase services, it should not be exposed to a third-party API.
We will implement a Google Cloud Function to generate short-lived tokens with scope limited to the QuantaCorp API.
These will be JSON Web Tokens containing the ID of the authenticated user in the id field and QuantaCorp in the audience field, and will be valid for 15 minutes.
We will generate a key pair for signing and validating the tokens. We will share the public key with QuantaCorp so they can verify the signature.
Applications using the QuantaCorp SDK will have to retrieve a token (by calling the Cloud Function) before interacting with the QuantaCorp API. They will authenticate to the Cloud Function using the ID token retrieved from Firebase Auth.
The QuantaCorp API will be able to identify the user from the id field in the token claims. This claim can be validated by verifying the token signature.
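The following sketch shows both sides of the decision above: issuing the 15-minute token and verifying it with only the public key. It is an added example, not code from the eTryOn project. It assumes RS256 signing with Node's built-in crypto module and the standard iat/exp claims for validity; the function names and the sample user ID are hypothetical.

```javascript
const crypto = require('node:crypto');

const TTL_SECONDS = 15 * 60;   // validity stated in the ADR
const AUDIENCE = 'QuantaCorp'; // audience value stated in the ADR

const b64url = (input) => Buffer.from(input).toString('base64url');

// Token service side: call only after the caller's Firebase ID token has been verified.
function issueToken(userId, privateKey, nowSeconds) {
  const header = { alg: 'RS256', typ: 'JWT' }; // algorithm is an assumption
  const claims = { id: userId, audience: AUDIENCE, iat: nowSeconds, exp: nowSeconds + TTL_SECONDS };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const signature = crypto.sign('RSA-SHA256', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${signature.toString('base64url')}`;
}

// Verifier side (what the QuantaCorp API would do): holds only the public key.
function verifyToken(token, publicKey, nowSeconds) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [headerB64, claimsB64, sigB64] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(headerB64, 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(claimsB64, 'base64url').toString('utf8'));
  } catch { throw new Error('malformed token'); }
  // Pin the algorithm: the token must not choose how it is verified.
  if (header?.alg !== 'RS256') throw new Error('unexpected algorithm');
  const signed = Buffer.from(`${headerB64}.${claimsB64}`);
  const ok = crypto.verify('RSA-SHA256', signed, publicKey, Buffer.from(sigB64, 'base64url'));
  if (!ok) throw new Error('bad signature');
  if (claims?.audience !== AUDIENCE) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || nowSeconds >= claims.exp) throw new Error('token expired');
  if (typeof claims.id !== 'string' || claims.id === '') throw new Error('missing id');
  return claims.id; // trusted only because every check above passed
}

// Constructed demo: throwaway key pair, made-up user ID and timestamp.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const now = 1700000000;
  const token = issueToken('user-123', privateKey, now);
  return { token, publicKey, now, userId: verifyToken(token, publicKey, now + 60) };
}
```

The verifier checks the signature before trusting any claim, then rejects tokens with the wrong audience or past their expiry, so a token that leaks is only usable against the QuantaCorp API and only for the remainder of its 15 minutes.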