Authenticating third-party services using Supabase Auth
Hi, I'm currently planning to move my authentication from Firebase over to Supabase for my Flutter project, but I have some concerns.
For one, I don't want to use Supabase Storage, for instance, and opt to use AWS S3 instead (not sure on this one yet).
Most importantly, I plan to host my own NoSQL database alongside Supabase for simple high-volume data on a VPS with a custom Auth API to validate Supabase authentications, but I'm kind of stumped on how to go about this, because this is the first time I'm working with multi-service infrastructure to fit my needs...
The main reasons for this kind of separation are to minimize costs and to keep my application as scalable as possible.
But there are a few caveats to that approach:
- For every read and write, I need to make sure that the user is actually allowed to access this information.
- I currently use Firebase to store messages as well as conversation headers (with last message, timestamp, participants). I don't authenticate Supabase users because I'm still prototyping my way to a functional app. I'm not sure whether conversation headers should be stored in Supabase or my NoSQL database, or if it makes functionally no difference once I've found a working solution.
So the questions regarding my problems boil down to:
Are there any Supabase (or Supabase-agnostic) resources for this (validating foreign/self-written services using Supabase Auth)?
What are the implications this might have for my Cloud Supabase instances? Do I need to self-host to do that?
I saw the Supabase Auth page, but I might've stumbled over the answer I need.
10 Replies
This is the method to have access to Supabase database/storage/etc using Firebase auth. https://supabase.com/docs/guides/auth/third-party/firebase-auth
Hi! I'm moving away from Firebase, that's not my issue. I need Firebase for messaging data, but because it's too expensive and limited, I want to create my own solution. Since Supabase Auth is a pretty appealing option, I'm trying to figure out how you would authorize reads and writes for other services you might use alongside Supabase.
In my case it's a VPS-hosted NoSQL database.
Ah sorry I missed that.
There is no built-in method to do that, although now with the async JWTs you can use a public key to verify the user JWTs are valid, so you could probably do that.
The problem becomes refreshing the JWT so you would need to be calling all your services from a common point that handles the refreshing when they expire.
Okay. So for example if I had a conversation or chat groups, I would hold their userIds in the conversation header... that would be the critical part for me - does the JWT confirm the identity of that user id?
Yes.
Alright thanks, that's 80% of my concerns addressed already 😂
Would that common point be Cloud Functions?
This is the async JWT stuff that was just released. There is an endpoint you can get the public key from and use that with a jwt library to verify the claims.
https://supabase.com/blog/jwt-signing-keys
You need somewhere to sign in the user and then keep their JWT refreshed. Edge Functions only run for a few minutes.
The REST clients handle the refreshing.
I mean, I have a Flutter application I plan to use the auth in... I'm currently a bit confused on what you mean, sorry.
You could use the edge functions though to protect your other services.
The Flutter Supabase REST client handles sign-in and keeping the token refreshed. If you call all your other services from that, then you should be fine.
Oh I see, alright. I think I'll get back to development for now then. Thanks!