In the meeting, the State Changers discussed various issues related to user authentication, focusing on the use of Google's Identity Toolkit (Kids) and integration with Firebase and Xano.
The main problem queried is the single use of Google Kids which, as discussed, is generally used for single-sign on purposes via social sign-on and verifying ID tokens received from Google. The essential purpose of these public keys (Kids) is for validating tokens received from Google, ensuring their authenticity. The conversation also touched upon the use of Firebase and Xano. The participant initiating the query is using Firebase for login and Xano for authorization. A concern raised pertained to the possible proliferation of authorization tokens floating around leading to potential security issues. It was concluded that vulnerabilities from the existence of multiple tokens aren't a significant concern given their time-bound validity. Another topic was the differentiation between 'login as a process' and 'login as a state'. Participants reiterated the transient relationship with Firebase where the login is a process that results in an ID token. This token is then used for interaction with Xano to receive authorization tokens which have a specific lifespan. The scenario of a potential security breach was discussed, where a user logged in via Firebase manages to get hold of an authorization token of another user. The defense against such situations is the proper validation via Kids to ensure the authenticity of the user. Towards the end of the discussion, the prospect of reinforcing the implementation of Kids was discussed for a future meeting to mitigate potential security risks. It emerged that Kids may already be in use in an unknown manner since it's usually part of standard ID token authentication, but this was left to be clarified later. A future meeting was scheduled to delve deeper into this aspect.
(Source: Office Hours 4/17 Evening )
