Securely setting the first custom claim on a Firebase user

What is the standard, secure way to set the first custom claim on all Firebase users?

Firebase provides some great documentation and examples for understanding and using custom claims -- e.g. this great video example -- but most examples use an existing custom claim to authorize the creation of other custom claims; and as of this post the Firebase console provides no way to set/edit/view custom claims, nor can custom claims be set via the CLI.

Here are some options I am considering:

  • Create a distinct admin project, which can be used by a service account to create custom claims via the Firebase Admin SDK.
  • Use a Cloud Function to perform custom claim creation iff a certain Firebase console action is taken, e.g. creating a Firestore Document in collection inaccessible via security rules.
  • Ignore security for the creation of the first custom claim; only add security after this is already a custom claim on a Firebase user.

Have you encountered this problem and solved it more-elegantly?

zachary-reachodin asked Oct 20 '25 13:10



1 Answer

There is no real standard way to set Custom Claims. The only constraint, as you know, is that they can only be set from a privileged server environment by the Firebase Admin SDK, i.e. from one of your servers, or, easier and more serverless-oriented, via a Cloud Function.

So, within this constraint, you can do whatever you want. The first two options in your question are totally valid and good ones, IMO. I wrote an article about a year ago (How to create an Admin module for managing Firebase users access and roles) in which we use a Callable Cloud Function to do the job. Today, in most of my projects, I prefer to use a Firestore collection which triggers the Cloud Function, but it is more or less equivalent (the Callable Cloud Function in the article actually creates a Firestore doc).

In this article, I share a simple approach for creating the first Claim (which I call the Admin user Claim): use a temporary Cloud Function that you trigger by creating a doc in a temporary, secured, Firestore collection. Not a very elaborate or elegant method, but it does the job...


About your third option ("Ignore security for the creation of the first custom claim"), I don't think you need to or should do that.

You can do as described in the article and above. In a nutshell:

  1. Set up your system with access rights restricted to the user with the Admin Custom claim (e.g. a security rule to create a doc in the dedicated Firestore collection, or a check in a Callable Cloud Function that the caller has the Admin Claim)
  2. Create the Admin user in the Auth service
  3. Assign him the Admin user Claim via the method detailed above.

You are done, with no security hole.


Finally, it's worth noting that a new experimental Extension dedicated to setting claims with Firestore was launched in January this year. See here and here.

Renaud Tarnec answered Oct 23 '25 05:10

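The bootstrap procedure the answer describes (a temporary Cloud Function triggered by a doc in a locked-down Firestore collection that sets the first Admin claim, plus the steady-state check that a caller already holds that claim), written as an added example that is not code from the answer or the linked article. The collection name `adminBootstrap`, the claim name `admin`, and the in-memory stand-in for `admin.auth()` are assumptions made so the logic can be exercised offline; `getUserByEmail` and `setCustomUserClaims` are the real Firebase Admin SDK method names.

```javascript
// Added example: bootstrap handler for the first Admin custom claim.
// In a real deployment it would be wired up roughly as (not run here):
//   exports.bootstrapAdmin = functions.firestore
//     .document('adminBootstrap/{docId}')   // assumed collection name
//     .onCreate((snap) => grantAdminClaim(snap.data(), admin.auth()));
// The collection is denied to all clients in security rules, the doc is
// created from the console, and the function is deleted once the first
// admin exists.
const ADMIN_CLAIM = 'admin'; // assumed claim name

async function grantAdminClaim(docData, auth) {
  if (!docData || typeof docData.email !== 'string') {
    return { ok: false, reason: 'missing email' };
  }
  const user = await auth.getUserByEmail(docData.email);
  // setCustomUserClaims replaces the whole claims object, so merge first
  // rather than wiping any claims the user already has.
  const claims = { ...(user.customClaims || {}), [ADMIN_CLAIM]: true };
  await auth.setCustomUserClaims(user.uid, claims);
  return { ok: true, uid: user.uid, claims };
}

// Steady-state guard for the Callable Cloud Function variant: the caller's
// verified ID token must already carry the admin claim before the function
// is allowed to set claims on other users.
function assertCallerIsAdmin(context) {
  const token = context && context.auth && context.auth.token;
  if (!token || token[ADMIN_CLAIM] !== true) {
    throw new Error('permission-denied: caller lacks the admin claim');
  }
  return true;
}

// Constructed in-memory stand-in for admin.auth(), for offline use only.
function makeFakeAuth(users) {
  return {
    async getUserByEmail(email) {
      const u = users.find((x) => x.email === email);
      if (!u) throw new Error('auth/user-not-found');
      return u;
    },
    async setCustomUserClaims(uid, claims) {
      users.find((x) => x.uid === uid).customClaims = claims;
    },
  };
}
```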