Introduction to the Admin Auth API
==================================

Last updated (UTC): 2025-09-04.

Identity Platform is built on an enhanced infrastructure that supports authentication of users to your apps and services. You can use the Firebase Admin SDK to integrate your own servers with Identity Platform and manage your users or authentication tokens. There are a number of reasons you would want to do this:

**User Management**

It is not always convenient to have to visit the Google Cloud console to manage your Identity Platform users. The admin user management API provides programmatic access to those same users. It even allows you to do things the Google Cloud console cannot, such as retrieving a user's full data and changing a user's password, email address, or phone number.

**Custom Authentication**

You can integrate an external user system with Identity Platform. For example, you may already have a pre-existing user database or you may want to integrate with a third-party identity provider that Identity Platform doesn't natively support.

To do this, you can create custom tokens with arbitrary claims identifying the user. These custom tokens can then be used to sign into the Identity Platform service on a client application and assume the identity described by the token's claims. This identity will then be used when accessing other Identity Platform services, such as Cloud Storage.

**Identity Verification**

Identity Platform is primarily used to identify users of your app in order to restrict access to other services, like Cloud Storage. You can also use the service to identify these users on your own server. This lets you securely perform server-side logic on behalf of users that have signed in with Identity Platform.

To do this, you can retrieve an ID token from a client application signed in with Identity Platform and include the token in a request to your server. Your server then verifies the ID token and extracts the claims that identify the user (including their `uid`, the identity provider they logged in with, etc.). This identity information can then be used by your server to carry out actions on behalf of the user.

The Firebase Admin SDK provides methods for accomplishing the authentication tasks above by enabling you to manage your users, generate custom tokens, and verify ID tokens.

**Custom User Claims**

In some cases, you may want to implement fine-grained access control for users already signed in with one of the supported Identity Platform auth providers such as Email/Password, Google, Facebook, phone, etc. A combination of custom user claims and application security rules provides this capability. For example, a user signed in with the Identity Platform Email and Password provider can have access control defined using custom claims.

User management
---------------

The Firebase Admin SDK provides an API for managing your Identity Platform users with elevated privileges. The admin user management API gives you the ability to programmatically retrieve, create, update, and delete users without requiring a user's existing credentials and without worrying about client-side rate limiting.

[Manage users](/identity-platform/docs/concepts-manage-users)

Custom token creation
---------------------

The primary use for creating custom tokens is to allow users to authenticate against an external or legacy authentication mechanism. This could be one you control, such as your LDAP server, or a third-party OAuth provider which Identity Platform does not natively support, such as Instagram or LinkedIn.

The Firebase Admin SDK has a built-in method for creating custom tokens. You can also programmatically create custom tokens in any language using third-party JWT libraries.

Your server should create a custom token with a unique identifier (`uid`) and pass that token to a client app, which will use it to sign in to Identity Platform. See [Create custom tokens](https://firebase.google.com/docs/auth/admin/create-custom-tokens) for code samples and more details about the custom token creation process.

ID token verification
---------------------

If your Identity Platform client app communicates with your backend server, you might need to identify the currently signed-in user on your server so you can perform server-side logic on their behalf. You can do this securely by using ID tokens, which are created by Identity Platform when a user signs into an Identity Platform app. ID tokens conform to the [OpenID Connect spec](http://openid.net/specs/openid-connect-core-1_0.html) and contain data to identify a user, as well as some other profile and authentication-related information. You can send, verify, and inspect these tokens from your own backends. This allows you to securely identify the currently signed-in user and authorize them into your own backend resources.

The Firebase Admin SDK has a built-in method for verifying ID tokens. You can also programmatically verify ID tokens in any language using third-party JWT libraries. See [Verify ID tokens](https://firebase.google.com/docs/auth/admin/verify-id-tokens) for more details and code samples about the ID token verification process.

Custom user claims
------------------

The Firebase Admin SDK lets you set custom attributes on user accounts. With custom user claims, you can give users different levels of access (roles), which are then enforced in an application's security rules.

After custom claims are modified on a user via the Firebase Admin SDK, they are propagated to the authenticated users on the client side via their ID tokens. The ID token is a trusted mechanism for delivering these custom claims, and all authenticated access must validate the ID token before processing the associated request.

[Control Access with Custom Claims](https://firebase.google.com/docs/auth/admin/custom-claims)
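The server-side flow described under ID token verification and custom user claims, written out with Node's built-in `crypto` module instead of the Admin SDK. This is an added example, not code from the original page or from the Firebase Admin SDK. It assumes a locally generated RSA key pair standing in for the provider's published signing keys, a hypothetical project ID `example-project`, a hypothetical key ID `kid-1`, and a hypothetical `admin` custom claim; the helper names are illustrative.

```javascript
// Added example: keys, tokens, PROJECT_ID and the key ID are constructed placeholders.
const crypto = require('node:crypto');

const PROJECT_ID = 'example-project'; // hypothetical project ID
const ISSUER = `https://securetoken.google.com/${PROJECT_ID}`;
const b64u = (v) => Buffer.from(v).toString('base64url');

// Stand-in for the provider's published signing keys, indexed by key ID (kid).
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const TRUSTED_KEYS = { 'kid-1': publicKey };

// Helper: mint a constructed RS256 token so the verifier has input offline.
function mintToken(claims, header = { alg: 'RS256', kid: 'kid-1' }, key = privateKey) {
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${crypto.sign('RSA-SHA256', Buffer.from(input), key).toString('base64url')}`;
}

// Returns the verified claims, or throws if any check fails.
function verifyIdToken(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, sig] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  // Pin the algorithm: the token must not choose how it is verified.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const key = Object.hasOwn(TRUSTED_KEYS, header.kid) ? TRUSTED_KEYS[header.kid] : null;
  if (!key) throw new Error('unknown kid');
  if (!crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), key, Buffer.from(sig, 'base64url')))
    throw new Error('bad signature');
  const c = JSON.parse(Buffer.from(p, 'base64url').toString());
  if (c.iss !== ISSUER || c.aud !== PROJECT_ID) throw new Error('wrong issuer or audience');
  if (!(c.exp > now) || !(c.iat <= now)) throw new Error('expired or not yet valid');
  if (typeof c.sub !== 'string' || c.sub === '') throw new Error('missing sub');
  return c;
}

// Authorization step: read the custom claim only from a verified token.
function isAdmin(token, now) {
  try { return verifyIdToken(token, now).admin === true; } catch { return false; }
}

function sampleClaims(now, extra = {}) {
  return { iss: ISSUER, aud: PROJECT_ID, sub: 'uid-123', iat: now - 60, exp: now + 3600, ...extra };
}

const demoNow = Math.floor(Date.now() / 1000);
console.log('admin token accepted:', isAdmin(mintToken(sampleClaims(demoNow, { admin: true })), demoNow));
```

In production the trusted keys come from the provider's published key set and must be refreshed when they rotate; the Admin SDK's built-in verification handles that for you.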