Firebase

KalamDB no longer has Firebase-specific auth configuration. Firebase now fits the same single-provider OIDC model as Dex, Keycloak, Okta, Auth0, Entra ID, Google, and other standards-compliant issuers.

Use the generic OIDC docs and set the issuer to your Firebase project issuer.

Example server.toml

1[auth]2jwt_trusted_issuers = "kalamdb,https://securetoken.google.com/YOUR_PROJECT_ID"3 4[auth.oidc]5enabled = true6display_name = "Firebase"7issuer = "https://securetoken.google.com/YOUR_PROJECT_ID"8client_id = "YOUR_PROJECT_ID"9scopes = ["openid", "email", "profile"]10auto_provision = true11default_role = "user"

If you need explicit audience validation, keep client_id set to the Firebase project ID.

What Changed

Do not use or document these removed shapes anymore:

• [oauth]
• [oauth.providers.firebase]
• provider-coded identities such as oidc:fbs:<subject>

Current external identities use the Firebase/OIDC sub claim directly as the KalamDB user_id.

If you need explicit persisted users or elevated roles, create them with issuer and subject:

1CREATE USER 'FIREBASE_UID'2  WITH OIDC '{"issuer":"https://securetoken.google.com/YOUR_PROJECT_ID","subject":"FIREBASE_UID"}'3  ROLE dba4  EMAIL 'user@example.com';

Related

• Authentication Overview
• Token Auth
• Auto-Provisioning Users
• OIDC & Issuer Trust
• OIDC Model