I’ve been reading up a bit on push tokens and I have a question about the data that’s sent to Google Firebase. I found a lot about the xml and that I have to register a new project under my account, but I don’t find anything about the transmission.
What exactly is being sent, and do I need to inform our company’s data security officer about this?
What do you think? I’m based in Germany.
Is there perhaps a Google-independent solution available for push token from the EU?
Best regards
Hi. i think @AAuer was refering to the xml part you found, which was a old implementation where you could create your own firebase project and were responsible for that on your own. unfortunately that does not really work anymore, so we abandoned it and now use our single firebase for the whole app.
But, and that connects to your original question, you do not need firebase at all. its just a convenicene thing, so that users get a notification if the app is closed/in background. the push token can also work in poll only mode, which is the base mode anyway, firebase is then just on top of that. that means, the app will always query the server on lifecycle events (app start, coming to foreground), or on explicit query (refresh gesture), for authentication requests - if a push token is in the app of course. this way, the push token already works, so no firebase needed. but this has the limitation that the app needs to be executed, so if its terminated or in background, the user will not get a notification, that is only possible with firebase.
The data that is transmitted via firebase is the same that is also queried directly from privacyIDEA: challenge nonce, message/prompt (which can contain information about the user/application if you use tag replacement in the message), token serial, title (of the dialog shown to the user in the app), sslverify flag and the server url (allows changing the url in operation).
I hope this helps