n
Hi guys, I want to make a chat app. So if I authenticate the user on the client side using Firebase Auth Google Sign-In, then when I send a chat request to the server to create a chat session, I don't need any authentication on the server side, right? Because I already have the user id on the client side, so I can use it to create the session?
a
Firebase will issue you an id token. The client can decode the token to determine the user id, but if the client sends the id to the server, the server has no way to trust the id actually belongs to the person calling it. For example, if I know your user has an id of 1234, what's stopping me from sending that to the server to create the session? What you need to do is send the id token (JWT) to the server, and then cryptographically verify it using Firebase's public JWKS. Verifying JWTs is a very standard thing, but Firebase will give you instructions on how to do it. If the server merely decodes the token, and doesn't verify it, then nothing is stopping me from signing my own JWT to pass myself off as user 1234. So once your server has verified the JWT was signed by your identity provider (Firebase), then you can decode it and trust the user id inside it to be valid. Once the server has the id, you can use that to create the session. That was your crash course to JWT authorization using a public identity provider. Good luck!
n
Wow, you can clarify it for me without knowing which backend framework I'm going to use. Amazing. I'm from Android development, so everything is brand new to me. Thank you so much.
a
I'm glad it helped!