We are converting our non-ColdBox API to ColdBox and were able to create a working hybrid application.
In order to convert some of the endpoints to ColdBox and validate the API requests, we would like to use cbsecurity so that we can lean on the framework way.
The JSON web token is signed with a Google private and public key. We already have this in place and working in the legacy application.
Users are managed in Firestore, including the user roles, and duplicated to the backend database, as all the data is stored there, including schedules based on the users' preferences.
Firestore supports user login from multiple platforms like Google, Microsoft, Apple etc.
Well, since you are using your own auth service, it will be a matter of making sure you create a service object that adheres to our interface so cbsecurity can use it: Authentication Services - cbsecurity
Once those are in place, you can use the same Google private/public keys to sign the ColdBox JSON web tokens too. We use the jwt-cfml package for this: FORGEBOX: JWT CFML, which allows you to leverage signatures as well.
Basically, cbsecurity has all the machinery to protect your application with rules and annotations, but you must tell it how users authenticate and how users authorize.
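
An added sketch of the two objects the reply refers to, not code from the original thread or from the cbsecurity project: a user object and a user service exposing the methods cbsecurity's user, JWT subject and user service interfaces call. The component names, the `api_users` table and its columns, the role-only authorization and the use of roles as JWT scopes are all assumptions; the two components belong in separate `.cfc` files.

```cfml
// models/ApiUser.cfc (hypothetical name): the user object handed to cbsecurity
component accessors="true" {
	property name="id";
	property name="email";
	property name="roles" type="array";

	function init(){ variables.id = ""; variables.email = ""; variables.roles = []; return this; }

	// Accepts a single role, a list or an array; true when any of them matches
	boolean function hasRole( required role ){
		var mine   = variables.roles;
		var wanted = isArray( arguments.role ) ? arguments.role : listToArray( arguments.role );
		return wanted.some( function( r ){ return mine.findNoCase( trim( r ) ) > 0; } );
	}

	// Assumption: this API authorizes on roles only, so no permission is ever granted
	boolean function hasPermission( required permission ){ return false; }

	// Claims and scopes placed into tokens issued for this user (assumption: scopes = roles)
	struct function getJwtCustomClaims(){ return { "email" : variables.email }; }
	array function getJwtScopes(){ return variables.roles; }
}

// models/ApiUserService.cfc (hypothetical name): looks users up in the backend database
component singleton {
	// Assumption: table api_users( id, email, roles ) with roles stored as a comma list
	function retrieveUserById( required id ){
		return toUser( queryExecute( "SELECT id, email, roles FROM api_users WHERE id = :id",
			{ id : { value : arguments.id, cfsqltype : "cf_sql_varchar" } } ) );
	}

	function retrieveUserByUsername( required username ){
		return toUser( queryExecute( "SELECT id, email, roles FROM api_users WHERE email = :email",
			{ email : { value : arguments.username, cfsqltype : "cf_sql_varchar" } } ) );
	}

	// Passwords live with the identity provider, so a local password check never succeeds
	boolean function isValidCredentials( required username, required password ){ return false; }

	// An unknown user comes back with an empty id and no roles, so every role check fails
	private function toUser( required query q ){
		var user = new ApiUser();
		if ( q.recordCount ) {
			user.setId( q.id );
			user.setEmail( q.email );
			user.setRoles( listToArray( q.roles ) );
		}
		return user;
	}
}
```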