I need to revoke the Firebase token generated for CI. However I can't figure out how to do that.
Firebase details how you can generate a token
firebase login:ci
And also how to revoke a token:
firebase logout --token TOKEN
However I don't know what the variable for TOKEN is. Firebase doesn't seem to generate an ID when you create one and I can't see any CLI command to list active tokens.
How can I revoke a token without knowing what its ID is?
TOKEN is the CI token generated by firebase login:ci that you want to revoke and not any ID.
Related
Is there any way to get a Google Cloud token with a Firebase user token?
Specifically, I want to address REST API endpoints at https://storage.googleapis.com/storage/v1/b/<bucket>/o, but Firebase Auth tokens are not accepted here.
In detail, I send the Firebase Token in the header of the request:
CustomHeaders['Authorization'] := 'Bearer ' + FirebaseAuthToken
And get a status code 401 with the message Invalid Credentials.
On the other hand, I address successfully the Firebase API at https://firebasestorage.googleapis.com/v0/b/<bucket>/o in the same way with the bearer and the Firebase auth token.
I am looking for a way to list all objects within a directory under Firebase storage for a signed-in Firebase user.
When I generate a token using createCustomToken from Firebase admin sdk, how can I verify that is the valid token without using the SDK again?
I assumed its a valid OAuth token but I can not find the signing key and therefore check the integrity. I use Firebase Auth for storing the token and the admin sdk.
Custom Tokens created with the Firebase admin SDK are signed using a service account. In the default setting the service account email has the form firebase-adminsdk-bh96s#<YOUR_PROJECT_ID>.iam.gserviceaccount.com.
Under https://www.googleapis.com/robot/v1/metadata/x509/<service account email> you will find the corresponding public keys.
See also https://firebase.google.com/docs/auth/admin/create-custom-tokens
Firebase ID tokens are JWTs (JSON Web Tokens) and can be verified either with the Firebase Admin SDK, or with any other JWT parsing library.
I am using firebase mobile otp authentication. After successful authentication my android app receives a token which I have to verify on my django server. But while I was reading the docs of verifying this token, it comes out that if someone knows my firebase project-id, they can generate valid tokens anytime they want.
To get contec, look at the last method to verify firebase token at link
Isn't this quite risky, as once your firebase project id is known to someone, they can create fake tokens??
Also does custom authentication token help overcome this problem?
Thanks. Let me know if I have incorrectly understood the firebase token validation and it is not possible to create fake tokens once we know the firebase project-id.
ID tokens are signed by a private key owned by Firebase Auth. They cannot be forged. Note that the doc you've referenced also states:
Finally, ensure that the ID token was signed by the private key corresponding to the token's kid claim. Grab the public key from https://www.googleapis.com/robot/v1/metadata/x509/securetoken#system.gserviceaccount.com and use a JWT library to verify the signature.
A forged ID token will not pass the signature check.
from the below image in firebase docs they are saying that when user sign to app send their sign-in credentials with username(email) and password, they said that response will contain a custom token but for me in the response only showing access token and refresh token, if we use any of these two token for signInWithCustomToken getting an error of invalid token, please pull me out of this issue
Thanks in advance
I think you are misunderstanding this. For custom auth, you are typically using your own auth system and not Firebase. Following the docs, they assume you are using your own username/password auth system. In that case, you send both to your backend server. You verify the credentials (username, password) in your own auth system. If they are legit, you lookup the user id in your auth system database, you then use the Firebase Admin SDK createCustomToken(uid) to mint a custom token with that uid. You send it back in the response to the client. The client will then call signInWithCustomToken to complete the sign-in.
I realize you can create a firebase token by using
firebase login:ci
You can revoke an individual token by doing
firebase logout --token <token>
But how do you either a) revoke all of them, or b) list all the active tokens?
I want to make sure there aren't leftover tokens that are still active on a project.
These tokens are Google OAuth2 refresh tokens (see bullet 4 in Google Identity Platform). Their number is limited (i guess it is 25 ).
The easiest way to explicitly revoke a token is to use firebase logout --token <token> as you mentioned. I do not know of an API for listing outstanding refresh tokens, I'm not sure it exists.
But I do know that clicking 'Remove' on the Firebase CLI entry here: https://myaccount.google.com/permissions will revoke the active tokens.
Logging back in will prompt you for permissions again and if you grant them your new token will be the only valid one.
So, It's better to remove permission from your App permissions, so no leftover tokens are there on your project.
You should test this before I'd be certain it works, but you can likely go to Apps connected to your account for your Google account and revoke access to the Firebase CLI app. This should immediately revoke any outstanding tokens, and you can then run firebase login again to re-authenticate yourself.