How can I get the anonymous access token after the user has logged in with an email account? - firebase

As part of my project, I need to send both the anonymous and the email access token to the backend.
Unfortunately, after the user logs in through the Firebase-UI, Firebase only returns the token for the newly logged-in user.
I could of course store the anonymous token, but it's possible that it would expire in the meantime. So is there a way to keep both the anonymous user as well as the signed-in email user and get their tokens?

I need to send both the anonymous and the email access token to the backend.
You can do that, but separately. You cannot have a single user logged in with two different providers at the same time.
Unfortunately, after the user logs in through the Firebase-UI, Firebase only returns the token for the newly logged-in user.
That's the expected behavior, since you can only read the token of the currently logged-in user.
but it's possible that that would expire in the meantime
The anonymous auth token that identifies the account doesn't persist when the user logs out, and unfortunately, there is no way to reclaim that token for the user. Firebase anonymous authentication helps you create and use temporary accounts to authenticate your users in your application. These temporary anonymous accounts can be used to allow users who haven't yet signed up for your app. If such an anonymous user decides later to sign up for your application, you can link their sign-in credentials to the anonymous account.
So is there a way to keep both the anonymous user as well as the signed-in email user and get their tokens?
No.

Related

Can I replace signed-in user using an older user uid in FireStore Anonymous Login?

In my app, users are signed in anonymously. If someone uninstalls the app and re-installs it, the new generated uid is different from the older one. Is there some way I can revert the firebase auth instance to use the older uid instead of the new one?
Once a user is signed out from Firebase's anonymous authentication provider, there is no way to reclaim that UID through that provider. Given that a user doesn't have to provide any credentials to sign in anonymously, allowing them to claim a specific UID would be a big security risk.
The only option would be to build your own provider for Firebase Authentication and give the user the same UID as before there, after you've verified that they are the same user.

[Firebase-OAuth]: How to access GitHub credentials/access token for returning customers

How to access tokens for Firebase Login with OAuth for an existing session?
I can access the accessToken as suggested here https://stackoverflow.com/a/38004400/2743101 during login with a popup.
Is there a native way of accessing it, when I have a returning already logged-in user, or do I have to persist the token myself?
Firebase Authentication only persists the credentials of the user for itself. It does not persist their credentials for the OAuth provider. If you want to re-use those across app restarts, you'll indeed have to persist them yourself.

Logging in anonymous user with custom token removes the anonymous status

What is the exact definition of an anonymous user in firebase authentication?
When I call signInAnonymously(), the user obviously has isAnonymous: true.
But if I create a custom token for the user via the admin sdk and then log in again with that customToken (using signInWithCustomToken(token)) the user is no longer isAnonymous.
Is this a bug or intended? And is there any workaround to persist that anonymous state?
What is the exact definition of an anonymous user in firebase authentication?
It's a user account that doesn't have a person's identity attached to it. It merely recognizes that someone (probably the same person) is using the app over time, on a specific device.
But if I create a custom token for the user via the admin sdk and then log in again with that customToken (using signInWithCustomToken(token)) the user is no longer isAnonymous.
When you sign in a new account, the prior account is always immediately signed out. This is true for all types of accounts, and has nothing to do with anonymous auth. There can only be one user signed in at a time.
Is this a bug or intended?
Working as intended.
And is there any workaround to persist that anonymous state?
No, the anonymous account is signed out after you sign in a new account. If you instead want to upgrade that anonymous account with a known identity, you should look into linking a new identity to the existing anonymous account by converting the anonymous account to a permanent account. This will preserve the account, but it will no longer be anonymous (as it now contains some identity information in it).

Firebase Anonymous Authentication

What happens to a user who has been anonymously signed into an app using Firebase anonymous authentication when they factory reset their device? Does all the information the app had on them get lost, or what does Firebase use to maintain user data?
An anonymous user in Firebase Authentication is not much more than their UID.
When you uninstall an app or wipe the device, that UID is wiped from the device. When the user signs in with anonymous authentication next time, they will get a new UID. There will be no connection between their previous UID and the new UID. This is the nature of anonymous authentication.
The information on the original UID will still exist on the Firebase servers, but there's no built-in way to connect the former UID and the next UID together.

Oauth Revoke access token only

I'm using OAuth 2.0 to log in users on my website, just like any kind of website (e.g. Google, Asana, etc.).
What I would like to know is if there is a way to revoke ONLY the access token and not the refresh token when the user logs out.
This is what I do:
When a user logs in, I create a session and obtain the access token (and the refresh token if the user logs in for the first time). When the user logs out, I just invalidate the session, but the access token is still valid.
Sure, the access token will invalidate after a while or when the user logs in the web app again but what I want to know is if the access token can be invalidated during the log out process.
There's no generic answer to this question, as the implementation of token revocation behavior with regard to related tokens is Authorization Server specific. Google will invalidate the refresh token together with the access token that is being revoked; other implementations may choose not to do so. Yet other implementations may not even offer a way to revoke access tokens at all.
For Google you can revoke the access token upon logout as described in https://developers.google.com/accounts/docs/OAuth2WebServer#tokenrevoke but it will also revoke the associated refresh token. You must then go through the authorization code flow again to get a new refresh token, which you could try with prompt=none to avoid the user being prompted.
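An added example, not code from the question or answer above, of a logout handler built on the behavior the answer describes: it revokes the Google access token at the revocation endpoint documented at the linked page (https://oauth2.googleapis.com/revoke, which takes the token as a form-encoded POST field), and, because Google revokes the associated refresh token along with it, it discards the stored refresh token as well and prepares the authorization-code URL with prompt=none for the next sign-in. The client id, redirect URI, scope and session store are constructed sample values, and the HTTP client is injectable (fetchImpl) so the flow can be exercised offline; the revocation endpoint and parameter names are Google's, everything else is this example's own.

```javascript
// Added example (not from the answer): revoke-on-logout for Google OAuth 2.0.
// Google's endpoints; client id, redirect URI and scope below are constructed.
const REVOKE_ENDPOINT = "https://oauth2.googleapis.com/revoke";
const AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth";

// Google expects the token as a form field in the POST body.
function buildRevokeRequest(token) {
  return {
    url: REVOKE_ENDPOINT,
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams({ token }).toString(),
  };
}

// Map the revocation response to an outcome the logout handler can act on.
// 200: revoked now. 400: the token was already invalid or expired, which for
// logout purposes is the same end state. Anything else is a transient error.
function interpretRevokeStatus(status) {
  if (status === 200) return "revoked";
  if (status === 400) return "already-invalid";
  return "error";
}

async function revokeToken(token, fetchImpl = globalThis.fetch) {
  const req = buildRevokeRequest(token);
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
  return interpretRevokeStatus(res.status);
}

// Authorization-code request for the next login. prompt=none asks Google to
// re-issue tokens without showing a consent screen if the user's Google
// session still allows it; the user must then be sent back to the flow
// without prompt=none if Google answers with an error.
function buildReauthUrl({ clientId, redirectUri, scope, loginHint }) {
  const params = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: "code",
    scope,
    access_type: "offline", // request a new refresh token
    prompt: "none",
  });
  if (loginHint) params.set("login_hint", loginHint);
  return `${AUTH_ENDPOINT}?${params.toString()}`;
}

// Logout: revoke at the provider, then drop the local session. The stored
// refresh token is dropped too, because Google revokes it together with the
// access token, so keeping it would only produce failing refresh attempts.
async function logout(session, sessionStore, fetchImpl = globalThis.fetch) {
  const outcome = await revokeToken(session.accessToken, fetchImpl);
  sessionStore.delete(session.id);
  return { outcome, sessionDeleted: !sessionStore.has(session.id), refreshTokenDropped: true };
}

module.exports = { buildRevokeRequest, interpretRevokeStatus, revokeToken, buildReauthUrl, logout };
```

The local session is deleted whether or not the provider call succeeded: a logout that leaves the session alive because Google returned a transient error would be the worse failure, and the access token expires on its own within its lifetime anyway.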