I can not find how should handle the auth part correctly. Basically, my backend returns me a token, and with this token, I call auth().signInWithCustomToken(token). All works fine my users have access to chat and other things. Also, on signout I call auth.signout(). But the problem is if the user does not use the app for some time and when coming to the app with refresh token if it is valid we generate new accessToken. But how to handle firebase part in this flow because user can not access chat, etc because it seems firebase token is not valid anymore. Any idea how to handle refresh token or flow in this case?
Once you've signed out with signout(), refreshing a token won't help at all. The user is fully and completely signed out. If you want to sign back in, you will need another new token to sign in with signInWithCustomToken(). Once the user is signed in, the Firebase SDK will automatically refresh a token to keep that sign-in alive for a long as needed. There is nothing you need to do for that.
Related
I am trying to sign in with google using
IAuthResult user = await FirebaseAuth.Instance.SignInWithCredentialAsync(credential as AuthCredential);
then I can get the idToken using
var token = user.User.GetIdToken(false);
but there is no way to get the refresh token to store it in order to check if it is valid or not.
Any suggestion?
You don't actually need to use the refresh token yourself. This is handled behind the scenes from the Firebase SDK so you will remain connected so long as you do not sign out. The tokes expire after one hour but they will be automatically refreshed. You can revoke a refresh token using the Admin SDK. https://firebase.google.com/docs/auth/admin/manage-sessions
I am starting to learn about JWT and I was wondering if some one got a hold of both my id token and refresh token, could that someone access firestore or other firebase resources pretending to be me indefinitely(until the refresh token is revoked)?
If so, how does firebase prevent this from happening?
I can't help feeling that the if someone could get my id token, it's not that hard to access the refresh token as well.
All communication with Firebase APIs are over HTTPS, which means that no one can listen in on that communication. It is secure. If someone got both a fresh ID token and a refresh token, then could impersonate you when making calls to Firebase APIs.
However, no one can get your ID token or refresh token unless you make a security mistake. For example, leaving your computer unlocked while you're signed in would be a bad idea. Or, having a password that's easy to guess. Use all the standard security precautions, and you won't have a problem.
I used the token generated by my authentication server to sign my users in using signInWithCustomToken(token). Now what I cannot figure out is if they sign out, how will I sign them back in ?
I don't think saving the generated token in the database is a good idea because then I am going to have to give it public access so the user can access it.
Any ideas ?
If the user signs out. You have to go through the same mechanism you used initially to generate the custom token. Do not save the custom token. Besides it is only valid for a short period of time.
One example is if you are using our own username/password auth system. You ask the user for the username/password, verify it in your own server and then issue the custom token back to the client, client calls signInWithCustomToken and user is signed in. If the user signs out, you have to repeat the process.
I implemented Auth with Firebase + Facebook. To be able to use the Auth with my custom backend I implemented the admin SDK on my node Server. Now I am trying to validate if my Firebase token is still valid to know when I need to show the login screen. I could probably send the token to my custom backend. But since I don't need anything else from the backend, it would be easier to directly call firebase from the client.
Does someone know if a function like that exists?
Firebase client SDKs periodically refresh the ID tokens and keep them alive. Therefore the token will remain valid, until the client explicitly invokes a sign out operation. See this discussion for more details: https://groups.google.com/forum/#!msg/firebase-talk/rjR0zYiiEhM/Clt9aFtgAwAJ (It is a little old, but still relevant
I'm using Google Sign-In. A user comes to my site and logs in with gapi.auth2.getAuthInstance().signIn(), or they are already logged in and when the page loads (or reloads) we fetch the status. At this point I have an identity token good for an hour that I can validate on the server.
When a user leaves the browser sitting (say, overnight), this token expires. gapi.auth2.getAuthInstance().isSignedIn.get() returns true, but the token does not validate.
How can I log in a user and keep them logged in while their session is active (ie, browser hasn't been closed)? Or refresh the token? Anything more graceful than reloading the page...
Edit: The refresh token is not a correct answer; I don't want offline access (and don't want to ask for the permission). Google obviously thinks the user is still signed into my application; the user can reload the page and get a new token without providing credentials again. Surely there is some mechanism more graceful than a hidden iframe to get an updated token?
If the token is expired, you can call gapi.auth2.getAuthInstance().currentUser.get().reloadAuthResponse(). It returns a Promise.
I've raised an issue with Google over this because it's simply ridiculous they haven't documented this properly.
My comment here advises how I've accomplished refresh using the above.
FWIW, we've managed to (mostly) make it work via a listener approach. It appears that 'userChanged' callback is invoked ~5 minutes before the access token expires. That's enough for us to extract and update the access token without refreshing the page.
What does not quite work though is when computer comes back from sleep. This can be solved relatively easy by reloading the page on wake up.
You can accomplish this with listeners.
var auth2 = gapi.auth2.getAuthInstance();
// Listen for changes to current user.
// (called shortly before expiration)
auth2.currentUser.listen(function(user){
// use new user in your OpenID Connect flow
});
This will allow you to keep current credentials, as long as the browser remains active.
If the computer is put to sleep additional work must done to get current credentials.
if (auth2.isSignedIn.get() == true) {
auth2.signIn();
}
You can use Refresh Token to get offline access. As per the official reference
Access tokens have limited lifetimes. If your application needs access to a Google API beyond the lifetime of a single access token, it can obtain a refresh token. A refresh token allows your application to obtain new access tokens.
Basically you will get the refresh token the first time you ask for authentication. You need to save that token securely for future use. The access token (you mentioned as identity token) expires after an hour. After that you have to use the refresh token each time you want to get a new usable access token.
Depending on the client library you are using the syntax will differ. following is a sample for php client library.
// get access token from refresh token if access token expire
if($client->getAuth()->isAccessTokenExpired()) {
$client->refreshToken($securelyPreservedRefreshToken);
$newToken = $client->getAccessToken();
}
check this for details steps.