Logging in anonymous user with custom token removes the anonymous status - firebase

What is the exact definition of an anonymous user in firebase authentication?
When I call signInAnonymously(), obviously the user is isAnonymous: true.
But if I create a custom token for the user via the admin sdk and then log in again with that customToken (using signInWithCustomToken(token)) the user is no longer isAnonymous.
Is this a bug or intended? And is there any workaround to persist that anonymous state?

What is the exact definition of an anonymous user in firebase authentication?
It's a user account that doesn't have a person's identity attached to it. It merely recognizes that someone (probably the same person) is using the app over time, on a specific device.
But if I create a custom token for the user via the admin sdk and then log in again with that customToken (using signInWithCustomToken(token)) the user is no longer isAnonymous.
When you sign in a new account, the prior account is always immediately signed out. This is true for all types of accounts, and has nothing to do with anonymous auth. There can only be one user signed in at a time.
Is this a bug or intended?
Working as intended.
And is there any workaround to persist that anonymous state?
No, the anonymous account is signed out after you sign in a new account. If you instead want to upgrade that anonymous account with a known identity, you should look into linking a new identity to the existing anonymous account by converting the anonymous account to a permanent account. This will preserve the account, but it will no longer be anonymous (as it now contains some identity information in it).

Related

How to make firebase not create a new user for Google OAuth on sign in?

On sign in using firebase's Google OAuth provider, it automatically creates an account for the user if one does not exist. Is there a way to not create an account and return an error on sign in?
(https://firebase.google.com/docs/auth/web/google-signin)
When you call the sign-in method, it will create an account for the user if it does not exist.
If you want to check if an account exists or not, you would have to perform the "Login with Google" OAuth flow yourself (without the Firebase SDK) and then use a Cloud function to check if a user with the email exists (you might also have to maintain a list of users (their emails) in Firestore). If not, then you can create a new account with the access token you received.

Update specific firebase auth session custom claims

I'm using Firebase Auth in my app.
Auth methods: custom auth and Google sign-in. A user can log in using either of the two.
A user can have multiple auth sessions running on multiple devices.
Now, when the user logs in using custom auth, I set some custom claims [session id] while sending the custom auth token.
QUESTION
In case the user signs in using Google sign-in, how do I make sure that the custom claim is only applied to a specific session [using the Admin SDK to update custom claims]?
Use case: every session has a unique id so that it can subscribe to it, and once the session id is deleted from any other device the user gets logged out automatically.
Thanks in advance 🙏🙏🙏
This is not a use case supported by Firebase Authentication. Custom claims are attached to a user account, and will appear whenever that user signs in. They are not related to a user session, and are not temporary. If you need some sort of per-session permissions, custom claims are not going to help you out here.
It does appear to be possible to have something similar to per-session custom claims using Custom Tokens, and the custom claims will be "temporary" (not persisted on the Firebase user object).
1. Authenticate the user on the frontend using the typical Firebase process (Google Sign-In, email/password, etc.)
2. Send the token to your backend and validate it
3. Mint a custom token with the desired custom claim using the Firebase Admin SDK
4. Send the custom token to the frontend
5. Re-authenticate the user using signInWithCustomToken()
I've found this to be particularly useful when temporarily elevating or modifying a user's permissions (e.g. an admin performing a restricted action on behalf of another user).
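The backend half of the flow in this answer (validate the ID token, then mint the custom token), as an added example that is not part of the original answer. The `auth` parameter is assumed to behave like the Firebase Admin SDK Auth object; the claim names, the allowlist, the 300-second freshness limit and `fakeAuth` are illustrative assumptions.

```javascript
// Added example, not from the original answer. `auth` is assumed to behave
// like the Firebase Admin SDK Auth object (verifyIdToken, createCustomToken).

// Per-session claims the backend is willing to mint (hypothetical names).
// An allowlist also keeps reserved JWT names such as `sub` or `exp` out.
const ALLOWED = new Set(['sessionId', 'actingFor']);
const MAX_AUTH_AGE_S = 300; // assumption: minting requires a recent sign-in

// Pure check: turn a verified ID token plus the requested claims into the
// (uid, claims) pair to mint. The uid always comes from the verified token,
// never from the request body.
function buildSessionClaims(decoded, requested, nowS) {
  if (!decoded || typeof decoded.uid !== 'string' || !decoded.uid) {
    throw new Error('missing verified uid');
  }
  // Written so that a missing auth_time (NaN comparison) fails closed.
  if (!(nowS - decoded.auth_time <= MAX_AUTH_AGE_S)) {
    throw new Error('sign-in too old, re-authenticate');
  }
  const claims = {};
  for (const [name, value] of Object.entries(requested)) {
    if (!ALLOWED.has(name)) throw new Error(`claim not permitted: ${name}`);
    if (typeof value !== 'string' || value.length > 128) {
      throw new Error(`bad value for claim: ${name}`);
    }
    claims[name] = value;
  }
  return { uid: decoded.uid, claims };
}

// Validate the ID token sent by the frontend, then mint the custom token.
async function mintSessionToken(auth, idToken, requested, nowS) {
  const decoded = await auth.verifyIdToken(idToken, true); // true: check revocation
  const { uid, claims } = buildSessionClaims(decoded, requested, nowS);
  return auth.createCustomToken(uid, claims);
}

// Constructed stand-in for the Admin SDK so the example runs offline.
const fakeAuth = {
  verifyIdToken: async (token) => {
    if (token !== 'good-id-token') throw new Error('invalid ID token');
    return { uid: 'user-123', auth_time: 1000 };
  },
  createCustomToken: async (uid, claims) => JSON.stringify({ uid, claims }),
};
```

With the real Admin SDK, pass its Auth instance as `auth` and the current time in seconds as `nowS`.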

can I change authentication provider from google account to be anonymous in firebase authentication?

A user logs in using a Google account as the provider for authentication, like the image above. I want to make it so that when the user logs out, the provider changes from Google to anonymous. So when the user logs out, they will be anonymous but with the same userID Bdf2LPraRhbnWhP24eiSN3vTQ5G3
Can I do that?
I need to make it anonymous, because I want that user to still see some content in my app even when they log out. They need to be in the logged-in state to pass the security rules.
I want to make it so that when the user logs out, the provider changes from Google to anonymous.
There is no way you can automatically do that. When the user logs out, the created account still remains and cannot be converted in any way.
Firebase lets you create those anonymous accounts so you can authenticate with Firebase. These are only temporary accounts that can be used to allow users who haven't yet signed up to use your app. It's true that you can convert an anonymous account to a permanent account with Google, but the vice versa is not available.
It's also true that you can log a user out from Google, as well as from Firebase, and delete the Firebase account entirely, but if you try to create another anonymous account, a new UID will be generated. Unfortunately, there is no way to reclaim the old token for the user.
because I want that user to still see some content in my app even when they log out.
If you want the user to see some content even if they log out, simply display that content also for non-authenticated users. If you want to restrict that only for a particular user, then the user should be authenticated.

How many times anonymous users are created in Firebase

I would like to use the signInAnonymously feature from Firebase but I'd like to know how it works exactly.
Is this anonymous user added like any other user in Firebase (but without an email or password)?
Is it automatically removed after a certain time?
If I call this method on each app launch, will it create a new user every time? How will it know how to reuse an old one? Local storage?
So will it create another user in the database if my user connects from another device?
Thanks a lot
An anonymous user account is similar to any other user account in Firebase, except that there is no way to identify the user.
Anonymous users are not automatically removed.
Each time you call the API to create an anonymous user, a new account will be created. To re-use the existing account, you should listen for the auth state when the app starts and only create a new user account if the user isn't signed in yet.
If the same (anonymous) user signs in from multiple devices, they will get a separate account on each. If that is not what you want for your use-case, you should require one of the identified authentication methods (email/password, Facebook, Google, etc).
Frank's answer to the third question is incorrect.
From the documentation:
If there is already an anonymous user signed in, that user will be returned instead. If there is any other existing user signed in, that user will be signed out.
Therefore, this method can be safely called every time the application starts.

Firebase creating empty users, even though the Auth feature requires email

I am using Firebase's auth feature and sometimes I see empty users in the console. This brings issues to some users because instead of logging into their main account (and using their UID to fetch their user data in a users reference), they log into that empty account with a UID which is not theirs.
Not sure exactly how that can happen, but it seems like this could be a bug on Firebase's side, because a successful Auth should have at least 1 provider...
Any ideas about such issue and how I could fix it from my side if possible?
Ps.: Is that how "signInAnonymously" would create anonymous accounts?
This is intended behavior when you authenticate with Firebase anonymously.
The signInAnonymously() method signs in the user anonymously without requiring any credential and creates a new account in your Firebase Authentication system, except in the case where there was already an anonymous user signed in to the app.
See FirebaseAuth.signInAnonymously class reference for more details.
