I am able to allow users to log in to Firebase using email and password. I followed these instructions: https://firebase.google.com/docs/reference/rest/auth/#section-sign-in-email-password
However, after 1 hr it seems the auth expires and I can't use my app anymore. Does anybody know how I can extend that hour? I have read MULTIPLE posts with very similar questions, but I can't find a clear answer. IT seems some people think there is a way to obtain a reauth token or something like that, but still no clear answer.
Manage User Sessions
Firebase Authentication sessions are long lived. Every time a user signs in, the user credentials are sent to the Firebase Authentication backend and exchanged for a Firebase ID token (a JWT) and refresh token. Firebase ID tokens are short lived and last for an hour; the refresh token can be used to retrieve new ID tokens. Refresh tokens expire only when one of the following occurs:
The user is deleted
The user is disabled
A major account change is detected for the user. This includes events like password or email address updates.
Manage Tokens on Web Client
The website client code can call User.getIdToken(forceRefresh?: boolean):
Returns the current token if it has not expired. Otherwise, this will refresh the token and return a new one.
This would need to be called each time a token is sent to the server.
Alternatively, user sessions may be managed via session cookies.
Manage Session Cookies
Firebase Auth provides server-side session cookie management for traditional websites that rely on session cookies. This solution has several advantages over client-side short-lived ID tokens, which may require a redirect mechanism each time to update the session cookie on expiration:
Improved security via JWT-based session tokens that can only be generated using authorized service accounts.
Stateless session cookies that come with all the benefit of using JWTs for authentication. The session cookie has the same claims (including custom claims) as the ID token, making the same permissions checks enforceable on the session cookies.
Ability to create session cookies with custom expiration times ranging from 5 minutes to 2 weeks.
Flexibility to enforce cookie policies based on application requirements: domain, path, secure, httpOnly, etc.
Ability to revoke session cookies when token theft is suspected using the existing refresh token revocation API.
Ability to detect session revocation on major account changes.
Related
I am new to firebase.
I don't understand how I can keep the users of my firebase app logged in when the max expiration time of an auth token in 1 hour.
I could use a function that uses the refresh token every hour but what do I do if the users phone isn't charged?
Thank you very much for any help.
A Firebase user's access token (or ID token) has a lifetime of an hour. After signing in the user, Firebase issues a refresh token that is used to get new access tokens if that refresh token is still valid and hasn't been revoked. If you are using the Firebase Client SDKs, they will handle getting new ID tokens as needed for you. Refer to the ID tokens documentation for more information.
An ID token essentially states "within the last hour, I have confirmed that I am this user".
If you are making use of Custom Authentication tokens from an Admin SDK, the token you give out to the caller also expires in an hour, but should be exchanged for a refresh token before it expires. Like described above, this new refresh token is used to request new ID tokens as they expire.
Firebase uses multiple token types to manage the authentication state of the user. The shortest lived of these (known as the ID token) expires an hour after it was created, but all Firebase SDKs actually automatically refresh that ID token before it expires.
This is handled for you behind the scenes, so in practice you shouldn't have to worry about token expiration - and your code can just get the currently signed in user everywhere it needs.
I like to implement the functionality
where if two users are trying to login with the same credentials then the first user should log out as soon as the second user login.
consider user one is logged in with his credentials from one machine
and he/ another user is trying to log in from another machine
then the user one session should be removed as soon as user one logged in.
Ps:
I tried to implement that by saving the current session id in the user table and overriding the OnCreated method from the IAuthSession interface and then checking in that if the request sessionId is the same as the saved session Id if same then process the request else call the lout endpoint.
But It will be not good for performance and I am not sure if it is a good way to do that?
PS: I am using a JWT token.
Update :
I am able to clear the session by using ICacheClient to get the session and then remove a session from the server using IRequest.RemoveSession(sessionId), but is it not log out the specific user.
You can't invalidate a user authenticating with stateless authentication like JWT which has the signed authentication embedded in the Token which is valid until the JWT expiry.
i.e. you can't revoke a JWT Token after it's already been issued.
There is a JwtAuthProvider.ValidateToken filter you can use to execute custom logic to prevent a user from authenticating which you may be able to use however that would require that you manage a collection of Token info you want to prevent from authenticating before its Token expiry.
I understand that the ID token are JWT with an expiry. However, I am curious if there is a way to set some sort of expiry on the refresh token given by Firebase sign in that allows us to call Firebase to get a fresh ID token - AFAIK these never expire.
Refresh tokens don't expire after a certain time interval. The Firebase documentation on managing user sessions says:
Refresh tokens expire only when one of the following occurs:
The user is deleted
The user is disabled
A major account change is detected for the user. This includes events like password or email address updates)
But you can revoke the refresh token (since it's really just an OAuth2 token). See the documentation on revoking refresh tokens for more on that.
We have a REST API (Python + Flask) that is exposed to external users through Google cloud functions. We also have a web application (React) that uses this API to show the results on the web. So we have two interfaces for our functionality: REST API and Web.
Now as per the new requirement we are implementing user Registration / Sign-in module (using Email & Password) on our website So that only registered / signed-in user can see the results on Web site.
We are planning to use Firebase. Integrating Firebase Client SDK in our website was straight forward (a new login page added so that users can sign-in and once logged-in, they will remain logged in until the browser cookies are cleared).
We want to have similar authentication for our REST API’s users as well. The API user will first register himself on our website. We’ll expose one more REST API SignIn where he will pass registered email & password, which we will valid using Firebase SignInWithPassword (Firebase Admin SDK / Firebase REST API) and return the ID Token / Refresh Token. Now while using any other exposed API the user needs to send these tokens IDToken / RefreshToken , which we will validate using VerifiyIDToken().
The problem is that ID Tokens are short lived (1 hour expiration), and after that VerifyIdToken will fail. Now we don’t want API user to either call SignIn API again to get new ID Token / RefreshToken or to visit our website to get any such token.
Is there is any way we can refresh API’s user ID Token without asking him to sign-in again?
Manage Tokens on Web Client
The website client code can call User.getIdToken(forceRefresh?: boolean):
Returns the current token if it has not expired. Otherwise, this will refresh the token and return a new one.
This would need to be called each time a token is sent to the server.
Alternatively, user sessions may be managed via session cookies.
Manage Session Cookies
Firebase Auth provides server-side session cookie management for traditional websites that rely on session cookies. This solution has several advantages over client-side short-lived ID tokens, which may require a redirect mechanism each time to update the session cookie on expiration:
Improved security via JWT-based session tokens that can only be generated using authorized service accounts.
Stateless session cookies that come with all the benefit of using JWTs for authentication. The session cookie has the same claims (including custom claims) as the ID token, making the same permissions checks enforceable on the session cookies.
Ability to create session cookies with custom expiration times ranging from 5 minutes to 2 weeks.
Flexibility to enforce cookie policies based on application requirements: domain, path, secure, httpOnly, etc.
Ability to revoke session cookies when token theft is suspected using the existing refresh token revocation API.
Ability to detect session revocation on major account changes.
I use Firebase ID Tokens to show data on my site when someone is logging in.
I save the token in a cookie on the client side and when the client accesses the website it takes the token from his cookie file and sends it to my backend server.
I would like to remove all ID Tokens when a password is reset so all the logged in clients using that username and password would disconnect.
Is this option valid? If so how can you do it? They don't seem to mention it in their docs.
When a user's password is reset, changed or the associated email is updated, Firebase Auth will invalidate all existing sessions for that user for security reasons. This effectively invalidates that user's ID token from the perspective of Firebase Auth backend. The refresh token will also not be able to issue a new ID token.
Also I agree with Scott. You should use currentUser.getIdToken() to get the ID token instead of storing it yourself. This API takes care of refreshing the ID token for you when it expires.