Is there a period of life (how long do they expiring) for the oobCodes that Firebase sends with actions like password reset or email verify requests? And can it be configured?
if you are using the Android SDK you should not have to worry about token expiration. The auth and database SDKs talk to each other and the token is automatically refreshed every hour. This should all be invisible to your application.
Are you having some problem where this is not the case?
I've migrated from the legacy firebase to google-firebase. I've semi-private information the access to which was being controlled using tokens with a large expiry time. This has become impossible with the current limitation.
If we use default Auth providers like (Google, Facebook, Email..), updating "SHA-1 key" in firebase console would enable Automatic token refresh.
But in custom authentication, Firebase SDK need to contact 3rd party server to fetch new token.
# Revoke tokens on the backend.
auth.revoke_refresh_tokens(uid)
user = auth.get_user(uid)
# Convert to seconds as the auth_time in the token claims is in seconds.
revocation_second = user.tokens_valid_after_timestamp / 1000
print('Tokens revoked at: {0}'.format(revocation_second))
Related
Signing in into my firebase app via REST https://firebase.google.com/docs/reference/rest/auth only returns tokens which expire after 1 hour (3600 seconds, according to the REST response). I don't see any way to change this.
Using firebase JS SDK, the authentication persists "forever", which is what I would like to achieve. However I do not want to include the JS SDK in my app, if there is a way around it (mostly because of its size (~700kb)).
Is there a way to obtain a persistent login from the official firebase REST api?
Using firebase JS SDK, the authentication persists "forever"
This is because the JS SDK automatically takes in charge the action of getting a new user's Firebase ID token when the current one expires, by using the refresh token. See the doc.
So you need to implement this mechanism yourself when you work with the Firebase Auth REST API, by using the endpoint that allows exchanging a refresh token for an ID token.
For that you should use the refresh token you received the last time you logged in, e.g. by using the endpoint that signs in a user with email/password, or the last time you refreshed the ID token (see below).
You'll get a response which contains the new Firebase ID token and refresh token. Next time this new ID token expires, use again the refresh token, and so forth...
I understand that the ID token are JWT with an expiry. However, I am curious if there is a way to set some sort of expiry on the refresh token given by Firebase sign in that allows us to call Firebase to get a fresh ID token - AFAIK these never expire.
Refresh tokens don't expire after a certain time interval. The Firebase documentation on managing user sessions says:
Refresh tokens expire only when one of the following occurs:
The user is deleted
The user is disabled
A major account change is detected for the user. This includes events like password or email address updates)
But you can revoke the refresh token (since it's really just an OAuth2 token). See the documentation on revoking refresh tokens for more on that.
We have a REST API (Python + Flask) that is exposed to external users through Google cloud functions. We also have a web application (React) that uses this API to show the results on the web. So we have two interfaces for our functionality: REST API and Web.
Now as per the new requirement we are implementing user Registration / Sign-in module (using Email & Password) on our website So that only registered / signed-in user can see the results on Web site.
We are planning to use Firebase. Integrating Firebase Client SDK in our website was straight forward (a new login page added so that users can sign-in and once logged-in, they will remain logged in until the browser cookies are cleared).
We want to have similar authentication for our REST API’s users as well. The API user will first register himself on our website. We’ll expose one more REST API SignIn where he will pass registered email & password, which we will valid using Firebase SignInWithPassword (Firebase Admin SDK / Firebase REST API) and return the ID Token / Refresh Token. Now while using any other exposed API the user needs to send these tokens IDToken / RefreshToken , which we will validate using VerifiyIDToken().
The problem is that ID Tokens are short lived (1 hour expiration), and after that VerifyIdToken will fail. Now we don’t want API user to either call SignIn API again to get new ID Token / RefreshToken or to visit our website to get any such token.
Is there is any way we can refresh API’s user ID Token without asking him to sign-in again?
Manage Tokens on Web Client
The website client code can call User.getIdToken(forceRefresh?: boolean):
Returns the current token if it has not expired. Otherwise, this will refresh the token and return a new one.
This would need to be called each time a token is sent to the server.
Alternatively, user sessions may be managed via session cookies.
Manage Session Cookies
Firebase Auth provides server-side session cookie management for traditional websites that rely on session cookies. This solution has several advantages over client-side short-lived ID tokens, which may require a redirect mechanism each time to update the session cookie on expiration:
Improved security via JWT-based session tokens that can only be generated using authorized service accounts.
Stateless session cookies that come with all the benefit of using JWTs for authentication. The session cookie has the same claims (including custom claims) as the ID token, making the same permissions checks enforceable on the session cookies.
Ability to create session cookies with custom expiration times ranging from 5 minutes to 2 weeks.
Flexibility to enforce cookie policies based on application requirements: domain, path, secure, httpOnly, etc.
Ability to revoke session cookies when token theft is suspected using the existing refresh token revocation API.
Ability to detect session revocation on major account changes.
I can sign in users to Firebase using this HTTP API:
How do I sign out users, so that the Firebase idToken and refreshToken can no longer be used?
Also, how long is the refreshToken valid for?
If my user does not use my app for weeks, can I still use the refreshToken or will I need to get a fresh Google Sign In idToken and exchange it for a Firebase (idToken, refreshToken) pair via the /identitytoolkit/v3/relyingparty/verifyAssertion API?
I don't believe there is a sign out endpoint. You could try doing a redirect to https://accounts.google.com/Logout but I suspect that is signing out from all Google services which might not be a great idea.
The whole point of Refresh Tokens is that they can be used to access resources whether or not the user is present and signed in, so your comment "How do I sign out users, so that the Firebase idToken and refreshToken can no longer be used" is an oxymoron.
A Refresh Token is theoretically valid until a user specifically revokes it, but your app should code for the possibility that Google has expired it.
The client cannot directly revoke the ID token via the REST API, but both the Firebase Auth client SDKs (ex: Android) and the Auth Admin SDK do support it. So if your client platform isn't supported, but you are able to create a small server implementation (maybe through Firebase/Cloud Functions), you can create an HTTP endpoint that triggers ID token revocation.
Okay so in my iOS app I log the user into firebase, then get the jwt token. So now I have my server with an api which accepts an idtoken in the header of the GET.
What do I do here? Certainly I wouldn't be validating the JWT againt firebase on every single API call right? I mean its fast, but that adds latency with a second external check, no? How does one simply just decode that guy in C#? I have an Auth0 layer already and that decodes the JWT with my server-stored secret, but that same code doesn't work for the Firebase token.
Could it just be decoded then extract the user details from that, maybe just check expiry and if expiry > X months it's still okay?
In order to verify Firebase ID tokens and JWTs in general, you only make a network call on your server to get the public certs which are usually not updated for several hours. You could cache that and try to verify with an ID token and if it fails, only then, load the new public certs.
And yes, you must verify the ID token on each call especially since Firebase ID tokens expire after typically an hour and need to be refreshed continuously.