Revoking Access Token - apigee

How can I Generate access token that is used by two #username but once first #username logs out it should be deactivate for that #username but active for other #username?If the first username again tries to login it need to generate access token again.

You can have a policy to invalidate the access token as soon as the user logs out.

Related

How can I get the anonymous access token after the user has logged in with an email account?

As part of my project, I need to send both the anonymous and the email access token to the backend.
Unfortunately, after the user logs in through the Firebase-UI, Firebase only returns the token for the newly logged-in user.
I could of course store the anonymous token, but it's possible that that would expire in the meantime. So is there a way to keep both the anonymous user as well the signed-in email user and get their token?
I need to send both the anonymous and the email access token to the backend.
You can do that, but separately. You cannot have a single user logged in with two different providers at the same time.
Unfortunately, after the user logs in through the Firebase-UI, Firebase only returns the token for the newly logged-in user.
That's the expected behavior. Since you can only read the token of the currently logged-in user.
but it's possible that that would expire in the meantime
The anonymous auth token that identifies the account doesn't persist when the user logs out, and unfortunately, there is no way to reclaim that token for the user. Firebase anonymous authentication helps you create and use temporary accounts to authenticate your users in your application. These temporary anonymous accounts can be used to allow users who haven't yet signed up for your app. If such an anonymous user decides later to sign up for your application, you can link their sign-in credentials to the anonymous account.
So is there a way to keep both the anonymous user as well the signed-in email user and get their token?
No.

Firebase resetting password without verifying the account

Is there a way for a user to reset his firebase password without actually verifying the account when resetting the password?
Initially when an account is created the "verified" in the userinfo is set to false, once the account is created we receive an email with the verify account url.
However, when the user "forgets his password", the password reset mail is send to the user and when he actually resets the password, the firebase userinfo "verified" is set to true.
E-Mail verification just confirms that the email belongs to that person by generally sending a link or so. Now if a user can access the link to reset password then they definitely own that email (unless someone else has access to their device).
If that's a strict requirement to not set emailVerified to true on verifying email then you'll have to implement your own logic using Firebase Admin SDK which would run on a Cloud function or custom server.

Firestore reauthenticate user

I'm using Delphi 10.4.2 and FB4D to do a mobile app.
The first time the user open the app, he create an account (mail / password).
Then he can call Firebase to get documents where he is the owner (settings Firestore rules).
The user can close the app.
When he open it, I didn't want ask him for the password, and I didn't want to store the password on a config file to login him.
I prefer to store a token, and then ask for refresh when it is expired.
When a user is login, I can refresh token like that :
if fAuth.NeedTokenRefresh then
fAuth.RefreshToken(OnTokenRefresh, onUserError);
The problem is that the second time he open the app, FAuth isn't initialized. Unless I store mail / pwd and login user, what I didn't want to do.
Does it's possible ?
If someone have same question, you can login a user with the last refresh token you get :
FraSelfRegistration.Initialize(FConfig.Auth, OnUserLogin, 'last_token');
You need to add the uses FB4D.SelfRegistrationFra and init FConfig like that :
FConfig := TFirebaseConfiguration.Create(ApiKey, ProjectID, '', FirebaseURL);
So you can login user without store any password
Never save the user's email and password in your app!
I do this in the demo application only to accelerate the first step in learning firebase/FB4D.
Instead, save the RefreshToken as implemented in the self-registration frame.
Good success with FB4D!

Regenerate ( refresh ) Token on Browser

The scenario is, we have a website which for some web notification we're using web push and after user login into the website we check that if he/she granted notification permission to us we don't ask it ,if not we ask to enable notification, The generated Token is per browser I mean if the user log-out and another user login to our website previous Token available for the new logged in user, So if we want to notify the previous user, the new user got our notification.
The simple solution is on Logout delete the token and after each login we should ask user to grant permission again to us but it's bothering user, I have an idea when user login to the site, we check that previous user was herself/ himself, we do nothing , but if there is another user, without asking to grant permission again(while we asked them before) we refresh the token , I mean regenerate another Token for him/her and save that Token in our backend, My question is How can we regenerate the Token without asking again to grant Notification permission in the Browser?
You can't regenerate the token without revoking permission.
However you can use the same strategy that we have used for Pushpad:
each token (i.e. browser) in your database is present only once
each token has at most one user ID associated to it
when the user logs out you remove the user ID from the token
when the user logs in you add the user ID to the current token
when you need to send notifications you target specific user IDs

Firebase ID Token change when password reset

I use Firebase ID Tokens to show data on my site when someone is logging in.
I save the token in a cookie on the client side and when the client accesses the website it takes the token from his cookie file and sends it to my backend server.
I would like to remove all ID Tokens when a password is reset so all the logged in clients using that username and password would disconnect.
Is this option valid? If so how can you do it? They don't seem to mention it in their docs.
When a user's password is reset, changed or the associated email is updated, Firebase Auth will invalidate all existing sessions for that user for security reasons. This effectively invalidates that user's ID token from the perspective of Firebase Auth backend. The refresh token will also not be able to issue a new ID token.
Also I agree with Scott. You should use currentUser.getIdToken() to get the ID token instead of storing it yourself. This API takes care of refreshing the ID token for you when it expires.

Resources