I have implemented Firebase custom authentication using the firebase-admin library in Python on my server.
The first time I use the token, it works fine and I'm able to authenticate.
But if I restart my node.js application a few minutes later, I get the error:
The custom token format is incorrect. Please check the documentation.
Which I believe means that it has expired, even though I never logged out.
This does not seem to be working:
Once you've called authWithCustomToken successfully, you stay logged in forever (until you sign out explicitly) so you should be able to get devices to have a long-lived authentication session without minting long-lived custom tokens.
How do I explicitly save the authentication between application restarts? Or do I have to mint a new custom token on every restart?
Custom tokens are only valid for an hour. However, I'd suspect your caught error code to be something different. I'm personally on a quest to figure out how to best keep these tokens refreshed, but I do wonder if a deployed instance restarting might be an alternate cause of tokens being invalidated.
Related
This is my first GAE app so please let me know if my approach is wrong. I have knowledge of Flask and have used Flask-Login before for my authentication needs. With GAE, it seems they suggest to use Firebase. Mine is not a SPA but I wanted to use Firebase UI and let it handle all the user authentication part.
Looking at the examples here https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/appengine/standard_python3/building-an-app/building-an-app-3/static/script.js#L42 , i can verify the token server side using the Python Admin SDK. https://firebase.google.com/docs/auth/admin/verify-id-tokens#python or a more developed example https://firebase.google.com/docs/auth/admin/manage-cookies#python . I am able to do this but I am a bit confused about the flow later on.
In the same example, they suggest to store the token (or some part of claims) as secured cookie. This is similar to how Flask Login also stores the cookie and then we verify the cookie in every request - but since in the case the backend is local REDIS or any storage, the validation is not expensive. But when using Firebase, it seems we will have to call Firebase for every api call to validate the token.
Otherwise, it could that be that user has changed their password or reset something in their Google/Facebook provider and we wont know at our server till we validate things at the provider end. This also prevents us from developing locally offline (or we write some logic to specially handle local development).
Whats the best way to solve this?
You can use the Firebase Admin SDK to manage users or to manage authentication tokens, according to the official documentation – marian.vladoi
I'm looking at using Firebase authentication (essentially JWT) with my React and express application and I wondering about the sanity/safety of mixing it with long-term session management.
The reason I'm thinking about this is because Firebase is free and very easy to integrate. However, verifying the JWT token server-side is an expensive call that I don't think is supposed to be performed on every request. Firebase offers a secure cookie, but there is a max ttl of 2 weeks. My app doesn't need that much security and I think the majority of my users would be annoyed if I asked them to re-authenticate every 2 weeks so I'm looking at a better solution.
So here's my thought:
User authenticates with Google/Firebase and front-end gets the token.
Front-end sends token to back-end and back-end verifies token with Google and checks that log in time was recent.
Back-end then creates or gets user from my db and sets the user id in a long lasting express session and all subsequent requests use that (except in the case of something rash like deleting your account where I would require the token again).
Essentially this is using the token to do the initial authentication/verification, but afterwards using the standard express session.
As far as I can tell, this really isn't different from what passport does after authenticating. But I would appreciate some verification that this is relatively safe given that it's over HTTPS and I protect against CSRF.
The biggest problem I can see is that it's not as safe as the token method in the case of theft because of the token's shorter lived nature, but is it any worse than using passport and having to store my user credentials myself?
So is this safe or stupid?
Thanks!
I'm creating an app using firebase authentication and I'm still new to authentication and authorization. What I have already done is implement firebase authentication in the front end, when a user signs up successfully it will request to the backendend and verify its idToken firebase admin. When it's verified, the user's data will then be stored in the database together with the uid returned in verifying the idToken.
All is working but I have no clear idea on the best practices on authentication, am I on the right track? From what I've read, authenticated client should also pass a token in the header.
Should I return the uid to the client and use it in the header? If so, should the backend use it to check if there's a matching token in the database every client request?
I'm really quite lost with the log in flow standards, any answers are much appreciated thank you.
All right, so the first thing to understand is that Firebase operates on a client-side paradigm, meaning that you actually don't need to and should carefully consider whether you need to conduct Firebase operations server side. In principle, you can do everything on javascript on the web browser. or Android app. or iOS app.
If you do decide to move some functions server side, next best solution is to do them as hosted cloud functions in firebase too. See:
Callable cloud functions
If for some reason you need to deploy and host your own code, then you can continue as you are, doing auth client side, passing the token, decoding the token with node admin, and manually checking the user permissions as applicable.
Like the Facebook application, you only enter your credentials when you open the application for the first time. After that, you're automatically signed in every time you open the app. How does one accomplish this?
There's a commom line in all auto-login implementations
Upon an initial login, a token is received and stored on the client side
Upon subsequent visits, if token is available on the client side, the server resolves the identity and logs in automatically
Now concrete implementation variations can be numerous. The token can be a session ID (encripted or not), OAuth token, custom token, username and password should be avoided. Storing token can be on within a browser cookie, browser local storage, can have a server counter-part. Security is the major concern. Generally about the topic you can read more here https://softwareengineering.stackexchange.com/questions/200511/how-to-securely-implement-auto-login
You have an interesting explanation of how does Stackoverflow do it https://meta.stackexchange.com/questions/64260/how-does-sos-new-auto-login-feature-work.
I am using Symfony2.0 and FOSOAuthServerBundle, which implements OAuth2, for managing my APPs clients access to my PHP server.
Everything works perfectly, any token generation, refreshing, etc, etc...
One of the gotten effects is that anytime I enter the APP, I don't need to re-enter my credentials, as the token is still valid or, else, I refresh it using the proper API method.
Typical behavior and all perfect so far.
Now I need to develop a "Logout" button in my APP in order to invalidate that user's token and avoid the use of any refresh_token for him. Sort of revoke his token and/or credentials. In other words, really simulate a Logging Out from the server causing the user to re-enter his credentials next time he gets into the APP.
What OAuth2 sets up for this? Is it a standard behavior with its own API method? Or should I override any behavior in order to getting it?
In case someone's stuck on same thing, I had similar questions, but it turned out to be a conceptual mistake.
Perhaps this may help you:
https://github.com/FriendsOfSymfony/FOSOAuthServerBundle/issues/236
By definition, oAuth2 is STATELESS, so, it does not make sense loging out from an oauth server. To do that, just, destroy the access Token in client side app (We suppose here that you have the control of the app).
But, when a third-party app is connected to your server, you can force the logout mechanism by removing all access tokens that was given by your server to that user of client application. So, when app wants to use one of the destroyed tokens, it will get a 401 HTTP RESPONSE (The access token provided is invalid). Note that if the application has saved the user password in its local storage, it can login automatically to your server without asking the user to enter its password. so, destroying Access Tokens in server side is not a sure method.