Forcing reauthentication with Firebase OAuth logins

Luke Hutchison

Jul 7, 2015, 10:26:00 PM
to fireba...@googlegroups.com
Is there a way to force users to enter their Facebook password each time they log in with Firebase? The required OAuth property is {auth_type: 'reauthenticate'} (https://developers.facebook.com/docs/facebook-login/reauthentication). The Firebase authentication API for Facebook doesn't seem to expose this option.

There are two main situations for wanting to force reauthentication:
(1) Where security is a bigger consideration than normal for the Firebase app;
(2) Where non-technical users are sharing a computer, and may not realize that to switch logins in the Firebase app, they have to log out of the Firebase app, then log out of Facebook, then re-log in to the Firebase app.

(Other OAuth login methods would benefit from this option too.)

Rob DiMarco

Jul 10, 2015, 1:02:18 PM
to fireba...@googlegroups.com
Hi Luke -

Thanks for reaching out with the question. Facebook's 'auth_type' flag is not currently supported by our login service, but I'll take a look and see what it would take to add this functionality, and how it could be generalized across the other OAuth providers. I'll post back on this thread when I have an update for you.

Thanks!

Rob

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/6500f202-f34b-4767-8862-3fe00bf370c4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Luke Hutchison

Jul 10, 2015, 6:05:08 PM
to fireba...@googlegroups.com

Thanks Rob. Another feature I would love to see is a simple mechanism for email address validation. The Firebase OAuth API for Facebook (and probably also for other OAuth providers) does not always return an email address. Some OAuth providers return both an email address and a flag indicating whether or not that email address has been validated by the provider.

If a validated email address is required for account creation, with the current Firebase auth system, you have to provision your own server just to safely validate a user-provided email address after OAuth sign-on. However, adding email validation to Firebase should not be much extra work, since the code is already written to support account creation via email address + password.

The implementation would accept a flag in the Firebase OAuth login API that specifies that a valid email address is required. Then in the OAuth callback, before returning authorization back to the user app, Firebase would check for the presence of a validated email address in the OAuth provider's response. If not present, Firebase would show its own redirect page or popup asking for an email address, and each subsequent attempt to log in would stop at that page (allowing the user to change the email address on subsequent attempts, if necessary, to have the validation link sent to a different address) until the validation link is clicked, after which login would be completed and the "login successful" state would be returned to the app. With the "email address required" flag set, the app would always be guaranteed to be provided with a valid email address on login success. 
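
The callback check proposed above, as an added example that is not part of the original post and not Firebase code: the function names, the in-memory `pending` store and the `email_verified` field name are assumptions, and checking the validation link's token is left to the caller.

```javascript
// Added illustration: function names and the in-memory store are hypothetical.
// pending: provider uid -> { email, verified } for logins held at the e-mail step.
const pending = new Map();
const norm = (s) => String(s).trim().toLowerCase();

// Accept a provider e-mail only when the provider flags it as verified.
// The flag is tolerated as boolean true or the string "true" (assumption).
function providerVerifiedEmail(profile) {
  const flagged = profile.email_verified === true || profile.email_verified === 'true';
  const looksValid = typeof profile.email === 'string' && profile.email.includes('@');
  return flagged && looksValid ? norm(profile.email) : null;
}

// Runs in the OAuth callback, before the app is told that login succeeded.
function finishOAuthLogin(uid, profile, { requireVerifiedEmail = false } = {}) {
  const email = providerVerifiedEmail(profile);
  if (email || !requireVerifiedEmail) return { status: 'ok', uid, email };
  const held = pending.get(uid);
  if (held && held.verified) return { status: 'ok', uid, email: held.email };
  // Every login attempt stops here until the validation link has been clicked.
  return held
    ? { status: 'verification_pending', uid, email: held.email }
    : { status: 'email_required', uid, email: null };
}

// The user entered or changed an address on the interstitial page.
// Overwriting the record drops any earlier, still unverified address.
function submitEmail(uid, email) {
  pending.set(uid, { email: norm(email), verified: false });
}

// Called by the validation-link handler once the link itself has been checked.
// The address must equal the one currently pending, so a link mailed to an
// address the user has since replaced cannot complete the login.
function confirmEmail(uid, email) {
  const held = pending.get(uid);
  if (!held || held.email !== norm(email)) return false;
  held.verified = true;
  return true;
}
```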

Jacob Wenger

Jul 14, 2015, 3:23:26 AM
to fireba...@googlegroups.com
Hey Luke,

Thanks for the feedback. We are actively working on email verification and appreciate your thoughts. We haven't considered implementing email verification via the OAuth flow (and to be honest, that seems super tricky), but we will most definitely have it for email / password authentication in the near future.

Jacob

Luke Hutchison

Jul 24, 2015, 7:29:37 PM
to fireba...@googlegroups.com
Hi Jacob and Rob,

Here's another suggestion of a variant of login that could be very useful to add to Firebase, and probably would not require much additional work to support: password-less login via email:


You enter your email address, and you're emailed a link that contains a login token that is exchanged for a session token in a cookie when you click on the link. It's basically "OAuth without the need for an OAuth server", in the sense that the token exchange happens over email and HTTP requests, with no need for a 3rd party OAuth server.

I hope you can consider adding this too!

Thanks,
Luke
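
The emailed-link token exchange described above, as an added example that is not part of the original post and not Firebase code (Node.js; the function names, the `purpose` values, the 15-minute lifetime and the in-memory store are assumptions). It shows the properties such a link needs on the server side: an unguessable token, only its hash stored, single use, expiry, and binding to one purpose.

```javascript
const crypto = require('node:crypto');

const TTL_MS = 15 * 60 * 1000;   // assumed link lifetime
const issued = new Map();        // sha256(token) hex -> { email, purpose, expires }

const digest = (token) => crypto.createHash('sha256').update(token).digest('hex');

// Create the secret that goes into the emailed link. Only its hash is stored,
// so reading the store does not yield a usable link.
function issueLinkToken(email, purpose, now = Date.now()) {
  // One live link per (email, purpose): a new request revokes older ones.
  for (const [key, rec] of issued) {
    if (rec.email === email && rec.purpose === purpose) issued.delete(key);
  }
  const token = crypto.randomBytes(32).toString('base64url');
  issued.set(digest(token), { email, purpose, expires: now + TTL_MS });
  return token;
}

// Handle a click on the link. The token is consumed on first presentation,
// must match the purpose it was issued for, and is rejected after expiry.
// Returns the e-mail address on success, null otherwise.
function redeemLinkToken(token, purpose, now = Date.now()) {
  if (typeof token !== 'string' || token.length > 128) return null;
  const key = digest(token);
  const rec = issued.get(key);
  if (!rec) return null;
  issued.delete(key);            // single use, even if the checks below fail
  if (rec.purpose !== purpose || now > rec.expires) return null;
  return rec.email;
}

// After a successful 'login' redemption the server mints its own session id
// for the cookie; the link token itself is never reused as a session.
function newSessionId() {
  return crypto.randomBytes(32).toString('base64url');
}
```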

Jacob Wenger

Jul 27, 2015, 12:21:53 PM
to fireba...@googlegroups.com
Hey Luke,

Kato already responded to you about this and we will look into it. We don't have any immediate plans to introduce this feature but I wouldn't be surprised if we do in the future.

Jacob

Luke Hutchison

Jul 27, 2015, 1:53:21 PM
to fireba...@googlegroups.com
Oops, my apologies, I totally forgot I created that other thread, and it looks like Kato's response somehow was never delivered to my inbox. Sorry for the spam, and thanks for alerting me to his response.