[iOS/Android] When to refresh firebase auth token

[Marcin Jekot]

Hi there.

I am using custom authentication, and issuing users with their firebase auth tokens at the time they login on our server. My question is about refreshing the firebase tokens.

The platform is native iOS and Android, and I am really really fuzzy at which point the app should request new ones from my server:

1) when the app starts

2) when the app is foregrounded

3) when the auth token expires

4) all of the above?

The thing that bothers me is that the app could be offline at any of those points and the refresh would fail, but if the app goes online later, firebase could have an expired token at this point? 

Our current logins never time out, and so I don't want the addition of firebase to disrupt the UX and log a user out, this should never happen. And to change the expiration timeout / session length to something really ridiculously long seems like a hack way of going about this.  I am sure there is a graceful way of solving this, and that I am just confused / looking in the wrong direction, so I would really appreciate some pointers. Is there an FAQ / doc about this somewhere that I am missing?

Thanks!!

-Marcin

[Rob DiMarco]

Hi Marcin -

I would generally caution against using authentication tokens that never expire, if only to lessen any risks associated with a temporarily compromised authentication token. In general, I would recommend having your clients detect when its token is nearing it's end, such as < 20% of it's life left, and request another from the server. The expiration time is exposed in the return value from authentication methods in the Firebase clients.

Hope that helps, and don't hesitate to let us know if we can help out further.

Rob

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/cf5fd6be-102c-45cc-bd70-7444a4cc10f5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Marcin Jekot]

Thanks for the advice Rob.

I guess this isn't a firebase specific question anymore, but a bit more of a general app dev one: but what is the best way to trigger a timed event like that? Is it Local Notifications for iOS, and and Alarm Manager for Android?

Many thanks again.

-Marcin

You received this message because you are subscribed to a topic in the Google Groups "Firebase Google Group" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/firebase-talk/eyp8Xg_00JQ/unsubscribe.
To unsubscribe from this group and all its topics, send an email to firebase-tal...@googlegroups.com.

To post to this group, send email to fireba...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/CAF-3uRsG7X9dAEtkBVHmS4B9moyYLEQqBXUeD-ciXQtu19_0fA%40mail.gmail.com.

[Jonny Dimond]

Hi Marcin,

using local notifications and alarm manager for Android is one possibility, but I think it's a bit overkill for this situation. For example, you don't necessarily want your app to start just because the token is about to expire. I would check on app start when the token is set to expire and refresh the token if it is going to expire sometime "soon". If your app is going to run for a long time, you can also just use a normal timer to check again later.

Jonny

[Marcin Jekot]

True, the app startup strategy makes a lot more sense.

Thanks again!!

To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/beeb9efa-a14b-4e04-9c1a-aee15f741a6b%40googlegroups.com.