sub/domain authentication


My Name Is
Jan 22, 2018, 9:26:32 PM
to Firebase Google Group
Hi

Would it be possible to let users sign up on a subdomain (mypages.domain.com) and then transfer that authentication with them when they move to www.domain.com?
And, by the same token, let them at a later visit simply sign in to that account when they are on www.domain.com and move on to the subdomain when they wish without being logged out?


Bassam
Jan 23, 2018, 3:29:07 AM
to Firebase Google Group
Hey there,
Multi-subdomain Auth state persistence is not yet supported. You would need to implement some mechanism to share that state securely between subdomains.
It would be helpful if you can provide more information on your use case. Do you plan to use other Firebase services like Realtime database or Firestore, etc on these different subdomains or are you using your own backend/database and need a session management solution for that?

Best regards,
Bassam

Jonas Frid
Feb 1, 2018, 6:13:42 PM
to Firebase Google Group
I'm interested in this, too.
I have two apps, one for authors and one for readers (author.mydomain.com / reader.mydomain.com).
Ideally, I'd like a user to only have to sign in once when they move between the domains.
Best regards,
Jonas 

Stephan Smith
Mar 1, 2018, 2:56:17 PM
to Firebase Google Group
I am interested in the same feature. 

Christian Gambardella
Mar 31, 2018, 8:37:42 PM
to Firebase Google Group
I'd like to see this feature as well.
We have two different systems that cannot be on the same host. We want to share the same header (with logged in state) between both hosts.

Christian Gambardella
Apr 1, 2018, 11:10:17 AM
to fireba...@googlegroups.com
I’ve found this library and did some tests with it.

This provides an iframe on the authenticated origin which will then allow your other origins to talk to the iframe using postMessage.

I’ve added the portal server on the origin where I’m logged in.
It’s mostly a blank document that listens to `firebase.auth().onAuthStateChanged`.
The user is still present on the portal server page.

Now my plan would be to allow the portal server to do an api request to my cloud function and pass back a token for tokenAuthentication.
Then the other origin website would use that to login.

I’ll let you know if it works.


--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/b471b60b-857b-4ef6-89e7-454cf225bf6b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
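Below, as an added example that is not part of Christian's post and not Firebase's code, is the decision logic for both ends of the iframe + postMessage scheme he describes, written as browser JavaScript: the portal iframe on the signed-in origin answers only an allowlist of caller origins and replies to the asking origin (never "*"), and the calling app accepts a reply only from the portal origin and only for the nonce it generated itself. The origins, the message names, the `/portal.html` path, the `/mint-token` endpoint and the helper names are assumptions for illustration; the browser wiring at the bottom is skipped when the file is loaded under Node, so the two decision functions can be exercised on their own.

```javascript
// Added example, not code from the thread or from Firebase: both ends of the
// iframe + postMessage scheme, reduced to the decisions that matter for security.
// Origins, message names, /mint-token and /portal.html are assumptions.

const PORTAL_ORIGIN = "https://accounts.mydomain.com"; // assumed sign-in origin
const ALLOWED_CALLERS = new Set([                      // assumed app origins
  "https://reader.mydomain.com",
  "https://author.mydomain.com",
]);
const REQUEST = "portal:request-token";
const RESPONSE = "portal:token";
const DENIED = "portal:denied";

// Portal side (the iframe served from PORTAL_ORIGIN). `msg` is {origin, data} from a
// MessageEvent. The browser sets event.origin and the sender cannot forge it, so it
// is the trust boundary; the message body is untrusted input.
// Returns null to ignore the message, else {targetOrigin, nonce, grant}.
function portalDecide(msg, signedIn) {
  if (!ALLOWED_CALLERS.has(msg.origin)) return null; // strangers get no reply at all
  const d = msg.data;
  if (!d || typeof d !== "object" || d.type !== REQUEST || typeof d.nonce !== "string") {
    return null; // unexpected shape: never act on arbitrary messages
  }
  // Reply only to the origin that asked (never "*"), echoing its nonce.
  return { targetOrigin: msg.origin, nonce: d.nonce, grant: Boolean(signedIn) };
}

// Caller side (reader/author app). Accept a reply only from the portal origin and
// only if it answers the nonce this page generated for its own request.
// Returns null to ignore, {token} on a grant, {token: null} on an explicit denial.
function callerAccept(msg, expectedNonce) {
  if (msg.origin !== PORTAL_ORIGIN) return null;
  const d = msg.data;
  if (!d || typeof d !== "object" || d.nonce !== expectedNonce) return null;
  if (d.type === RESPONSE && typeof d.token === "string") return { token: d.token };
  if (d.type === DENIED) return { token: null };
  return null;
}

// Assumed portal-side helper: proves the portal's own signed-in user to your cloud
// function with its Firebase ID token and gets back a token for signInWithCustomToken.
async function mintSignInToken() {
  const idToken = await firebase.auth().currentUser.getIdToken();
  const res = await fetch("/mint-token", {
    method: "POST",
    headers: { Authorization: "Bearer " + idToken },
  });
  if (!res.ok) throw new Error("mint failed: " + res.status);
  return res.text();
}

// Browser wiring. Skipped under Node, so the functions above run stand-alone.
if (typeof window !== "undefined") {
  if (window.location.origin === PORTAL_ORIGIN) {
    // Portal page. Firebase reports the initial auth state asynchronously, so
    // requests that arrive before it is known are queued, not refused.
    let signedIn = null;
    const pending = [];
    const answer = async (event) => {
      const decision = portalDecide({ origin: event.origin, data: event.data }, signedIn);
      if (!decision || !event.source) return;
      const payload = decision.grant
        ? { type: RESPONSE, nonce: decision.nonce, token: await mintSignInToken() }
        : { type: DENIED, nonce: decision.nonce };
      event.source.postMessage(payload, decision.targetOrigin);
    };
    firebase.auth().onAuthStateChanged((user) => {
      signedIn = !!user;
      while (pending.length) answer(pending.shift());
    });
    window.addEventListener("message", (event) => {
      if (signedIn === null) pending.push(event); else answer(event);
    });
  } else if (ALLOWED_CALLERS.has(window.location.origin)) {
    // Caller page: embed the portal, ask once with a fresh nonce, sign in on a grant.
    const nonce = crypto.randomUUID();
    const frame = document.createElement("iframe");
    frame.style.display = "none";
    frame.src = PORTAL_ORIGIN + "/portal.html";
    window.addEventListener("message", (event) => {
      const result = callerAccept({ origin: event.origin, data: event.data }, nonce);
      if (result && result.token) firebase.auth().signInWithCustomToken(result.token);
    });
    frame.onload = () => frame.contentWindow.postMessage({ type: REQUEST, nonce }, PORTAL_ORIGIN);
    document.body.appendChild(frame);
  }
}
```

The message passing is only half of the problem: the portal still has to read its own Firebase auth state from storage on the portal origin while embedded as a third-party frame, which is exactly what Christian later reports Safari's tracking changes broke.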

R Aponte
Apr 25, 2018, 10:18:34 AM
to Firebase Google Group
Did that iframe postMessage technique work for you? I'd love to implement similar functionality, and came across the suggestion here: https://stackoverflow.com/a/45067299

Christian Gambardella
Jun 16, 2018, 3:39:14 PM
to Firebase Google Group
Hey, it stopped working after Safari made changes to prevent user tracking. The iframe cannot access its own IndexedDB when in an iframe.

and...@ethicaljobs.com.au
Jan 6, 2019, 10:47:27 PM
to Firebase Google Group
We are very interested in this use case. Having a single sign-in domain to manage auth across multiple apps (the same as Google does) would be amazing!

accounts.myapp.com - would manage auth for:

Andrew Mclagan
Jan 6, 2019, 11:45:28 PM
to Firebase Google Group
That's what I'm actually asking.


Ensys Corp. on Google Cloud
Jan 7, 2019, 1:43:01 PM
to webmasterswebkori
You have to start auth with the root domain in that case..
...

Cloud Partner Team
Google, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States



Jonas Frid
Jan 8, 2019, 10:08:51 AM
to fireba...@googlegroups.com
You mean that this is already possible?


Romel Gomez
Feb 22, 2019, 2:55:37 PM
to Firebase Google Group
Is this currently possible?

auth.example.com       >>  login here   [Angular App]
   account.example.com                  [Angular App]
   dashboard.example.com                [Angular App]
   appX.example.com                     [Angular App]


As an alternative, I'm thinking of implementing a lambda to handle this case in this way:

1) After the client logs in successfully on auth.example.com, get an ID token:

firebase.auth().currentUser.getIdToken(/* forceRefresh */ true).then(function(idToken) {
  // Send token to your backend via HTTPS
  // ...
}).catch(function(error) {
  // Handle error
});

2) Set a HEADER with the token and redirect to account.example.com (app 2)

3) If the user is not logged in on app 2, check the HEADER for the token

4) Send the token to the lambda or backend via HTTPS

5) Verify the token in the lambda:

import firebase_admin
from firebase_admin import auth

firebase_admin.initialize_app()  # uses the default credentials available to the lambda

# id_token comes from the client app (shown above)
decoded_token = auth.verify_id_token(id_token)
uid = decoded_token['uid']

6) Create a new token using Firebase Admin and return it:

# uid is the one taken from the verified ID token in step 5
custom_token = auth.create_custom_token(uid)


7) Sign in using the custom token on the app 2 client:

firebase.auth().signInWithCustomToken(token).catch(function(error) {
  // Handle Errors here.
  var errorCode = error.code;
  var errorMessage = error.message;
  // ...
});


Is this approach OK? Doesn't it introduce security issues?


PS: I have an old Django app, and I'm using the strangler pattern to migrate the current user accounts; the strangler facade will be auth.example.com, which will call Django REST Framework to create the session too. Am I doing well with this approach?

Bassam
Feb 22, 2019, 4:28:02 PM
to Firebase Google Group
Hey Romel, we don't support cross-domain/subdomain authentication.
Your solution has multiple issues. Here are a few:
The step where you "Set a HEADER with the token and redirect to account.example.com (app 2)" is subject to session fixation, where an attacker can trick an unsuspecting user into injecting the attacker's token into that user's session.
Also, you don't set time limits on this. Since a Firebase session is indefinite, you need to only allow the exchange of an ID token (that is recently authenticated) for a custom token within a small window after authentication. Otherwise any leaked token for a session that is quite old can be exchanged for a custom token.

Bassam

John Carroll
Mar 8, 2019, 11:14:32 PM
to Firebase Google Group
So after much fiddling I've gotten Firebase Authentication to work across subdomains. I wrote up a blog post giving a high level overview about how to do it. It's not super easy, but it's also not super hard. Definitely a pain point in my Firebase adoption experience though.



will
Jun 3, 2019, 1:10:23 PM
to Firebase Google Group
Thanks for your post, John. It would be nice if Firebase could support it natively, though.

Joe Bay
Mar 16, 2020, 11:11:22 AM
to Firebase Google Group
Hey all, 

Does this look like something Firebase will add in the future? I've looked into the workaround, and it just seems a bit excessive and territory I'd rather not mess with.

Thanks! 



Ke Deng
Mar 20, 2020, 5:32:28 PM
to fireba...@googlegroups.com
