Best Practice for authentication sign out?

[Sparkle Tech]

Hello,

I'm testing Firebase authentication, and have it working with multiple providers, including Google Sign In, Facebook Login, and Email Link Authentication. My question is about signing out the player. 

I sign them out from Firebase using:

firebaseAuth.signOut()

But they remain signed in to their auth provider (Facebook , Google etc).

Is it best practice to also sign them out of their auth provider - using that providers SDK Sign Out method?

Thanks

Paul

[Sam Stern]

Hey Paul,

That's correct.  Firebase does not manage the session with the original identity provider, so you have to sign out separately.  If you use FirebaseUI we handle this for you. 

Sam

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/e2fc3439-9d85-493c-88bb-6e6bf1765c44%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Sparkle Tech]

Thanks Sam

[Ankitsinh Parmar]

how to logout manually from google  ???

[Kato Richardson]

Hello Ankitsinh,

Firebase Authentication doesn't control third party sign in tokens and you can't sign them out using a Firebase token or API call. It probably doesn't make sense to sign someone out of their Gmail app when they close your app. So no, as a general rule you shouldn't fiddle with their OAuth account.

☼, Kato

☼, Kato

--

You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/e7773e00-a0db-4b14-a39b-eb84b7b6f4e6n%40googlegroups.com.

--

Kato Richardson |

Developer Programs Eng |

kato...@google.com |

775-235-8398

[Shaiwal Singh]

Hi,

Im facing a similar concern from my users.  There are at least a couple of scenarios where the user would prefer that the sign out on the auth provider also get called:

- User is using a public device

- User wants to use a different profile on the auth provider to use with firebase auth

Is there a way that based on the current firebase auth context (token or other context) to “reliably” get the auth provider that was used to create the firebase auth token/context in the first place?  I highlight reliably, because from within flutter I am able to get the auth provider from firebase if the user had just logged in.  Though I am not able to get the auth provider if the user quits the app and uses the saved firebase token to authenticate.  In the latter case the provider is identified as “firebase”

Thx

Shaiwal

To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/CADypTEYdKxHyRi8f5dutybRMSUDcrMi3Zr-VpiFHcEbCOfn1Jg%40mail.gmail.com.

[Kato Richardson]

Again, Firebase doesn't manage third party OAuth credentials. So you'll need to store those during the login workflow before you hand them off to Firebase. One thing you could try would be to put the token on the Firebase Auth ID token using a custom claim, but there's plenty of other simple ways to capture that and reference it later.

☼, Kato

To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/F7B7032C-8698-4948-A6AB-5CAA818B50C3%40gmail.com.

[Shaiwal Singh]

Thanks Kato,

What is the purpose of firebase.User.providerData?  Get a user's provider-specific profile information

I understand your recommendation and agree about it from a separation of responsibility perspective.  But it's unclear what the purpose and the semantics associated with firebase.User.providerData given that background.

Shaiwal

To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/CADypTEbOMmk%3DU8spxtovCqCh-ovHimBoFEMyo2o0PV-eRWzkeg%40mail.gmail.com.

[Nick Medrano]

I don't understand why you say you can't sign out from OAuth Providers. I am using Google sign in on my app and the user can sign out of that by the following: 

this.$fire.auth.signOut()  // I am using NuxtJS firebase module here

Is this not what the OP is wanting to do? 

[Kato Richardson]

Great questions.

I can't remember the nuances of when providerData is populated and when it's not, but honestly it's not terribly reliable as I remember it. We pretty much stuff whatever the third party API gives back into there for reference, but that's entirely up to their API contract and changes over time. We're also inconsistent in storing it. I believe it's also different in the UserInfo attached to signIn*() vs onAuthStateChanged()'s user info. 

But I haven't looked at this in a while and there's probably someone more authoritative on the topic; it also could have improved in recent versions.

☼, Kato

To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/D252F840-950E-43E4-B5E7-F254610BDDE1%40gmail.com.