Firebase Auth - Length of Sessions


michae...@smartdata.net

Dec 20, 2018, 10:26:10 AM
to Firebase Google Group
Hello,

I am building a mobile app for a client. They want the user to log in once and then basically never have to reauthenticate again. I see that the docs (https://firebase.google.com/docs/auth/admin/manage-sessions) say that sessions are long-lived and that there is a refresh token that lives a long time and an ID token that has a short life. So I expect that the ID does expire frequently but the client can use the refresh token to get a new one.

Does the mobile app have to refresh the id token before it expires or can it always get a new token if it has a refresh token still?

Also, in general, how long do sessions last? Auth0 describes their session length as 30/3: 30-day sessions but with a 3-day window of inactivity. Is Firebase Auth similar?

Thanks,
Mike

Samuel Stern

Dec 20, 2018, 4:29:25 PM
to fireba...@googlegroups.com
Hi Mike,

Firebase Auth sessions work exactly how you described, and they basically live forever (on a device) if you don't change anything.  The ID tokens expire every hour, but the auth SDK silently refreshes them for you proactively so you never see this expiration if you're authenticating to Realtime Database, Cloud Firestore, Cloud Storage, etc.  The refresh token lives forever unless the user account is deleted, disabled, or has a password change.

- Sam

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/8e7118e4-cced-4809-b9e4-114599a9c67d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

mic...@visor.com

Jan 7, 2019, 7:55:09 PM
to Firebase Google Group
Hi Sam,

> Firebase Auth sessions work exactly how you described, and they basically live forever (on a device) if you don't change anything. The ID tokens expire every hour, but the auth SDK silently refreshes them for you proactively so you never see this expiration if you're authenticating to Realtime Database, Cloud Firestore, Cloud Storage, etc. The refresh token lives forever unless the user account is deleted, disabled, or has a password change.

Is there a way to override this behavior? I would like to set a shorter refresh token expiry than forever. After a significant period of inactivity (say 12 to 24 hours), we'd prefer to tradeoff user convenience for additional security.

If it's not supported first-class, maybe there's a recommended workaround for achieving this result?

Thanks,
Mickey

Samuel Stern

Jan 8, 2019, 6:07:11 PM
to fireba...@googlegroups.com, boj...@google.com
There's no first-class support for this.

Adding in +Bassam Ojeil who will be able to recommend a workaround for this behavior, if one exists.

- Sam


Bassam

Jan 8, 2019, 6:35:02 PM
to Firebase Google Group
Hey Mickey,
You can enforce that from the security rules side of things. The ID token has an auth_time field with the time the user authenticated. You can reject access when the current time is greater than auth_time + threshold. This will translate to a permission denied error client side, requiring user reauthentication.

Best regards,
Bassam
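One way to write the rule Bassam describes, as an added example that is not from the thread or from Firebase's own documentation: a Cloud Firestore rule set that denies access once the ID token's auth_time claim is older than a chosen threshold (24 hours here, an assumed value), so the client gets permission denied and has to reauthenticate. The collection path (/users/{userId}) and the helper name sessionIsFresh are assumptions for illustration; auth_time is in seconds while request.time.toMillis() is in milliseconds, which is why the claim is scaled.

```rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Maximum age of an authentication, in milliseconds (24 h; assumed threshold).
    function maxSessionAgeMillis() {
      return 24 * 60 * 60 * 1000;
    }

    // True only while the user authenticated within the threshold.
    // auth_time is a Unix time in seconds; request.time is the request timestamp.
    function sessionIsFresh() {
      return request.auth != null
        && request.auth.token.auth_time * 1000 + maxSessionAgeMillis()
           > request.time.toMillis();
    }

    // Per-user data: owner only, and only while the session is fresh.
    // A silently refreshed ID token keeps the original auth_time, so a
    // refresh alone does not extend the window; a new sign-in does.
    match /users/{userId}/{document=**} {
      allow read, write: if sessionIsFresh()
                         && request.auth.uid == userId;
    }
  }
}
```

Because the auth_time claim is carried over into every refreshed ID token, this enforces a hard limit on time since the last interactive sign-in rather than an inactivity window; an inactivity window would need a last-activity timestamp written by the app and compared in the same way. Realtime Database rules expose the same claim as auth.token.auth_time alongside the now variable (milliseconds), so the equivalent condition can be written there too.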