Refreshing a provider's accessToken, recap


Matthew Huebert

Jul 12, 2017, 4:23:02 AM
to Firebase Google Group
I'm building an app in which users sign in via GitHub, and I use the GitHub accessToken to make API requests on behalf of users.

A recap of how OAuth access tokens are currently handled:
  • A provider accessToken (e.g. from GitHub, valid for API calls) is provided only once, the first time a user signs in to Firebase via that provider, and not in the `onAuthStateChanged` callback. (forum link, 2016)
  • Firebase tokens are refreshed automatically, but OAuth accessTokens are not. After some period of time, the accessToken will expire, while the Firebase account will remain signed-in & the Firebase token is continually refreshed. No attempt is made by Firebase to keep provider tokens refreshed, although Firebase's servers do receive a refresh token from the provider during the OAuth flow. Automatic refreshing of these tokens is something that Firebase has considered in the past but not implemented. (forum link, 2014)

For apps that need to use the accessToken of a provider, the options are:
  1. Use an API of the provider to directly sign in and get a token / keep it refreshed, and then sign in to Firebase via `.signInWithCredential` using the provider token. (Stack Overflow link, 2016)
  2. Detect when a provider token is stale on your own, and then trigger a new sign-in flow with Firebase (via a redirect or popup) to get a new accessToken.

If there is any update to this state of affairs, or corrections to what I've said, please let me know :).

FWIW, it would be really nice if Firebase would either keep provider access tokens refreshed behind the scenes, or make it easy to detect when they are stale and refresh manually without a redirect or popup (i.e. using the refresh token that is stored on Firebase's servers).

Bassam

Jul 13, 2017, 3:52:05 AM
to Firebase Google Group
Hey Matthew, there is no update on this. We did add a reauthenticateWithPopup/Redirect since then, though we do not recommend using this as a way to obtain a fresh OAuth credential. UX would be pretty bad.
I will relay your request to the Firebase Auth team. Managing OAuth provider access tokens would be something new to Firebase Auth. Firebase Auth has always focused on authentication and not authorization, but I personally do see the value in your feature request.

Best regards,
Bassam

de...@broadinstitute.org

Jan 25, 2018, 9:10:14 PM
to Firebase Google Group
I'd +1 this request. Currently, we have to use Google OAuth tokens with an internal authorization system (https://github.com/broadinstitute/sam). However, we also plan to use Firebase-issued JWTs to authenticate against our (Firebase-hosted) APIs.

While refreshing JWTs happens automatically, we do have to 1) record the accessToken upon signInWithRedirect() with the Google provider and 2) check for the presence and expiration of the accessToken and run signInWithRedirect() again if these are not satisfied. It would be nice to have a more generic way to refresh the accessToken, even just for the Google provider.
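
The record-and-check approach described in the posts above (option 2 in the first post), as an added example that is not code from the thread or from Firebase. The token lifetime `ttlMs`, the `Map` store, and the injected `callApi` and `startSignIn` callbacks are assumptions; `startSignIn` is where an app would call `signInWithRedirect()`.

```javascript
// Added example: track a provider access token alongside the Firebase session.
// ASSUMPTION: the app does not learn the token's expiry from the sign-in
// result, so it supplies an assumed lifetime (ttlMs) and additionally treats
// an HTTP 401 from the provider API as proof that the token is stale.

const KEY = 'providerToken';
const SKEW_MS = 60 * 1000; // treat the token as expired one minute early

// Record the accessToken captured once from the sign-in result.
// `store` is any Map-like object (hypothetical; in-memory Map in this example).
function recordToken(store, accessToken, ttlMs, now = Date.now()) {
  store.set(KEY, { accessToken, expiresAt: now + ttlMs });
}

// True when there is no usable token: missing, empty, or at/after the
// assumed expiry minus the safety margin.
function needsReauth(store, now = Date.now()) {
  const rec = store.get(KEY);
  return !rec || !rec.accessToken || now >= rec.expiresAt - SKEW_MS;
}

// Run a provider API call with the stored token.
// callApi(token) must resolve to { status, body } (hypothetical shape).
// If the token is missing, past its assumed expiry, or rejected with 401,
// the stale record is dropped and a new sign-in flow is started.
async function withProviderToken(store, callApi, startSignIn, now = Date.now()) {
  if (!needsReauth(store, now)) {
    const res = await callApi(store.get(KEY).accessToken);
    if (res.status !== 401) return { reauth: false, body: res.body };
  }
  store.delete(KEY); // never keep a token known to be stale or rejected
  startSignIn();
  return { reauth: true };
}
```

The Firebase session itself is unaffected by this check: only the provider token record is discarded before the new sign-in flow starts.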