Question about firebase authentication


flaa...@gmail.com

Mar 12, 2019, 10:01:34 AM
to Firebase Google Group
Hi all

(first post here)

I am configuring a site to use Firebase Authentication.
I am using firebase.auth().signInAndRetrieveDataWithEmailAndPassword to sign in users.
And I am using firebase.auth().onAuthStateChanged((user) => ...) to check if a user is logged in. I am trying to configure it so the user needs to (re)log in after a period of inactivity. As I read, this should be the case (ID tokens expire after an hour). But even after I don't log in for a few days, firebase.auth().onAuthStateChanged will always return true (unless the user manually signed out).

Is there something i am missing?

Bassam

Mar 13, 2019, 3:45:39 AM
to Firebase Google Group
Hey there,
Firebase sessions are indefinite. We don't keep track of user activity. Firebase ID Tokens are valid for one hour but can be refreshed endlessly. However, you could require the user to re-authenticate every certain period of time. Let's say every hour. However, you have to enforce that on your backend or via security rules. The ID token has an auth_time field which is the time the user authenticates. If you receive requests on the server side with auth_time < now - one_hour then you block access. On the client you would call firebase.auth().currentUser.reauthenticateWithCredential(firebase.auth.EmailAuthProvider.credential(email, password)) to get fresh tokens with updated auth_time.

You can also set some timer to signOut() the user and require them to sign in again, but you still need to enforce the check on the server, as it is not guaranteed that the timer will run (enforcement should be done server side).

Best regards,
Bassam
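The server-side auth_time check Bassam describes, as an added example that is not part of the original thread: it takes the decoded claims object that firebase-admin's admin.auth().verifyIdToken() returns (signature and expiry already verified) and refuses requests whose sign-in is older than the allowed window. The constant names, the clock-skew tolerance and the sample claims are assumptions of this example.

```javascript
// Added example (not from the thread). Assumes the ID token's signature and
// expiry were already checked, e.g. by admin.auth().verifyIdToken(idToken),
// and that `decodedToken` is the claims object that call returns.

const MAX_AUTH_AGE_SECONDS = 60 * 60; // require re-authentication after one hour
const CLOCK_SKEW_SECONDS = 60;        // tolerate small client/server clock drift

/**
 * Decide whether a verified Firebase ID token is still acceptable, based on
 * when the user actually authenticated (auth_time), not when the token was
 * minted (iat). Returns { ok: true } or { ok: false, reason }.
 */
function checkAuthTime(decodedToken,
                       nowSeconds = Math.floor(Date.now() / 1000),
                       maxAgeSeconds = MAX_AUTH_AGE_SECONDS) {
  const authTime = decodedToken ? decodedToken.auth_time : undefined;
  // Fail closed: a missing or malformed claim is a deny, not a pass.
  if (!Number.isInteger(authTime)) {
    return { ok: false, reason: 'missing_auth_time' };
  }
  if (authTime > nowSeconds + CLOCK_SKEW_SECONDS) {
    return { ok: false, reason: 'auth_time_in_future' };
  }
  // A refreshed ID token keeps the original auth_time, so this measures the
  // age of the sign-in itself, which endless token refreshes do not reset.
  if (nowSeconds - authTime > maxAgeSeconds) {
    return { ok: false, reason: 'reauthentication_required' };
  }
  return { ok: true };
}

// Constructed sample claims, shaped like the object verifyIdToken returns.
// auth_time is 2019-03-12 10:00 UTC; iat/exp show a token refreshed an hour later.
const sampleClaims = {
  uid: 'user-123',          // constructed value
  email: 'user@example.com',
  auth_time: 1552384800,    // when the user last entered a password
  iat: 1552388400,          // this particular token was minted later
  exp: 1552392000,
};

// Typical use in a request handler (after verifyIdToken):
//   const verdict = checkAuthTime(decodedToken);
//   if (!verdict.ok) respond 401 with verdict.reason so the client can call
//   reauthenticateWithCredential(...) and retry with a fresh token.
```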

Rob Sherling

Mar 13, 2019, 10:27:51 AM
to Firebase Google Group
Hi Bassam,

It's interesting that you say that the ID Tokens are valid for one hour.

I was doing some probing, and the Firebase REST API that issues ID tokens -

happens to issue tokens that last for 2 weeks. Example: it's March the 13th, but it just issued a token that has an exp field of March 27th -

Token Here

I can't seem to find why this is happening, and it's concerning: if logging in directly against the endpoint gives a two-week ID token, it makes it harder for me to control security.

Am I missing something, or is there a way to change that to one hour as well?

Also, if I update custom claims, will getting the user data via 

https://www.googleapis.com/identitytoolkit/v3/relyingparty/getAccountInfo?key=<API_KEY>

reflect the new claims?

Thank you!

Bassam

Mar 13, 2019, 1:39:34 PM
to Firebase Google Group
Hey Rob, you are not using the REST API correctly. You need to pass {returnSecureToken: true} in the request to get a Firebase ID token. What you are getting is a legacy deprecated Google Identity Toolkit token.

Bassam

Rob Sherling

Mar 13, 2019, 11:00:35 PM
to Firebase Google Group
Thanks!