为什么我们不能在Firebase身份验证中使用getUid()与您的后端服务器进行身份验证 [英] Why can't we use getUid() to authenticate with your backend server in firebase authentication

问题描述

在他们提到的此代码段(firebase文档)中，未使用user.getUid()对您的后端服务器进行身份验证.改用FirebaseUser.getToken().

In this code snippet (firebase doc) they have mentioned do not use user.getUid() to authenticate with your backend server. use FirebaseUser.getToken() instead.

FirebaseUser user = FirebaseAuth.getInstance().getCurrentUser();
if (user != null) {
    // Name, email address, and profile photo Url
    String name = user.getDisplayName();
    String email = user.getEmail();
    Uri photoUrl = user.getPhotoUrl();

    // The user's ID, unique to the Firebase project. Do NOT use this value to
    // authenticate with your backend server, if you have one. Use
    // FirebaseUser.getToken() instead.
    String uid = user.getUid();
}


getUid()    A unique user ID, intended as the user's unique key across all providers.   
getToken()  The Firebase authentication token for this session.

我的要求是.

1. 首先，我将使用Firebase身份验证方法(电子邮件和密码)注册用户.
2. 我将保存String uid = user.getUid();注册成功后，在我自己的后端服务器中进行访问.
3. 用户信用信息说，用户余额作为关键user.getUid()保存在我自己的后端服务器中.
4. 用户使用电子邮件和密码登录并要求其余额.
5. 如果找到的匹配项将余额返还给用户，我将从firebase中获取user.getUid()并与我的记录进行匹配.

他们说getUid()是唯一的用户ID，但请勿使用此值向您的后端服务器进行身份验证.

They said getUid() is unique user id but Do NOT use this value to authenticate with your backend server.

为什么呢?为什么我们不能使用getUid()对您的后端服务器进行身份验证?

Why so? Why can't we use getUid() to authenticate with your backend server??

推荐答案

uid是用户的唯一标识符.因此，虽然它可以识别用户，但不会对他们进行身份验证.

The uid is a unique identifier for the user. So, while it identifies the user, it does not authenticate them.

一个简单的推论是，我的堆栈溢出ID为209103.知道了这一点，就可以识别出我.但是要向Stack Overflow证明您是Frank Van Puffelen，需要您知道我的证书.

A simple corollary is that my Stack Overflow ID is 209103. Knowing that, you can identify me. But to prove to Stack Overflow that you are Frank van Puffelen, requires that you know my credentials.

用户的ID通常会在界面中公开.例如，如果单击我的个人资料，您将看到我的ID.这对于识别我很有必要.如果您还使用相同的ID进行身份验证，则曾经看过您个人资料的每个人都可以在网站上冒充您.关于安全性，这不是一个好主意.

The ID of a user is quite often exposed in the interface. For example, if you click on my profile, you will see my ID. This is necessary for identifying me. If you would also use that same ID to authenticate, everyone who had seen your profile once could impersonate you on the site. Not a good idea when it comes to security.

这篇关于为什么我们不能在Firebase身份验证中使用getUid()与您的后端服务器进行身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！