Firebase auth expires after 1 hr

Views: 197

Question

I am able to allow users to log in to Firebase using email and password. I followed these instructions: https://firebase.google.com/docs/reference/rest/auth/#section-sign-in-email-password

However, after 1 hr it seems the auth expires and I can't use my app anymore. Does anybody know how I can extend that hour? I have read MULTIPLE posts with very similar questions, but I can't find a clear answer. It seems some people think there is a way to obtain a reauth token or something like that, but still no clear answer.

Recommended answer

Managing user sessions

Firebase Authentication sessions are long lived. Every time a user signs in, the user credentials are sent to the Firebase Authentication backend and exchanged for a Firebase ID token (a JWT) and refresh token. Firebase ID tokens are short lived and last for an hour; the refresh token can be used to retrieve new ID tokens. Refresh tokens expire only when one of the following occurs:

  • The user is deleted
  • The user is disabled
  • A major account change is detected for the user. This includes events like password or email address updates.

Managing tokens on web clients

Web client code can call User.getIdToken(forceRefresh?: boolean):

Returns the current token if it has not expired. Otherwise, this will refresh the token and return a new one.

This would need to be called each time a token is sent to the server.

Alternatively, user sessions may be managed via session cookies.

Firebase Auth provides server-side session cookie management for traditional websites that rely on session cookies. This solution has several advantages over client-side short-lived ID tokens, which may require a redirect mechanism each time to update the session cookie on expiration:

  • Improved security via JWT-based session tokens that can only be generated using authorized service accounts.
  • Stateless session cookies that come with all the benefit of using JWTs for authentication. The session cookie has the same claims (including custom claims) as the ID token, making the same permissions checks enforceable on the session cookies.
  • Ability to create session cookies with custom expiration times ranging from 5 minutes to 2 weeks.
  • Flexibility to enforce cookie policies based on application requirements: domain, path, secure, httpOnly, etc.
  • Ability to revoke session cookies when token theft is suspected using the existing refresh token revocation API.
  • Ability to detect session revocation on major account changes.
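The pattern the answer describes (ask the user object for an ID token immediately before every request, never cache the string yourself) and the session-cookie expiry range it lists, as an added example that is not part of the original answer or of the Firebase SDK. The real object is `firebase.auth().currentUser`; because that cannot be used offline, `makeFakeUser` below is a constructed stand-in that reproduces only the documented `getIdToken()` contract (return the cached token until it expires, otherwise mint a new one). `authorizedFetch`, `sessionCookieExpiresIn`, the injected clock and the token strings are all assumptions made for this illustration.

```javascript
// Added example, not code from the original post or from Firebase.
// Firebase ID tokens last one hour; the refresh token behind the user object
// lets the SDK mint a new ID token transparently when the old one expires.
const ID_TOKEN_LIFETIME_MS = 60 * 60 * 1000;

// Constructed stand-in for a signed-in Firebase user (real code uses
// firebase.auth().currentUser). `now` is injected so the clock can be advanced
// deterministically; `refreshToken` models the long-lived refresh token.
function makeFakeUser(refreshToken, now) {
  let issuedAt = 0;
  let cached = null;
  let refreshCount = 0;
  return {
    // Mirrors the documented contract: current token if not expired,
    // otherwise (or when forceRefresh is true) refresh and return a new one.
    async getIdToken(forceRefresh = false) {
      const expired = cached === null || now() - issuedAt >= ID_TOKEN_LIFETIME_MS;
      if (forceRefresh || expired) {
        refreshCount += 1;
        issuedAt = now();
        cached = `idtoken-${refreshToken}-${refreshCount}`; // placeholder, not a real JWT
      }
      return cached;
    },
    get refreshCount() { return refreshCount; },
  };
}

// Attach a current ID token to each request. Calling getIdToken() per request
// is what keeps the app working past the one-hour mark: the SDK, not the app,
// decides when a refresh is needed. `fetchImpl` is injected so the example
// runs without a network (pass the global fetch in a browser).
async function authorizedFetch(user, fetchImpl, url, init = {}) {
  const token = await user.getIdToken();
  const headers = { ...(init.headers || {}), Authorization: `Bearer ${token}` };
  return fetchImpl(url, { ...init, headers });
}

// Server side: the answer states session cookies accept expiration times from
// 5 minutes to 2 weeks. Validate the value (milliseconds) before passing it
// as `expiresIn` to the Admin SDK's createSessionCookie call.
const MIN_SESSION_MS = 5 * 60 * 1000;
const MAX_SESSION_MS = 14 * 24 * 60 * 60 * 1000;
function sessionCookieExpiresIn(ms) {
  if (!Number.isInteger(ms) || ms < MIN_SESSION_MS || ms > MAX_SESSION_MS) {
    throw new RangeError(`expiresIn must be between ${MIN_SESSION_MS} and ${MAX_SESSION_MS} ms`);
  }
  return ms;
}

// Demo: two requests inside the hour reuse one token; a request 61 minutes
// after the first issue gets a freshly refreshed token.
async function demo() {
  let clock = 0;
  const user = makeFakeUser("refresh-abc", () => clock);
  const seen = [];
  const fakeFetch = async (_url, init) => { seen.push(init.headers.Authorization); return { ok: true }; };
  await authorizedFetch(user, fakeFetch, "https://example.invalid/api");
  clock += 30 * 60 * 1000;
  await authorizedFetch(user, fakeFetch, "https://example.invalid/api");
  clock += 31 * 60 * 1000;
  await authorizedFetch(user, fakeFetch, "https://example.invalid/api");
  return { seen, refreshCount: user.refreshCount };
}

demo().then((r) => console.log(r.seen, "refreshes:", r.refreshCount));
```

In a browser you would call `authorizedFetch(firebase.auth().currentUser, fetch, url)`; the stand-in exists only so the refresh behaviour can be observed without a Firebase project.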
