Detect whether user is logged in to subdomain


Problem description

Our new site, app.example.com, uses Firebase authentication. A small subset of our regular example.com users will pay to subscribe to the new site but most will continue to use example.com, where they use the site anonymously.

Firebase auth makes it easy to remain logged in to app.example.com, but these privileged users might not remember the new domain and continue to go to example.com. So for these users I would like to detect whether they are logged in and redirect them as transparently as possible.

I suspect that example.com cannot access the logged-in state of a user of app.example.com.

If an app user also had an account on example.com, could that help? In that case, could a custom claim be used to automatically log them in to app.example.com?

Recommended answer

Firebase Authentication does not support multi-domain authentication or something like SSO. The best you can do is implement JWT-based custom auth that primarily relies on Firebase Auth. I've done that in a couple of ways and the auth flow mentioned below works best for me:

  1. Select a domain for Firebase auth (this will be the domain where users will be logged in via Firebase directly)
  2. When a user visits one of your subdomains, let's say app.domain.com for this example, you check if there is any token present in the localStorage of the browser (or any local storage of the respective platform). If yes, that means they are logged in. (I'll come back to the token later)
  3. If the user isn't logged in on the subdomain, go to the domain where Firebase Auth works, make a call to your server with the Firebase IdToken, verify that and generate a temporary token and return it. Make sure you store it in your database on the server side. After that, redirect the user back to the subdomain where they were trying to log in with the new token in a query param. For example, your URL may look like: https://app.domain.com/login?temp_token=thatTempTokenGeneratedOnServerSide1234.
  4. Make another request containing that temp token to your server from the subdomain and validate it (like check the UID and if it is expired and maybe if the IP of the user is the same as when the token was created).
  5. Generate another JWT (preferably one with a long life) (you might want to look at Rolling Token Auth for better security) and return it to the client and store it on the client. This JWT ideally would contain only the UID of that user. So whenever the user makes any subsequent requests to the server from that subdomain, add that token in the request header (or keep it in cookies as per your convenience), then verify it on the server side for processing the data.
  6. If the token is expired, repeat the auth flow.

I've been using this for a while and have found no issues. Just make sure you read about access tokens and refresh tokens and how they work. I'll try to add a flowchart asap; meanwhile, feel free to ask any questions.

