Firebase Auth : Admin custom tokens cannot be refreshed after one hour

Problem description

I think the Firebase Admin SDK is missing a very important function (or maybe its documentation).

TL; DR : How can you refresh custom token with the Admin SDK?

The documentation (https://firebase.google.com/docs/auth/admin/manage-sessions) says:

Firebase Authentication sessions are long lived. Every time a user signs in, the user credentials are sent to the Firebase Authentication backend and exchanged for a Firebase ID token (a JWT) and refresh token. Firebase ID tokens are short lived and last for an hour; the refresh token can be used to retrieve new ID tokens.

Ok. But how? There is no mention of how to replace the refresh token with a new custom token. There is lots of documentation regarding how you can revoke a refresh token etc.

There is however a REST API function that says (https://firebase.google.com/docs/reference/rest/auth/#section-refresh-token):

Exchange a refresh token for an ID token. You can refresh a Firebase ID token by issuing an HTTP POST request to the securetoken.googleapis.com endpoint.

However, the access_token (JWT) you get from this API call is not accepted either. And the formats of the JWTs are not even similar. Below are two samples of custom tokens retrieved (decoded):

i. with the admin.auth().createCustomToken(uid) method of Admin SDK

{
  "uid": "9N5veUXXXXX7eHOLB4ilwFexQs42",
  "iat": 1521047461,
  "exp": 1521051061,
  "aud": "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit",
  "iss": "XXX@appspot.gserviceaccount.com",
  "sub": "XXX@appspot.gserviceaccount.com"
}

ii. with the https://securetoken.googleapis.com/v1/token?key=[API_KEY] call

{
  "iss": "https://securetoken.google.com/XXX",
  "aud": "XXX",
  "auth_time": 1521047461,
  "user_id": "9N5veUXXXXX7eHOLB4ilwFexQs42",
  "sub": "9N5veUXXXXX7eHOLB4ilwFexQs42",
  "iat": 1521051719,
  "exp": 1521055319,
  "email": "jabbar@gmail.com",
  "email_verified": false,
  "firebase": {
    "identities": {
      "email": [
        "jabbar@gmail.com"
      ]
    },
    "sign_in_provider": "password"
  }
}

There are plenty of questions raised about this topic. Maybe someone from Firebase team can answer it once and for all. See the links below.

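Thank you for your time!

  • How to use the Firebase refreshToken to reauthenticate?
  • Firebase - Auth session lost after one hour
  • How to handle custom Firebase token expiry in Firebase 3.xx
  • Firebase authentication with custom token
  • Handling the one-hour expiry of a token generated from Firebase on iOS and used for Node authentication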

Recommended answer

You need to exchange a custom token for an Id Token and a Refresh token; this is mentioned here. The call should include the custom token and the property "returnSecureToken" as true. If this property is not added or is false, you will only get the ID Token.

After doing that, you can use the Refresh token to get a new ID Token once it expires. See the documentation.

Both the custom token and the ID token are short-lived (1 hour), but the purpose is different; that is why the formats are different. You use the Id Token to make authenticated calls, whereas the custom token is only used to start the session and get an ID Token and Refresh token.

Keep in mind that if you are using an SDK, this whole work is being handled by the SDK.
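
The two-step exchange the answer describes, written out against the REST API as an added example (not part of the original question or answer, and not Firebase's own code). The signInWithCustomToken endpoint is the public Identity Toolkit REST endpoint, which the page only links to; the helper names, the injectable `fetchImpl` parameter and the 60-second refresh margin are assumptions made for illustration.

```javascript
// Added example (not from the original post): custom token -> session -> refreshed ID token.
const SIGN_IN_URL = "https://identitytoolkit.googleapis.com/v1/accounts:signInWithCustomToken";
const REFRESH_URL = "https://securetoken.googleapis.com/v1/token";

// Normalise both response shapes into one session object (hypothetical helper).
function toSession(idToken, refreshToken, expiresIn, now = Date.now()) {
  if (!idToken || !refreshToken) throw new Error("response lacks ID or refresh token");
  return { idToken, refreshToken, expiresAt: now + Number(expiresIn) * 1000 };
}

// POST with the API key in the query string; fetchImpl is injectable so the flow can be tested offline.
async function post(url, apiKey, init, fetchImpl) {
  const res = await fetchImpl(`${url}?key=${encodeURIComponent(apiKey)}`, { method: "POST", ...init });
  const body = await res.json();
  if (!res.ok) throw new Error(`auth request failed (${res.status}): ${body.error && body.error.message}`);
  return body;
}

// Step 1: trade the one-hour custom token for an ID token plus a refresh token.
async function signInWithCustomToken(apiKey, customToken, fetchImpl = fetch) {
  const body = await post(SIGN_IN_URL, apiKey, {
    headers: { "Content-Type": "application/json" },
    // Per the answer: without returnSecureToken set to true, only the ID token comes back.
    body: JSON.stringify({ token: customToken, returnSecureToken: true }),
  }, fetchImpl);
  return toSession(body.idToken, body.refreshToken, body.expiresIn);
}

// Step 2: trade the refresh token for a fresh ID token (this endpoint answers in snake_case).
async function refreshIdToken(apiKey, refreshToken, fetchImpl = fetch) {
  const body = await post(REFRESH_URL, apiKey, {
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams({ grant_type: "refresh_token", refresh_token: refreshToken }).toString(),
  }, fetchImpl);
  return toSession(body.id_token, body.refresh_token, body.expires_in);
}

// Return a usable ID token, refreshing once it is within skewMs of expiry.
async function getIdToken(session, apiKey, fetchImpl = fetch, now = Date.now(), skewMs = 60000) {
  if (now >= session.expiresAt - skewMs) {
    Object.assign(session, await refreshIdToken(apiKey, session.refreshToken, fetchImpl));
  }
  return session.idToken;
}
```

The refresh token is the long-lived credential in this flow, so it is the value to store carefully; the ID token it yields is the one a backend verifies, never the custom token.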
