How to sync firebase users across several locations? (extension + website)

Problem description

I'm working on a Chrome extension (provides main functionality) and the complementary website (mostly profile and billing related functionality), both backed by a Firebase backend.

I'm wondering if it's possible to implement the below scenario:

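  • The user logs in in the extension using Firebase authentication (with the firebaseUI lib)
  • I store a token that can be used to re-authenticate that user (is there such a token?)
  • When the user opens the website, I log that user in automatically with the token.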

While both the extension and the website have their login/signup forms, I'm wondering if it's possible to log in the user in the extension and to somehow automatically log in that same user on the website so they don't have to enter their credentials twice?

So far I was hoping that I could use something like below:

firebase.auth().currentUser.getIdToken(true).then(function(idToken) {
    console.log("idToken = ", idToken)
})

And then to use that idToken like this, since if I understand correctly, it's a JWT:

firebase.auth().signInWithCustomToken(idToken).catch(function(error) {
    // Handle Errors here.
    var errorCode = error.code;
    var errorMessage = error.message;
    console.log("signInWithCustomToken: error = ", error)
})

But I get the following error:

code: "auth/invalid-custom-token"
message: "The custom token format is incorrect. Please check the documentation."

I can parse the token on https://jwt.io/ which shows all the user information but in the end it says "invalid signature"

So I guess this token can be only used to check authentication (like admin.auth().verifyIdToken(idToken)) but not to login user. Am I right?

I know I can create a custom token, but is there any straightforward way to work around that and to log in the user from one place only using Firebase functionality? (of course without storing username/password)

Recommended answer

You can't sign in with a Firebase ID token. What you can do is the following:

  1. Keep the user session in the chrome extension and run all authenticated requests from there. Use postMessage (with origin verification) to talk with extension from app anytime a request is to be sent. With this you don't have to worry about session synchronization and no Firebase tokens are stored or passed to the web app or every web app that can access the extension.

  2. Add a postMessage API to get an ID token from the extension after verifying the origin of the request. You can then send the request from the web app with the ID token. (less secure than 1 but easier to implement and session is stored in one place).

  3. Create an HTTP endpoint that takes an ID token and returns a custom token. This would verifyIdToken and then create a corresponding custom token for that user using createCustomToken provided by Admin SDK. You then postMessage that from chrome extension to the web page after verifying origin and signInWithCustomToken with that custom token in that web app. This is the least secure as you are providing an endpoint to exchange a short lived ID token with an indefinite session. You will also deal with synchronization issues (user signs out from chrome extension, you have to sign out from websites, etc).
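
Option 1 of the answer above, sketched as an added example (not code from the original answer): a message gate for the extension's content script that verifies the origin and source of each postMessage, accepts only allowlisted actions, and runs the request inside the extension so the ID token is never posted to the page. The origin, the channel name, the action names and the injected deps.getIdToken / deps.callBackend helpers are assumptions.

```javascript
// Constructed values: replace with the real site origin and supported actions.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
const ALLOWED_ACTIONS = new Set(["getProfile", "getBillingStatus"]); // hypothetical
const CHANNEL = "ext-auth-v1"; // hypothetical message channel tag

// Returns { ok: true, action, requestId } or { ok: false, reason }.
function validatePageMessage(event, pageWindow) {
  // event.origin is filled in by the browser, not by the sending script.
  if (!ALLOWED_ORIGINS.has(event.origin)) return { ok: false, reason: "origin" };
  // Ignore messages relayed from iframes or other windows.
  if (event.source !== pageWindow) return { ok: false, reason: "source" };
  const d = event.data;
  if (d === null || typeof d !== "object" || d.channel !== CHANNEL)
    return { ok: false, reason: "shape" };
  if (typeof d.requestId !== "string" || d.requestId.length > 64)
    return { ok: false, reason: "requestId" };
  // The page names an action; it never supplies a URL or asks for the token.
  if (!ALLOWED_ACTIONS.has(d.action)) return { ok: false, reason: "action" };
  return { ok: true, action: d.action, requestId: d.requestId };
}

// deps.getIdToken would wrap firebase.auth().currentUser.getIdToken();
// deps.callBackend performs the authenticated request (both hypothetical).
async function handlePageMessage(event, pageWindow, deps) {
  const v = validatePageMessage(event, pageWindow);
  if (!v.ok) return v; // rejected: nothing is posted back
  const idToken = await deps.getIdToken();
  const result = await deps.callBackend(v.action, idToken);
  // Reply to the verified origin only, never "*"; the token is not included.
  pageWindow.postMessage(
    { channel: CHANNEL, requestId: v.requestId, result },
    event.origin
  );
  return v;
}

// Wire-up when running as a content script in the page.
if (typeof window !== "undefined" && window.addEventListener) {
  window.addEventListener("message", (e) => {
    const deps = globalThis.extAuthDeps; // hypothetical, set by the extension
    if (deps) handlePageMessage(e, window, deps).catch(() => {});
  });
}
```

For option 2 the same gate applies, but the reply would carry the ID token itself, which is why the answer rates it as less secure than option 1.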
