Is there any way to keep a person authenticated with Firebase across subdomains?


Problem description



I use firebase for authentication on my website and I want to keep the user's auth session active across subdomains.

Unfortunately, firebase uses Local Storage to store the user's session. Which unfortunately is independent to each subdomain.

I already know that you can generate a JWT token using firebase from the server side, but then it doesn't allow the user to log out of the site because the user would still end up logged in other subdomains.

Solution

This is correct. Firebase only supports single host origin sessions. Firebase Auth is looking into supporting cookies. For now there is no easy solution for this. Feel free to request this feature at the Firebase forum: https://groups.google.com/forum/#!forum/firebase-talk

For now, if you really need this, here is one relatively easy option: Create an endpoint that takes a Firebase ID token and basically returns a custom token for its underlying user (you would need to use the Admin SDK to do this: you verify the ID token, get the user UID and then mint a custom token). The subdomain where the user signed in would pass the ID token to the other subdomain where the user is still not authenticated (you can use iframe cross origin postMessage to pass it, or just save that ID token in a *.domain.com policy). The custom token can then be used to signInWithCustomToken with the custom token, effectively signing in the same user on this page.

This is risky though as the endpoint could expose a vulnerability (it transforms a short lived token to an indefinite one). If the ID token is leaked, an attacker can basically sign in as the user exploiting this endpoint.
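The exchange the answer sketches, written out as an added example (it is not code from the answer's author or from Firebase). The Admin SDK Auth object is injected rather than imported so the file runs without `firebase-admin`; in a real deployment you would pass `admin.auth()`. `verifyIdToken(idToken, checkRevoked)`, `createCustomToken(uid, claims)`, `signInWithCustomToken` and `postMessage` are real APIs; everything else here (`ALLOWED_ORIGINS`, `MAX_AUTH_AGE_SEC`, `exchangeIdToken`, `postIdToken`, `acceptTokenMessage`, the `issuedFor` claim and the example.com hostnames) is this example's own and is constructed. The three checks that are not in the answer, an origin allowlist on the endpoint, a revocation check and a freshness limit on the ID token, are the practical ways to narrow the window the answer warns about.

```javascript
// Added example, not from the original answer or from Firebase.
// Server side: exchange a Firebase ID token for a custom token for the same
// user, as the answer describes, with checks that limit the leaked-token risk.
// Real deployment: const admin = require('firebase-admin'); exchangeIdToken(admin.auth(), ...)

// Constructed allowlist of the sibling subdomains that may take part.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);
// Only exchange ID tokens whose underlying sign-in happened this recently.
const MAX_AUTH_AGE_SEC = 5 * 60;

function originAllowed(origin) {
  return ALLOWED_ORIGINS.has(origin);
}

// Returns an HTTP-like { status, body } so the logic is easy to test.
async function exchangeIdToken(auth, idToken, origin,
                               nowSec = Math.floor(Date.now() / 1000)) {
  // Only sibling subdomains may call this endpoint.
  if (!originAllowed(origin)) {
    return { status: 403, body: { error: 'origin not allowed' } };
  }
  let decoded;
  try {
    // checkRevoked = true: after revokeRefreshTokens(uid) has been called for
    // the user (e.g. on sign-out), the exchange fails here as well.
    decoded = await auth.verifyIdToken(idToken, true);
  } catch (err) {
    return { status: 401, body: { error: 'invalid or revoked ID token' } };
  }
  // An ID token is valid for an hour; accepting only fresh sign-ins shortens
  // the time a leaked token remains useful against this endpoint.
  if (nowSec - decoded.auth_time > MAX_AUTH_AGE_SEC) {
    return { status: 401, body: { error: 'sign-in too old, re-authenticate' } };
  }
  // Mint the custom token for the same UID (custom tokens expire after one
  // hour) and record which subdomain requested it as a developer claim.
  const customToken = await auth.createCustomToken(decoded.uid, { issuedFor: origin });
  return { status: 200, body: { customToken } };
}

// Client side, signed-in subdomain: hand the ID token to a sibling iframe.
// targetOrigin is always explicit, never '*', so the token can only be
// delivered to the page we expect.
function postIdToken(targetWindow, idToken, targetOrigin) {
  if (!originAllowed(targetOrigin)) return false;
  targetWindow.postMessage({ idToken }, targetOrigin);
  return true;
}

// Client side, receiving subdomain: accept the token only from a known sibling.
// The caller then POSTs it to the exchange endpoint and calls
// firebase.auth().signInWithCustomToken(customToken) with the response.
function acceptTokenMessage(event) {
  if (!originAllowed(event.origin)) return null;
  if (!event.data || typeof event.data.idToken !== 'string') return null;
  return event.data.idToken;
}
```

Note that the freshness check uses the ID token's `auth_time` claim (time of the original sign-in), not `iat`, because a silently refreshed ID token gets a new `iat` every hour while `auth_time` stays fixed; that is the value that tells you how old the session actually is.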

