-
Notifications
You must be signed in to change notification settings - Fork 373
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[FR] auth: Allow expiry to be specified in .createCustomToken #1016
Comments
I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight. |
I realise this API change will probably need to go through the API council or something like |
+1 Good and needed idea |
@bojeil-google this is really a product decision. WDYT? Should we expose an option to make the expiry time configurable? |
Ok, I checked with some folks. I think we can allow a range from [5min, 1hour] with 1 hour being the default. |
@bojeil-google do you want to start an API proposal or something for this? |
@lsirac has some bandwidth to work on the API proposal this quarter. |
@bojeil-google if it helps I've rebased by original PR #1017 to fix any conflicts (its almost been a year, but luckily there weren't many!) and also set the minimum expiry to 5 mins as per your comment. Hopefully it might be of some eventual use...! |
No chance we can have the 1 hour max increased? |
Yeah, the internal service we use only allows 1 hour max and they are unlikely to change it. I would also agree with that from a security perspective. |
Understood. Do you have any advice on implementing apiKey-like auth since custom tokens don't seem to be a good fit for this use case? |
@alexcastillo did you ever figure out how to implement apiKey-like auth with FIrebase? This is something I'm curious about as well. |
I ended up implementing a custom OAuth workflow with the help of this library: https://github.com/chrisvxd/oauth2-firebase-auth Plus additional work, which you can find in this pull request: chrisvxd/oauth2-firebase-auth#4 Good luck. |
@bojeil-google any updates on the internal review? |
any updates on this, would be really useful :) thanks! |
FIY: @prameshj @renkelvin |
Come on, someone check the buganizer (or whatever y'all are using now) and tell the community. We need the ability to extend the custom tokens beyond an hour. |
Having the same issue I am trying to implement CI/CD workflow based on my login credentials with firebase. The feature actually is not simple to implement from google side.
In addition to these things firebase team need to introduce a scope to these tokens in order to have only access to a specific parts of the system like IAM roles in AWS for example. So i am probably assuming that these feature will not be introduced unless firebase create OAuth like service where we could define our Scope and custom tokens. The same problem appears to be happening if we want to create a Single Sign On button from our website For example "Login with MyWebsite" in order to do that we need to be able to create OAuth redirect to a particular website and create token which will then be used in third party app for signing in with "Login with MyWebsite" button. I am thinking that this will not land even in 5+ years in firebase so we need to find different solution to our usecase. If you have any recommendations i would love to read them! Cheers guys ! |
This is about end-user authentication, if you want to automate your deployments, e.g. with Cloud Build or CircleCI, look into service account credentials, which are exactly for that use-case to authenticate against Google servers. If you want to build your own CI tool and your customers use your own CI tool, the way they'd need to authenticate against your server would be with the ID and refresh tokens.
You can create your own JWT token where you specify your own expiry, and then have an API that checks your own JWT token for validity and whether it's expired/revoked. When your own JWT token is valid, you can create a custom token for using it immediately!
You can add custom claims to your token which will then be part of the Firebase ID token. |
@lahirumaramba @prameshj @renkelvin any updates here? :) |
This issue been on-going for the last 3 years, not to mention people were asking for this since 2018 ? |
maybe next week @ponez |
+1 lmao In the end I just made my own token which is used as an intermediary token to generate a custom token afterwards, but it would've been nice to not have to do this. |
It's been over 6months 💀 |
@pragatimodi mind taking a look? |
ok so it's not closed either I don't like long lived tokens. And for my use case 3600 secs is waaay too much -- would be great to reduce it in a simple way. Use case is -feel free to yell if there are much better way to do this- Logging on to a "sister" app using the same Firebase auth. Specifically, use case is going from a web or mobile-native app to a support web site hosted on a different domain, in 1 click:
Longevity for this use case while maximizing eavesdropping/valid tokens floating around for long periods in time would in my mind be something like 5 to 10 seconds tops. Not opposed to minting custom tokens for this - totally doable, but maybe it's easier to do the reduce expirytime portion of this issue? |
Is your feature request related to a problem? Please describe.
It would be good if you could specify the duration of time you would like the login token to be valid for. For our use at least, the result of
.createCustomToken
is mostly used immediately after being provided to the client, so we'd like to have a very short expiry time.Describe the solution you'd like
Update
.createCustomToken
or a new method.createCustomTokenWithOptions
that takes an expiry.Describe alternatives you've considered
Using the details from create custom tokens using a third-party JWT library, but this seems a bit redundant when the SDK is so close to providing what is needed.
The text was updated successfully, but these errors were encountered: