问题
I have used "signInWithCustomToken()" to authenticate firebase user.
This token expires in 1 hour.
Firebase has recommended token expiration to 1 hour. If we modify the expiry while creating custom token using "php-jwt" library, firebase throws exception "The custom token format is incorrect. Please check the documentation".
While searching for solutions, I found following thread- "Firebase Android Authentication failed: expired_token (Auth token is expired)"
But refreshed token returned by "onTokenRefresh()" doesn't work for me.
What will be the procedure to refresh this custom token?
OR
Is there a way to set manual expiry to custom token?
回答1:
There is a limitation with the Firebase custom token generation. Firebase custom auth token is limited to max 1Hr(3600sec).
exp The time, in seconds, at which the token expires. It can be at a maximum 3600 seconds later than iat.
If auth token expires every hour, its difficult for us to maintain the valid session all the time :(
When we use default Auth providers like (Google, Facebook, Email..); Firebase SDK will take care of refreshing your Auth token by default. But in custom authentication, Firebase SDK need to contact 3rd party server to fetch new token. Here only SDK is failing to refresh the token!
My workaround is, maintain a "last-token-fetch-time" info at local on every successful token fetch, so that we can refresh the token manually after one hour.
You can refer this issue log for more info,
- https://github.com/firebase/quickstart-android/issues/31
- In Firebase 9.0.0 API, how to check the user has valid Auth session or not?
Update:
Google updated their document,
exp (Expiration time): The time, in seconds since the UNIX epoch, at which the token expires. It can be a maximum of 3600 seconds later than the iat. (Note: this only controls the time when the custom token itself expires. But once you sign a user in using signInWithCustomToken(), they will remain signed in into the device until their session is invalidated or the user signs out.)
As document says, custom JWT token is valid for max 1Hr; so before it expires, authenticate your user with Firebase. After that session will remain active; It wont expire!
You can use below method to ensure that user has valid session,
public static boolean hasValidAuthToken() {
return FirebaseAuth.getInstance().getCurrentUser() != null ? true : false;
}
Hope this would help you!
回答2:
The SDK will take care of keeping the tokens up to date IF YOU ARE SETUP correctly. For more info The custom tokens are only used to start a SESSION. So you have to have hour to use a custom token to SIGN IN. Once you are signed in and your Firebase Admin account and app configuration is setup correctly, the SDK can communicate back and forth with the Firebase back-end to keep the tokens up to date. Once you sign out with FirebaseAuth.signout(), you will need a new custom token to sign back in if it has been over 1 hour.
回答3:
Something like this is a way to check the Token and see if its expired. You can then mint a new one
public async Task<string> GetIdTokenAsync()
{
// Get current time in seconds from Epoch
var secondsSinceEpoch = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
// We have already minted a token for this session, so check if we need a new one
if (this.idToken != null)
{
// Check to see if current token is expired or will expire soon
var idTokenExpiration = JwtDecoder.TokenExpirationTime(this.idToken);
if (idTokenExpiration > (secondsSinceEpoch - 60L))
{
return this.idToken;
}
}
// No id token for this session, or we have an id token, but its expired, so mint a new one
this.idToken = await auth?.CurrentUser?.GetIdTokenAsync(true);
return this.idToken;
}
回答4:
You can get refreshed token using this code
FirebaseInstanceId.getInstance().getToken();
FirebaseInstanceId is my Class Name change it according to you.
来源:https://stackoverflow.com/questions/38350843/how-to-handle-custom-firebase-token-expiry-in-firebase-3-x-x