问题
According to Firebase documentation, a refresh token is only for advanced scenarios that require explicitly refreshing tokens.
In which cases should I use that token, and what are the advantages of using it?
private afAuth: AngularFireAuth
this.afAuth.auth.currentUser.getIdToken()
.then(idToken => // Gives me a different token from key name called pa);
Also, I'm not sure the difference between refreshToken and the returned token from getIdToken(). Currently, I'm using the latter for HTTP requests.
Note: getIdToken returns a JWT token used to identify the user to a Firebase service.
回答1:
Refreshtoken:
A refresh token for the user account. Use only for advanced scenarios that require explicitly refreshing tokens.
GetIdToken:
Returns a JWT token used to identify the user to a Firebase service. Returns the current token if it has not expired, otherwise this will refresh the token and return a new one.
The refreshtoken is used in the following situations:
The current user's access token is refreshed. This case can happen in the following conditions:
- The access token expires: this is a common situation. The refresh token is used to get a new valid set of tokens.
The user changes their password: Firebase issues new access and refresh tokens and renders the old tokens expired. This automatically expires the user's token and/or signs out the user on every device, for security reasons.
The user re-authenticates: some actions require that the user's credentials are recently issued; such actions include deleting an account, setting a primary email address, and changing a password. Instead of signing out the user and then signing in the user again, get new credentials from the user, and pass the new credentials to the reauthenticate method of the User object.
more info here: https://firebase.google.com/docs/auth/users
回答2:
Adding to the above answer, make sure you have the Token Service API enabled for your project. From what I've read so far, firebase Auth SDK for browsers manages the part of using the refresh token when the access token expires (access token expires every 60mins). This will require the SDK to call a secure token google endpoint. The Token Service API lets you exchange either an ID token or a refresh token for an access token and a new refresh token. My suggestion to you is based on an issue faced by someone before and you can find more about it here.
If you’re looking to manage sessions on the backend side, you’ll require to store the refresh token in your system (database maybe). This is because the firebase SDK does not have a persistent storage mechanism for a server. You can check the code for that here.
Also, if you more inclined more towards a backend solution for session-management, I'll suggest going with a solution that provides refresh token rotation. It basically uses two tokens (access and refresh tokens) which change over time and this change also allows us to detect token theft. This method is also suggested in IETF's RFC 6749.
If you want to have a look at some solutions based on this rotating refresh token idea and some other good features like token theft detection, check out this product: Supertokens.
来源:https://stackoverflow.com/questions/48599030/firebase-when-should-i-use-refreshtoken