How to handle custom firebase token expiry in Firebase 3.x.x

Question

I have used \"signInWithCustomToken()\" to authenticate firebase user.

This token expires in 1 hour.

Firebase has recommended tok

Answer 1

There is a limitation with the Firebase custom token generation. Firebase custom auth token is limited to max 1Hr(3600sec).

exp The time, in seconds, at which the token expires. It can be at a maximum 3600 seconds later than iat.

If auth token expires every hour, its difficult for us to maintain the valid session all the time :(

When we use default Auth providers like (Google, Facebook, Email..); Firebase SDK will take care of refreshing your Auth token by default. But in custom authentication, Firebase SDK need to contact 3rd party server to fetch new token. Here only SDK is failing to refresh the token!

My workaround is, maintain a "last-token-fetch-time" info at local on every successful token fetch, so that we can refresh the token manually after one hour.

You can refer this issue log for more info,

1. https://github.com/firebase/quickstart-android/issues/31
2. In Firebase 9.0.0 API, how to check the user has valid Auth session or not?

Update:

Google updated their document,

exp (Expiration time): The time, in seconds since the UNIX epoch, at which the token expires. It can be a maximum of 3600 seconds later than the iat. (Note: this only controls the time when the custom token itself expires. But once you sign a user in using signInWithCustomToken(), they will remain signed in into the device until their session is invalidated or the user signs out.)

As document says, custom JWT token is valid for max 1Hr; so before it expires, authenticate your user with Firebase. After that session will remain active; It wont expire!

You can use below method to ensure that user has valid session,

public static boolean hasValidAuthToken() {
    return FirebaseAuth.getInstance().getCurrentUser() != null ? true : false;
}

Hope this would help you!