Is there any way to keep a person authenticated with firebase across subdomains

Question

I use firebase for authentication on my website and I want to keep the users auth session active across subdomains.

Unfortunately, firebase uses Local Storage to sto

Answer 1

this is correct. Firebase only supports single host origin sessions. Firebase Auth is looking into supporting cookies. For now there is no easy solution for this. Feel free to request this feature at the Firebase forum: https://groups.google.com/forum/#!forum/firebase-talk

For now, if you really need this, here is one relatively easy option: Create an endpoint that takes a Firebase ID token and basically returns a custom token for its underlying user (you would need to use the Admin SDK to do this, you verify then ID token, get the user UID and then mint a custom token). The subdomain where the user signed in would pass the ID token to the other subdomain where the user is still not authenticated (you can use iframe cross origin postMessage to pass it, or just save that ID token in a *.domain.com policy). The custom token can then be used to signInWithCustomToken with the custom token, effectively signing in the same user on this page.

This is risky though as the endpoint could expose a vulnerability (it transforms a short lived token to an indefinite one). If the ID token is leaked, an attacker can basically sign-in as the user exploiting this endpoint.