Is there any way to keep a person authenticated with firebase across subdomains

Backend · Unresolved · 4 answers · 1022 views
鱼传尺愫 2021-01-12 05:14

I use firebase for authentication on my website and I want to keep the users auth session active across subdomains.

Unfortunately, firebase uses Local Storage to sto

4 answers
  •  日久生厌
    2021-01-12 05:34

    After having spent much longer than I intended getting single sign-in working across subdomains, I wrote up a blog post detailing how to accomplish this.

    As a high level overview (which ignores the important security details):

    1. We have three applications at different domains.

      • accounts.domain.com
      • app1.domain.com
      • app2.domain.com
    2. We have three Firebase Functions

      • ...cloudfunctions.net/users-signin
      • ...cloudfunctions.net/users-checkAuthStatus
      • ...cloudfunctions.net/users-signout

    In order to sign in:

    1. Someone navigates to the accounts.domain.com app
    2. They provide their authentication information
    3. That authentication information is sent to our /users-signin cloud function which verifies the information and, if valid, sets a signed __session cookie which contains the user's UID and returns a success indication to the client.
    4. On success, the client calls the /users-checkAuthStatus cloud function which looks for the signed __session cookie, extracts the user UID, and uses the UID and the firebase-admin SDK to mint a custom auth token which it returns to the client.
    5. When the client receives this custom auth token, it uses it to sign in using the firebase javascript SDK.
    6. When someone navigates to one of the other apps, say app1.domain.com, the app first checks to see if the person is already signed in using the firebase javascript SDK.
      1. If they are, awesome.
      2. If not, it calls the /users-checkAuthStatus cloud function which looks for the signed __session cookie and returns a custom auth token to the client if a valid __session cookie is found.
        • If a custom auth token is returned, the client uses it to sign the user in using the firebase sdk.
        • If a custom auth token is not returned, it means the user isn't authenticated. You can then optionally redirect them to the authentication app to sign in.

    Again, this is a high level overview which ignores issues like cross-site-scripting attacks, actually signing out, etc. For more information, check out the blog post.
