Firebase 3.x - Token / Session Expiration

Question

Does anyone know how long would it take for the token to expire? There no option now to set the token validity on the console.

Frank van Puffelen · Accepted Answer · 2022-10-25T18:57:09.523

60

Since May 2016 Firebase Authentication login sessions don't expire anymore. Instead they use a combination of long-lived account tokens and short-lived, auto-refreshed access/ID tokens to get the best of both worlds.

If you want to end a user's session, you can call signOut().

edited Oct 25 '22 at 18:57

answered May 27 '16 at 15:46

Frank van Puffelen

565,676
79
828
807

Frank, could you elaborate on the details? For instance, FB long-lived token expires in 60 days but auto-refreshed once a day when someone makes any request but will force login flow if no request is made. – pixelfreak May 28 '16 at 18:51
The latest release of Firebase Authentication gives mes this "[FirebaseDatabase] Authentication failed: expired_token (Auth token is expired)" – WYS Jun 09 '16 at 07:38
In the new Firebase, session only expires if you have a big changes in your account, let's say you change your password, etc. – shibapoo Jun 09 '16 at 10:22
1

My token expire every one hour, i have added SHA-1 in firebase console, I send the token to my custom server for verification. Could anyone help me why my expiry time is just one hour. – Bikash Oct 30 '16 at 03:54
1

It seems this has changed yet again, and now the tokens do expire after a while. – Incinerator May 16 '17 at 14:39
10

This hasn't changed. Login sessions don't expire. But the short-lived tokens (I think they're called ID tokens) are valid for only an hour. When you use a Firebase SDK, it auto-refreshes those short-lived tokens. – Frank van Puffelen May 16 '17 at 14:45
4

Since the ID tokens expire once an hour, how can we use them to authenticate with a custom server? I followed the directions on how to [verify id tokens](https://firebase.google.com/docs/auth/admin/verify-id-tokens) on my server, but now the server can't recognize a logged in user after only an hour passes. – django09 Jun 30 '17 at 03:16
2

options 1: have a response intercept and refresh the token if the token is invalid and remake the API call. – Giridhar Karnik Sep 16 '17 at 14:42

score 32 · Answer 2 · edited Nov 29 '16 at 05:47

32

Its does expire. After one hour logged in the token id expire. If you try to verify sdk returns a error "Error: Firebase ID token has expired. Get a fresh token from your client app and try again. See https://firebase.google.com/docs/auth/server/verify-id-tokens for details on how to retrieve an ID token."

Is There such a way to change expiration time to Firebase token, not custom token.

Anybody that know how this really works.

edited Nov 29 '16 at 05:47

hallmanitor

318
1
4
9

answered Nov 27 '16 at 18:05

Miguel Peguero

468
5
5

Any solutions running into this issue? – Lion789 Jan 16 '17 at 00:20
1

you could always use `currentUser.getIdToken()` but my problem is that this returns a promise :-/ I don't want to do async stuff in my request interceptors... – ProblemsOfSumit Sep 20 '17 at 08:44
1

@ProblemsOfSumit you can pass a boolean 'false' as a parameter to getIdToken to make it synchronous. – geeky_monster Sep 27 '19 at 10:57

score 7 · Answer 3 · edited Oct 26 '20 at 17:48

For anyone that is still confused, it is all explained in great detail here

If your app includes a custom backend server, ID tokens can and should be used to communicate securely with it. Instead of sending requests with a user’s raw uid which can be easily spoofed by a malicious client, send the user's ID token which can be verified via a Firebase Admin SDK (or even a third-party JWT library if Firebase does not have an Admin SDK in your language of choice). To facilitate this, the modern client SDKs provide convenient methods for retrieving ID tokens for the currently logged-in user. The Admin SDK ensures the ID token is valid and returns the decoded token, which includes the uid of the user it belongs to as well as any custom claims added to it.

the token still expires after one hour and this does not solve the issue — Andre Thiele, Jul 15 '21 at 16:31

score 6 · Answer 4 · answered Jul 25 '20 at 13:03

If the above answer is still confusing to you, This is what i did:

firebase.auth().onAuthStateChanged(async user => {
    if (user) {
        const lastSignInTime = new Date(user.metadata.lastSignInTime);
        const lastSignInTimeTimeStamp = Math.round(lastSignInTime.getTime() / 1000);
        const yesterdayTimeStamp = Math.round(new Date().getTime() / 1000) - (24 * 3600);
        if(lastSignInTimeTimeStamp < yesterdayTimeStamp){
          await firebase.auth().signOut()
          this.setState({
            loggedIn: false
          });
          return false;
        }
        this.setState({
          loggedIn: true,
          user
        });
      }
    })

Firebase 3.x - Token / Session Expiration

4 Answers4

Linked