I'm using custom tokens in my app and server for authentication. The old Firebase had an option to configure the session expiration time for all its tokens, so that when the session expired the client had to ask the server for a new token, thus creating a token regeneration cycle at a fixed interval.
I would like to have the same functionality with the new Firebase auth system.
The documentation states that the token expiry parameter is for the token itself only, and that the user remains signed in until he signs out or the session is invalidated.
How can I invalidate the session in order to trigger the onAuthStateChanged event so that I can ask my server for a new token?
Furthermore, when exactly does the onAuthStateChanged event fire? I have never had this callback execute.
Note
The getToken method in the Android SDK has an option to force-refresh the token, which generates a new token and signs the user in automatically. While this is an interesting option, how exactly can the app itself generate a new token without the server being involved is beyond me: the server is the one who has all the needed parameters to generate this token, including the private key that I get from the JSON file that's needed for custom tokens.
EDIT
An attempt to validate the app-generated tokens on the server side results in an invalid signature error.
how exactly can the app itself generate a new token without the server being involved is beyond me: the server is the one who has all the needed parameters to generate this token
That is correct, tokens are always generated server side. But Firebase Auth handles token renewal/regeneration transparently, so there shouldn't be any additional work for you there.
How can I invalidate the session in order to trigger the onAuthStateChanged event so that I can ask my server for a new token?
Are you minting the tokens yourself?
If so, use the exp claim on the token to define expiration. This will NOT trigger onAuthStateChanged, as the user is not actually changing state; you need to invalidate the session manually and handle token refresh.
From docs:
this only controls the time when the custom token itself expires. But once you sign a user in using signInWithCustomToken(), they will remain signed in into the device until their session is invalidated or the user signs out.
The "invalid signature" error is most probably caused by a missing claim in the JWT.
If you are not minting your own JWT tokens
Then you should not be doing any work regarding token creation and refresh. Firebase will handle everything in the background; you just need to use the Firebase SDK on your server to check that the token is valid.
Furthermore, when exactly does the onAuthStateChanged event fire? I have never had this callback execute.
This is just an async callback to ensure you don't call Firebase Auth while it's still being built. It will be called when the login status of the user changes (e.g. you call loginWithProvider or logout). These changes are usually triggered by a user action but are handled asynchronously to ensure Firebase is completely set up to handle the change.
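The EDIT in the question and the minting advice in the answer, as an added example (not code from the original posts or from Firebase): a Node.js sketch that mints a custom token with exp capped at one hour and shows that a token signed by a different key fails verification against the service-account public key. Both key pairs, the project ID example-project, the uid and all helper names are constructed for illustration; the second key pair stands in for Google's signing key, which signs the ID token the client SDK returns.

```javascript
// Added example: constructed keys and identifiers, no network access.
const crypto = require('crypto');

const b64url = (x) => Buffer.from(x).toString('base64url');
const CUSTOM_AUD =
  'https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit';

// Sign header.payload with RS256 and return a compact JWT.
function signJwt(claims, privateKey) {
  const input = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' })) + '.' +
    b64url(JSON.stringify(claims));
  return input + '.' +
    crypto.sign('RSA-SHA256', Buffer.from(input), privateKey).toString('base64url');
}

// Custom token: minted by your server with the service-account private key.
function mintCustomToken(uid, serviceAccountEmail, privateKey, ttlSeconds, now) {
  if (ttlSeconds > 3600) throw new Error('exp may be at most 1 hour after iat');
  return signJwt({ iss: serviceAccountEmail, sub: serviceAccountEmail,
    aud: CUSTOM_AUD, iat: now, exp: now + ttlSeconds, uid }, privateKey);
}

// Decode claims WITHOUT trusting them, only to decide which key set applies.
function tokenKind(jwt) {
  const claims = JSON.parse(Buffer.from(jwt.split('.')[1], 'base64url').toString());
  if (claims.aud === CUSTOM_AUD) return 'custom';
  if (String(claims.iss).startsWith('https://securetoken.google.com/')) return 'id';
  return 'unknown';
}

function verifySignature(jwt, publicKey) {
  const [h, p, s] = jwt.split('.');
  return crypto.verify('RSA-SHA256', Buffer.from(h + '.' + p), publicKey,
    Buffer.from(s, 'base64url'));
}

// Constructed stand-ins: one key pair for the service account, one for Google's signer.
const serviceAccount = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const googleSigner = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const now = 1700000000; // constructed fixed timestamp
const customToken = mintCustomToken('user-123',
  'sa@example-project.iam.gserviceaccount.com', serviceAccount.privateKey, 3600, now);
// Stand-in for what getToken() returns on the client: an ID token not signed by your key.
const idToken = signJwt({ iss: 'https://securetoken.google.com/example-project',
  aud: 'example-project', sub: 'user-123', iat: now, exp: now + 3600 },
  googleSigner.privateKey);
```

Running `tokenKind` before verification lets the server route an ID token to the Firebase SDK's verification rather than checking it against the service-account key.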