
How to handle custom firebase token expiry in Firebase 3.x.x

I have used "signInWithCustomToken()" to authenticate a Firebase user.

This token expires in 1 hour.

Firebase has recommended a token expiration of 1 hour. If we modify the expiry while creating the custom token using the "php-jwt" library, Firebase throws the exception "The custom token format is incorrect. Please check the documentation".

While searching for solutions, I found the following thread: "Firebase Android Authentication failed: expired_token (Auth token is expired)"

But the refreshed token returned by "onTokenRefresh()" doesn't work for me.

What is the procedure to refresh this custom token?

OR

Is there a way to set a manual expiry on the custom token?

asked Jul 13 '16 11:07 by Varsha P



2 Answers

There is a limitation with Firebase custom token generation. A Firebase custom auth token is limited to a maximum of 1 hour (3600 sec).

exp The time, in seconds, at which the token expires. It can be at a maximum 3600 seconds later than iat.

If the auth token expires every hour, it's difficult for us to maintain a valid session all the time :(

When we use the default auth providers (Google, Facebook, Email, ...), the Firebase SDK takes care of refreshing your auth token by default. But with custom authentication, the Firebase SDK needs to contact a 3rd-party server to fetch a new token. This is the only place where the SDK fails to refresh the token!

My workaround is to maintain a "last-token-fetch-time" value locally on every successful token fetch, so that we can refresh the token manually after one hour.

You can refer to these issue logs for more info:

  1. https://github.com/firebase/quickstart-android/issues/31
  2. In Firebase 9.0.0 API, how to check the user has valid Auth session or not?

Update:

Google updated their documentation:

exp (Expiration time): The time, in seconds since the UNIX epoch, at which the token expires. It can be a maximum of 3600 seconds later than the iat. (Note: this only controls the time when the custom token itself expires. But once you sign a user in using signInWithCustomToken(), they will remain signed in into the device until their session is invalidated or the user signs out.)

As the documentation says, the custom JWT token is valid for a maximum of 1 hour, so authenticate your user with Firebase before it expires. After that the session will remain active; it won't expire!

You can use the method below to check that the user has a valid session:

import com.google.firebase.auth.FirebaseAuth;

// True when a Firebase user is currently signed in on this device.
public static boolean hasValidAuthToken() {
    return FirebaseAuth.getInstance().getCurrentUser() != null;
}

Hope this would help you!

answered Sep 17 '22 19:09 by Karthi R


The SDK will take care of keeping the tokens up to date IF YOU ARE SET UP correctly. For more info The custom tokens are only used to start a SESSION. So you have an hour to use a custom token to SIGN IN. Once you are signed in and your Firebase Admin account and app configuration are set up correctly, the SDK can communicate back and forth with the Firebase back-end to keep the tokens up to date. Once you sign out with FirebaseAuth.signOut(), you will need a new custom token to sign back in if it has been over 1 hour.

answered Sep 19 '22 19:09 by Jeremy House
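Both answers turn on the same rule: exp can be at most 3600 seconds later than iat, and the custom token must be used to sign in before exp. The following is an added example, not code from the question or either answer: a server-side check that decodes a custom token's payload and reports violations of that rule. The function names, the sample uid and the sample timestamps are constructed for illustration.

```python
import base64
import json

MAX_LIFETIME = 3600  # seconds: exp may be at most this much later than iat

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_payload(token: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(segment))

def custom_token_problems(token: str, now: int) -> list:
    """Return the ways the token breaks the iat/exp rule quoted above."""
    claims = decode_payload(token)
    missing = [c for c in ("iat", "exp") if not isinstance(claims.get(c), int)]
    if missing:
        return ["missing or non-integer claim: " + ", ".join(missing)]
    problems = []
    lifetime = claims["exp"] - claims["iat"]
    if lifetime <= 0:
        problems.append("exp is not later than iat")
    elif lifetime > MAX_LIFETIME:
        problems.append(f"exp is {lifetime}s after iat; the maximum is {MAX_LIFETIME}s")
    if now >= claims["exp"]:
        problems.append("token already expired; mint a new one before signing in")
    return problems

def sample_token(iat: int, lifetime: int) -> str:
    """Constructed sample: unsigned placeholder token with a made-up uid."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(
        {"uid": "example-user", "iat": iat, "exp": iat + lifetime}).encode())
    return f"{header}.{payload}.{b64url(b'not-a-real-signature')}"

if __name__ == "__main__":
    issued = 1468409220  # constructed timestamp
    cases = ((3600, 60), (86400, 60), (3600, 4000))  # (lifetime, seconds since iat)
    for lifetime, elapsed in cases:
        token = sample_token(issued, lifetime)
        print(lifetime, elapsed, custom_token_problems(token, issued + elapsed))
```

Running the check on the server before returning a token to the client catches an over-long exp where it is set, rather than as a sign-in error on the device.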