
Is there any way to keep a person authenticated with firebase across subdomains

I use firebase for authentication on my website and I want to keep the users auth session active across subdomains.

Unfortunately, Firebase uses Local Storage to store the user's session, which is independent for each subdomain.

I already know that you can generate a JWT token using Firebase from the server side, but then it doesn't allow the user to log out of the site, because the user would still end up logged in on the other subdomains.

geooot asked Jul 12 '17 14:07


2 Answers

It appears Firebase now has support for cookies built in so you should be able to follow this new guide to use it across subdomains:

https://firebase.google.com/docs/auth/admin/manage-cookies

Travis Reeder answered Oct 13 '22 00:10


After having spent much longer than I intended getting single sign-in working across subdomains, I wrote up a blog post detailing how to accomplish this.

As a high level overview (which ignores the important security details):

  1. We have three applications at different domains.

    • accounts.domain.com
    • app1.domain.com
    • app2.domain.com
  2. We have three Firebase Functions

    • ...cloudfunctions.net/users-signin
    • ...cloudfunctions.net/users-checkAuthStatus
    • ...cloudfunctions.net/users-signout

In order to sign in:

  1. Someone navigates to the accounts.domain.com app
  2. They provide their authentication information
  3. That authentication information is sent to our /users-signin cloud function which verifies the information and, if valid, sets a signed __session cookie which contains the user's UID and returns a success indication to the client.
  4. On success, the client calls the /users-checkAuthStatus cloud function which looks for the signed __session cookie, extracts the user UID, and uses the UID and the firebase-admin SDK to mint a custom auth token which it returns to the client.
  5. When the client receives this custom auth token, it uses it to sign in using the firebase javascript SDK.
  6. When someone navigates to one of the other apps, say app1.domain.com, the app first checks to see if the person is already signed in using the firebase javascript SDK.
    1. If they are, awesome.
    2. If not, it calls the /users-checkAuthStatus cloud function which looks for the signed __session cookie and returns a custom auth token to the client if a valid __session cookie is found.
      • If a custom auth token is returned, the client uses it to sign the user in using the firebase sdk.
      • If a custom auth token is not returned, it means the user isn't authenticated. You can then optionally redirect them to the authentication app to sign in.

Again, this is a high-level overview which ignores issues like cross-site scripting attacks, actually signing out, etc. For more information, check out the blog post.

John answered Oct 12 '22 22:10