
Why can't we use getUid() to authenticate with your backend server in Firebase Authentication?

In this code snippet (from the Firebase docs) they mention: do not use user.getUid() to authenticate with your backend server; use FirebaseUser.getToken() instead.

import android.net.Uri;
import com.google.firebase.auth.FirebaseAuth;
import com.google.firebase.auth.FirebaseUser;

// Runs inside an Activity or other Android component after sign-in.
FirebaseUser user = FirebaseAuth.getInstance().getCurrentUser();
if (user != null) {
    // Name, email address, and profile photo Url
    String name = user.getDisplayName();
    String email = user.getEmail();
    Uri photoUrl = user.getPhotoUrl();

    // The user's ID, unique to the Firebase project. Do NOT use this value to
    // authenticate with your backend server, if you have one. Use
    // FirebaseUser.getToken() instead.
    String uid = user.getUid();
}


getUid()    A unique user ID, intended as the user's unique key across all providers.   
getToken()  The Firebase authentication token for this session.

My requirement is:

  1. First I will register the user with the Firebase authentication method (email and password).
  2. I will save String uid = user.getUid(); in my own backend server once registration is successful.
  3. User credit information, say the user's balance, is saved in my own backend server under the key user.getUid().
  4. The user signs in with email and password and asks for his balance.
  5. I will get user.getUid() from Firebase and match it with my records; if a match is found, return the balance to the user.

They said getUid() is a unique user ID, but do NOT use this value to authenticate with your backend server.

Why so? Why can't we use getUid() to authenticate with our backend server?

user3559471 asked Jun 22 '16 09:06



1 Answer

The uid is a unique identifier for the user. So, while it identifies the user, it does not authenticate them.

A simple corollary is that my Stack Overflow ID is 209103. Knowing that, you can identify me. But proving to Stack Overflow that you are Frank van Puffelen requires that you know my credentials.

The ID of a user is quite often exposed in the interface. For example, if you click on my profile, you will see my ID. This is necessary for identifying me. If you also used that same ID to authenticate, everyone who had seen your profile once could impersonate you on the site. Not a good idea when it comes to security.

Frank van Puffelen answered Sep 27 '22 21:09

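The following is an added example, not code from the question, the answer, or Firebase's own SDKs. It puts the answer's point into a toy backend: the design in the question's step 5 (trust a uid sent by the client) next to the design the Firebase comment asks for (derive the uid from a verified ID token). A real Firebase ID token is an RS256-signed JWT that the server checks against Google's published public keys, typically with the Admin SDK's firebase_admin.auth.verify_id_token(); to run offline this example substitutes an HMAC-SHA256 signature with a shared secret, so SIGNING_SECRET, PROJECT_ID, the uids and the balances are all made-up constants, and mint_id_token() merely stands in for the token the client gets from getToken(). The claim layout (iss, aud, sub, iat, exp) follows the Firebase ID token format, and verify_id_token() checks each of those the way a real verifier must.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

PROJECT_ID = "demo-project"                                  # assumed Firebase project id
ISSUER = "https://securetoken.google.com/" + PROJECT_ID       # issuer layout of Firebase ID tokens
SIGNING_SECRET = b"stand-in-for-googles-private-key"          # assumption: HMAC key instead of Google's RS256 key pair

# Constructed sample records: what steps 2-3 of the question store, keyed by uid.
BALANCES = {"uid_alice_123": 250.0, "uid_bob_456": 40.0}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(uid: str, ttl: int = 3600, now: Optional[float] = None,
                  secret: bytes = SIGNING_SECRET, audience: str = PROJECT_ID) -> str:
    """Stands in for the token FirebaseUser.getToken() hands the client: a signed,
    short-lived JWT whose 'sub' claim carries the uid. Only the issuer holds the
    real secret; the 'secret' parameter exists so a forgery attempt can be shown."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": audience, "sub": uid,
              "iat": int(now), "exp": int(now) + ttl}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_id_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Server side: return the uid only if signature, issuer, audience and expiry
    all check out. Any defect yields None, never a partially trusted uid."""
    now = time.time() if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        expected = hmac.new(SIGNING_SECRET, (header_b64 + "." + claims_b64).encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time compare
            return None
        claims = json.loads(b64url_decode(claims_b64))
    except ValueError:  # malformed token, bad base64, bad JSON (all ValueError subclasses)
        return None
    if not isinstance(claims, dict):
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != PROJECT_ID:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    sub = claims.get("sub")
    return sub if isinstance(sub, str) and sub else None


def get_balance_insecure(request: dict) -> Optional[float]:
    """Step 5 as written in the question: the server trusts whatever uid the
    client puts in the request. Anyone who has learned a uid can read that balance."""
    return BALANCES.get(request.get("uid"))


def get_balance_secure(request: dict, now: Optional[float] = None) -> Optional[float]:
    """What the Firebase comment recommends: the uid is taken from a verified ID
    token, never from an unauthenticated request field."""
    uid = verify_id_token(request.get("id_token", ""), now=now)
    return None if uid is None else BALANCES.get(uid)


if __name__ == "__main__":
    # Constructed walk-through: a legitimate client vs. someone who only knows the uid.
    alice_token = mint_id_token("uid_alice_123")
    print("secure, real token:", get_balance_secure({"id_token": alice_token}))   # 250.0
    print("secure, uid only:  ", get_balance_secure({"uid": "uid_alice_123"}))    # None
    print("insecure, uid only:", get_balance_insecure({"uid": "uid_alice_123"}))  # 250.0
```

The uid is still the key for the balance record, exactly as the question intends; what changes is where the server gets it from. In the insecure path the uid is a request parameter, so it is attacker-controlled; in the secure path it is the `sub` claim of a token whose signature the server has checked, so presenting it proves possession of a session Firebase issued after the password check. Expiry, issuer and audience checks matter too: without them a leaked old token, or a valid token minted for a different project, would still be accepted.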