How to handle custom firebase token expiry in Firebase 3.x.x

Question

I have used \"signInWithCustomToken()\" to authenticate firebase user.

This token expires in 1 hour.

Firebase has recommended tok

Answer 1

You can get refreshed token using this code

FirebaseInstanceId.getInstance().getToken();

FirebaseInstanceId is my Class Name change it according to you.

Answer 2

Something like this is a way to check the Token and see if its expired. You can then mint a new one

public async Task<string> GetIdTokenAsync()
{
  // Get current time in seconds from Epoch
  var secondsSinceEpoch = DateTimeOffset.UtcNow.ToUnixTimeSeconds();

  // We have already minted a token for this session, so check if we need a new one 
  if (this.idToken != null)
  {
    // Check to see if current token is expired or will expire soon
    var idTokenExpiration = JwtDecoder.TokenExpirationTime(this.idToken);
    if (idTokenExpiration > (secondsSinceEpoch - 60L))
    {
      return this.idToken;
    }
  }

  // No id token for this session, or we have an id token, but its expired, so mint a new one
  this.idToken = await auth?.CurrentUser?.GetIdTokenAsync(true);
  return this.idToken;
}

Answer 3

The SDK will take care of keeping the tokens up to date IF YOU ARE SETUP correctly. For more info The custom tokens are only used to start a SESSION. So you have to have hour to use a custom token to SIGN IN. Once you are signed in and your Firebase Admin account and app configuration is setup correctly, the SDK can communicate back and forth with the Firebase back-end to keep the tokens up to date. Once you sign out with FirebaseAuth.signout(), you will need a new custom token to sign back in if it has been over 1 hour.

Answer 4

There is a limitation with the Firebase custom token generation. Firebase custom auth token is limited to max 1Hr(3600sec).

exp The time, in seconds, at which the token expires. It can be at a maximum 3600 seconds later than iat.

If auth token expires every hour, its difficult for us to maintain the valid session all the time :(

When we use default Auth providers like (Google, Facebook, Email..); Firebase SDK will take care of refreshing your Auth token by default. But in custom authentication, Firebase SDK need to contact 3rd party server to fetch new token. Here only SDK is failing to refresh the token!

My workaround is, maintain a "last-token-fetch-time" info at local on every successful token fetch, so that we can refresh the token manually after one hour.

You can refer this issue log for more info,

1. https://github.com/firebase/quickstart-android/issues/31
2. In Firebase 9.0.0 API, how to check the user has valid Auth session or not?

Update:

Google updated their document,

exp (Expiration time): The time, in seconds since the UNIX epoch, at which the token expires. It can be a maximum of 3600 seconds later than the iat. (Note: this only controls the time when the custom token itself expires. But once you sign a user in using signInWithCustomToken(), they will remain signed in into the device until their session is invalidated or the user signs out.)

As document says, custom JWT token is valid for max 1Hr; so before it expires, authenticate your user with Firebase. After that session will remain active; It wont expire!

You can use below method to ensure that user has valid session,

public static boolean hasValidAuthToken() {
    return FirebaseAuth.getInstance().getCurrentUser() != null ? true : false;
}

Hope this would help you!