Add customToken option to firebase #3491

Closed
viperfx opened this issue Oct 1, 2021 · 4 comments · Fixed by #3613, #3615 or #3614

Comments

@viperfx
Contributor

viperfx commented Oct 1, 2021

I currently use a custom firebase client because I utilize their signInWithCustomToken method.

    // Sign in with a token when the caller selects the 'token' provider
    if (options.providerId === 'token' && options.token) {
      return firebaseAuth.signInWithCustomToken(auth, options.token)
    }

It would be great if we can add this option to the redwood firebase client.

@thedavidprice
Contributor

cc @doesnotexist

@doesnotexist
Contributor

doesnotexist commented Oct 1, 2021

Yeah, so the web/authclient side seems pretty straightforward. As for the api-side decoder, we would need to change the decoder to be aware of custom tokens or decode them correctly. The current api-side decoder calls firebase's verifyIdToken(), which may only work with firebase generated tokens and not custom tokens: https://stackoverflow.com/questions/44368643/verifying-firebase-custom-token-to-get-token-id-fails-when-using-jsonwebtoken

I'm not sure which token is going to be sent, the ID token generated from signInWithCustomToken() or the custom token. If it's the ID token perhaps nothing needs to change api-side. I'll look into this a bit more when I can.

@viperfx
Contributor Author

viperfx commented Oct 1, 2021

Yep that's a good point.

I currently only use firebase generated tokens for SSO and when I created this issue, I had actually meant only to support that. I don't think I've come across anyone who uses custom tokens yet.

And yes, can confirm. For the firebase token, I only had to handle the token param on front-end and add the method to my custom firebase client. No changes needed on API.

@doesnotexist
Contributor

doesnotexist commented Oct 7, 2021

@viperfx yeah I confirmed no change is needed on api side; the custom token is only used to login/signup, but then the AuthProvider getToken() returns the firebase idToken associated with the user who logged in, and it is decoded properly.

@thedavidprice
I think this is ready to be merged. I had one open question:
#3529 (comment)

Update: I think since JWTs are known to be stateless, skipping the revocation check is correct, and apps can do their own check for revocation when it makes sense.
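
The distinction discussed in this thread, as an added example (not code from the thread or from Redwood): a custom token and a Firebase ID token can be told apart by their claims, so an api-side decoder can reject a custom token with a clear error before calling `verifyIdToken()`. The claim layouts are the ones Firebase documents for the two token types; `classifyFirebaseToken`, the project ID, service account and sample tokens are constructed for illustration, and the check does not verify signatures.

```javascript
const CUSTOM_TOKEN_AUD =
  'https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit'
const ID_TOKEN_ISS_PREFIX = 'https://securetoken.google.com/'

// Decode the JWT payload segment; returns null for anything that is not a JWT.
function decodePayload(jwt) {
  const parts = typeof jwt === 'string' ? jwt.split('.') : []
  if (parts.length !== 3) return null
  try {
    const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/')
    const payload = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'))
    return payload && typeof payload === 'object' ? payload : null
  } catch {
    return null
  }
}

// 'custom-token': minted by the app's backend, only valid as sign-in input.
// 'id-token': issued by Firebase after sign-in, the kind verifyIdToken() expects.
function classifyFirebaseToken(jwt, projectId) {
  const p = decodePayload(jwt)
  if (!p) return 'malformed'
  if (p.aud === CUSTOM_TOKEN_AUD && typeof p.uid === 'string') return 'custom-token'
  const isIdToken =
    p.iss === ID_TOKEN_ISS_PREFIX + projectId &&
    p.aud === projectId &&
    typeof p.sub === 'string' && p.sub.length > 0
  return isIdToken ? 'id-token' : 'unknown'
}

// Constructed sample tokens (fake signature, hypothetical project and user).
const b64url = (obj) =>
  Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')
const makeSampleToken = (payload) =>
  [b64url({ alg: 'RS256', typ: 'JWT' }), b64url(payload), 'ZmFrZQ'].join('.')

const SAMPLE_PROJECT = 'demo-project'
const SAMPLE_SA = 'firebase-adminsdk@demo-project.iam.gserviceaccount.com'
const sampleCustomToken = makeSampleToken({
  iss: SAMPLE_SA, sub: SAMPLE_SA, aud: CUSTOM_TOKEN_AUD, uid: 'user-123',
})
const sampleIdToken = makeSampleToken({
  iss: ID_TOKEN_ISS_PREFIX + SAMPLE_PROJECT, aud: SAMPLE_PROJECT, sub: 'user-123',
})

console.log(classifyFirebaseToken(sampleCustomToken, SAMPLE_PROJECT)) // custom-token
console.log(classifyFirebaseToken(sampleIdToken, SAMPLE_PROJECT)) // id-token
```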
