
Firebase Authentication: admin custom token cannot be refreshed after one hour


I think the Firebase Admin SDK is missing a very important feature (or maybe its documentation is).

TL;DR: how do you refresh a custom token using the Admin SDK?

The documentation (https://firebase.google.com/docs/auth/admin/manage-sessions) says:

Firebase Authentication sessions are long lived. Every time a user signs in, the user credentials are sent to the Firebase Authentication backend and exchanged for a Firebase ID token (a JWT) and a refresh token. Firebase ID tokens are short lived and last for an hour; the refresh token can be used to retrieve new ID tokens.

OK. But how? There is no mention of how to replace a refresh token with a new custom token. There is plenty of documentation on how to revoke refresh tokens...

However, there is a REST API function that says (https://firebase.google.com/docs/reference/rest/auth/#section-refresh-token):

Exchange a refresh token for an ID token. You can refresh a Firebase ID token by issuing an HTTP POST request to the securetoken.googleapis.com endpoint.

However, the access_token (JWT) obtained from this API call is not accepted. And the JWT formats are not even similar. Below are two samples of the (decoded) custom tokens retrieved: i. using the Admin SDK's admin.auth().createCustomToken(uid) method

{
  "uid": "9N5veUXXXXX7eHOLB4ilwFexQs42",
  "iat": 1521047461,
  "exp": 1521051061,
  "aud": "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit",
  "iss": "XXX@appspot.gserviceaccount.com",
  "sub": "XXX@appspot.gserviceaccount.com"
}

ii. from a call to https://securetoken.googleapis.com/v1/token?key=[API_KEY]

{
  "iss": "https://securetoken.google.com/XXX",
  "aud": "XXX",
  "auth_time": 1521047461,
  "user_id": "9N5veUXXXXX7eHOLB4ilwFexQs42",
  "sub": "9N5veUXXXXX7eHOLB4ilwFexQs42",
  "iat": 1521051719,
  "exp": 1521055319,
  "email": "jabbar@gmail.com",
  "email_verified": false,
  "firebase": {
    "identities": {
      "email": [
        "jabbar@gmail.com"
      ]
    },
    "sign_in_provider": "password"
  }
}

Many questions have been asked on this topic. Perhaps someone from the Firebase team can answer it once and for all. See the links below.

Thanks for your time!!
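As an added example (not part of the original question), the following Node.js script decodes the two token shapes shown above without verifying them, tells them apart by their claims, and checks expiry. The sample tokens are constructed from the decoded payloads above with a placeholder signature, and the project id "XXX" is taken from those samples. This only inspects claims: a backend must still verify an ID token's signature (for instance with the Admin SDK's admin.auth().verifyIdToken()) before trusting it, and a custom token presented by a client is never proof of authentication.

```javascript
// Added example: unverified decode + classification of Firebase JWTs.
// Signature verification is deliberately NOT done here.

const IDENTITY_TOOLKIT_AUD =
  'https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit';

// JWT segments are unpadded base64url; re-pad and map to standard base64.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Split a compact JWT and parse header and payload (no signature check).
function decodeJwtUnverified(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS: expected 3 segments');
  return {
    header: JSON.parse(base64UrlDecode(parts[0])),
    payload: JSON.parse(base64UrlDecode(parts[1])),
  };
}

// Classify by the claims each format carries (matching the samples in the question):
//  - custom token: aud is the Identity Toolkit URL, iss/sub is the service account, uid is set
//  - ID token:     iss is https://securetoken.google.com/<projectId>, aud is <projectId>
function classifyFirebaseToken(payload, projectId) {
  if (payload.aud === IDENTITY_TOOLKIT_AUD && typeof payload.uid === 'string') return 'custom';
  if (payload.iss === `https://securetoken.google.com/${projectId}` && payload.aud === projectId) return 'id';
  return 'unknown';
}

// exp is seconds since the epoch; a missing exp counts as expired.
function isExpired(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  return typeof payload.exp !== 'number' || payload.exp <= nowSeconds;
}

// Only an unexpired ID token for this project is a candidate for verification;
// a custom token only starts a session and is never accepted as an ID token.
function acceptableAsIdToken(token, projectId, nowSeconds) {
  const { payload } = decodeJwtUnverified(token);
  return classifyFirebaseToken(payload, projectId) === 'id' && !isExpired(payload, nowSeconds);
}

// --- constructed sample tokens (not real; placeholder signature segment) ---
function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function fakeJwt(payload) {
  return `${base64UrlEncode({ alg: 'RS256', typ: 'JWT' })}.${base64UrlEncode(payload)}.c2lnbmF0dXJl`;
}

const SAMPLE_CUSTOM = fakeJwt({ uid: '9N5veUXXXXX7eHOLB4ilwFexQs42', iat: 1521047461, exp: 1521051061,
  aud: IDENTITY_TOOLKIT_AUD, iss: 'XXX@appspot.gserviceaccount.com', sub: 'XXX@appspot.gserviceaccount.com' });
const SAMPLE_ID = fakeJwt({ iss: 'https://securetoken.google.com/XXX', aud: 'XXX', auth_time: 1521047461,
  user_id: '9N5veUXXXXX7eHOLB4ilwFexQs42', sub: '9N5veUXXXXX7eHOLB4ilwFexQs42', iat: 1521051719, exp: 1521055319 });

for (const t of [SAMPLE_CUSTOM, SAMPLE_ID]) {
  const { payload } = decodeJwtUnverified(t);
  console.log(classifyFirebaseToken(payload, 'XXX'), 'expired at iat:', isExpired(payload, payload.iat));
}
```

The check uses both iss and aud for the ID token so that a token minted for a different project is rejected as "unknown" even though its shape is otherwise right.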

2 Answers

  • 1

    You need to exchange the custom token for an ID token and a refresh token, which is described here. The call should include the custom token and the property "returnSecureToken" set to true. If this property is not added or is false, you only get an ID token.

    Once you have done that, you can use the refresh token to obtain a new ID token after it expires. See the documentation.

    Both custom tokens and ID tokens are short lived (1 hour) but serve different purposes, which is why the formats differ. You use the ID token to make authenticated calls, while the custom token is only used to start a session and obtain an ID token and refresh token.

    Keep in mind that if you are using the SDK, all of this is handled by the SDK.

  • 0

    You do not refresh an existing custom token; you create a new one and exchange it for access or refresh tokens. Here is how I do it in a working project I am currently working on.

    Generating a custom token from a Firebase Cloud Function

    Assuming you have your Firebase project and Cloud Functions for Firebase all set up.

    This is what the Cloud Functions index.ts file looks like:

    import * as functions from 'firebase-functions';
    import * as admin from "firebase-admin";
    
    // Start writing Firebase Functions
    // https://firebase.google.com/docs/functions/typescript
    
    export const getCustomToken = functions.https.onRequest((request, response) => {
      if (admin.apps.length < 1) {   // Checks if app already initialized
        admin.initializeApp();
      }
      const uid = "USER_UUID"; // hardcoded for the demo, e.g. GVvCdXAC1FeC4WYTefcHD8So3q41
    
      admin.auth().createCustomToken(uid)
        .then(function(customToken) {
          // Log only the uid; the token value itself is a credential
          console.log("Created custom token for uid", uid);
          response.send(customToken);
        })
        .catch(function(error) {
          console.log("Error creating custom token:", error);
          // Always answer the request, otherwise the caller hangs until the function times out
          response.status(500).send("Error creating custom token");
        });
    });
    

    The HTTP GET request looks like:

    https://us-central1-<ProjectID>.cloudfunctions.net/getCustomToken
    

    The response looks like:

    eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJodHRwczovL2lkZW50aXR5dG9vbGtpdC5nb29nbGVhcGlzLmNvbS9nb29nbGUuaWRlbnRpdHkuaWRlbnRpdHl0b29sa2l0LnYxLklkZW50aXR5VG9vbGtpdCIsImlhdCI6MTU0MTMwOTY3MiwiZXhwIjoxNTQxMzEzMjcyLCJpc3MiOiJlbWFsbC02OWU3MEBhcHBzcG90LmdzZXJ2aWNlYWNjb3VudC5jb20iLCJzdWIiOiJlbWFsbC02OWU3MEBhcHBzcG90LmdzZXJ2aWNlYWNjb3VudC5jb20iLCJ1aWQiOiJHVnZDZFhBQzFGZUMyV1lUZWZjSEQ4U28zcTQzIn0.hsazo6ELKbLHwPfP2d9rEykKXsBB1CdB1pCQKIVX8_Xo7tnJ0S80LQbE17ktOJ_FTr4MIllVjOLhS3kpWtKYX6Ju4kNMZ2ROLJz1bvwwgcw5unrRdQHEa3SLuyW1HvaOwKiDeYpTx2lwhZnkuBEvcoo1VcbllfYfFLIR_Y47eticONO572EL4GcIuw-RGRx1AXJR-rigRE3bj6_Ohc-PLIVXdH5v1z8fpctM2MA4NxoOZXsBDGH_ZW2Kn4NRBZYo_IT99VJU8Ypsbi_6eJguhDlbl5oWp5_NEEIEuZrN9oLaHL-PUvB8_h10lvQ6c5yP-aFKwC_EHaKBnkz7vXt8Gw
    

    If it is not enabled, you will most likely have to enable IAM (Identity and Access Management) and set up service account credentials. Check the Troubleshooting.

    Exchanging the custom token for refresh and access tokens

    The HTTP POST request looks like:

    https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyCustomToken?key=<Firebase Project Web API Key>
    

    The body looks like:

    {"token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJodHRwczovL2lkZW50aXR5dG9vbGtpdC5nb29nbGVhcGlzLmNvbS9nb29nbGUuaWRlbnRpdHkuaWRlbnRpdHl0b29sa2l0LnYxLklkZW50aXR5VG9vbGtpdCIsImlhdCI6MTU0MTMwOTY3MiwiZXhwIjoxNTQxMzEzMjcyLCJpc3MiOiJlbWFsbC02OWU3MEBhcHBzcG90LmdzZXJ2aWNlYWNjb3VudC5jb20iLCJzdWIiOiJlbWFsbC02OWU3MEBhcHBzcG90LmdzZXJ2aWNlYWNjb3VudC5jb20iLCJ1aWQiOiJHVnZDZFhBQzFGZUMyV1lUZWZjSEQ4U28zcTQzIn0.hsazo6ELKbLHwPfP2d9rEykKXsBB1CdB1pCQKIVX8_Xo7tnJ0S80LQbE17ktOJ_FTr4MIllVjOLhS3kpWtKYX6Ju4kNMZ2ROLJz1bvwwgcw5unrRdQHEa3SLuyW1HvaOwKiDeYpTx2lwhZnkuBEvcoo1VcbllfYfFLIR_Y47eticONO572EL4GcIuw-RGRx1AXJR-rigRE3bj6_Ohc-PLIVXdH5v1z8fpctM2MA4NxoOZXsBDGH_ZW2Kn4NRBZYo_IT99VJU8Ypsbi_6eJguhDlbl5oWp5_NEEIEuZrN9oLaHL-PUvB8_h10lvQ6c5yP-aFKwC_EHaKBnkz7vXt8Gw","returnSecureToken":true}
    

    The response looks like:

    {
        "kind": "identitytoolkit#VerifyCustomTokenResponse",
        "idToken": "eyJhbGciOiJSUzI1NiIsImtpZCI6Ijk4Njk0NWJmMWIwNDYxZjBiZDViNTRhZWQ0YzQ1ZWU0ODMzMjgxOWEiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL3NlY3VyZXRva2VuLmdvb2dsZS5jb20vZW1hbGwtNjllNzAiLCJhdWQiOiJlbWFsbC02OWU3MCIsImF1dGhfdGltZSI6MTU0MTMxMDkzOSwidXNlcl9pZCI6IkdWdkNkWEFDMUZlQzJXWVRlZmNIRDhTbzNxNDMiLCJzdWIiOiJHVnZDZFhBQzFGZUMyV1lUZWZjSEQ4U28zcTQzIiwiaWF0IjoxNTQxMzEwOTM5LCJleHAiOjE1NDEzMTQ1MzksImVtYWlsIjoiYUBhLmNvbSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwiZmlyZWJhc2UiOnsiaWRlbnRpdGllcyI6eyJlbWFpbCI6WyJhQGEuY29tIl19LCJzaWduX2luX3Byb3ZpZGVyIjoiY3VzdG9tIn19.KnMU0SHoMkMOwGBOfwnwMYCyFAGZycC1zA5pva47i4TylGdZyz-93h3KyWA_EYHGZtI29YWfarUG0-6K_sLORttMzKy3t9jBcvhgWN8G9zE8DHg0DuOeaDxDfKY8-W-CBgh8wiTSOfz-CRTT9spXoP_9PigdWFKiwmgP_vvOGStONFjUMh2hSNaRhHAj_0nlFxQuBsoP9eV3uGm1ycC3z8e5AHVbvE7VgIxK27OcKY4z9n1IrBADp9gxM6ESlOYE2y_bfP2i_WIv_4ZQ3fA0aeKhSjhO7AhKUVvZ8FphqzlHF_q966QIglLf9vkVVzQCo-9YdD9j_GRea88tj3P5PQ",
        "refreshToken": "AEXAG-dZJD0zYr-RehU4qXLDRwf1SueYHPeQv6WHQ-w3SW8oFPU27EwdcrBcRP1p4hbTMIjeTTOub9buL20c3dxQvjpCzI4gda73jhHhigLFq6LZGU_S0VXW-9_gG_Vrcx25g2SAiMEt3WuLlP5h0R4h6Eo_DeX2F15vGQMxqplqcOSNGptN-r0",
        "expiresIn": "3600",
        "isNewUser": false
    }
    

    Good luck,
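The sign-in and refresh flow described in both answers, as an added example that is not part of either answer: a small Node.js session holder that exchanges a custom token once via the verifyCustomToken endpoint (with returnSecureToken set to true), caches the ID token, and calls the securetoken.googleapis.com refresh endpoint (form-encoded grant_type=refresh_token) once the hour is up. The fetch implementation is injected so the flow can run offline against a constructed fake of the two endpoints included at the bottom; the fake's response shapes follow the responses quoted in the answers, and the tokens, API key and timestamps it uses are placeholders, not real values.

```javascript
// Added example: exchange a custom token once, then refresh the ID token.

const VERIFY_CUSTOM_TOKEN_URL =
  'https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyCustomToken';
const SECURE_TOKEN_URL = 'https://securetoken.googleapis.com/v1/token';
const EARLY_REFRESH_MS = 60 * 1000; // refresh a minute before exp, never right at it

class FirebaseSession {
  // fetchImpl: anything with fetch's (url, init) signature; now: clock in ms
  constructor(apiKey, fetchImpl, now = () => Date.now()) {
    this.apiKey = apiKey;
    this.fetch = fetchImpl;
    this.now = now;
    this.idToken = null;
    this.refreshToken = null;
    this.expiresAt = 0;
    this.refreshCount = 0;
  }

  async _post(url, contentType, body) {
    const res = await this.fetch(`${url}?key=${encodeURIComponent(this.apiKey)}`,
      { method: 'POST', headers: { 'Content-Type': contentType }, body });
    const json = await res.json();
    if (!res.ok) throw new Error(`${url} -> ${res.status}: ${JSON.stringify(json)}`);
    return json;
  }

  // Step 1: the custom token is consumed here and never stored or reused.
  async signInWithCustomToken(customToken) {
    const r = await this._post(VERIFY_CUSTOM_TOKEN_URL, 'application/json',
      JSON.stringify({ token: customToken, returnSecureToken: true }));
    this._store(r.idToken, r.refreshToken, Number(r.expiresIn));
  }

  // Step 2: the securetoken endpoint takes form-encoded grant_type/refresh_token
  // and answers with snake_case fields (id_token, refresh_token, expires_in).
  async refresh() {
    if (!this.refreshToken) throw new Error('no refresh token: sign in with returnSecureToken: true');
    const form = new URLSearchParams({ grant_type: 'refresh_token', refresh_token: this.refreshToken });
    const r = await this._post(SECURE_TOKEN_URL, 'application/x-www-form-urlencoded', form.toString());
    this.refreshCount += 1;
    this._store(r.id_token, r.refresh_token, Number(r.expires_in));
  }

  _store(idToken, refreshToken, expiresInSeconds) {
    this.idToken = idToken;
    this.refreshToken = refreshToken;
    this.expiresAt = this.now() + expiresInSeconds * 1000 - EARLY_REFRESH_MS;
  }

  // Callers use this before every authenticated request.
  async getIdToken() {
    if (!this.idToken) throw new Error('not signed in');
    if (this.now() >= this.expiresAt) await this.refresh();
    return this.idToken;
  }
}

// --- constructed fake of the two endpoints (placeholder tokens, not real JWTs) ---
function makeFakeFetch() {
  let counter = 0;
  const issue = (prefix) => `${prefix}-${++counter}`;
  const reply = (status, body) => ({ ok: status === 200, status, json: async () => body });
  return async (url, init) => {
    if (url.startsWith(VERIFY_CUSTOM_TOKEN_URL)) {
      const { token, returnSecureToken } = JSON.parse(init.body);
      if (token !== 'CUSTOM_TOKEN_PLACEHOLDER') return reply(400, { error: { message: 'INVALID_CUSTOM_TOKEN' } });
      const body = { kind: 'identitytoolkit#VerifyCustomTokenResponse', idToken: issue('id'), expiresIn: '3600', isNewUser: false };
      if (returnSecureToken) body.refreshToken = issue('refresh'); // absent otherwise, as the first answer notes
      return reply(200, body);
    }
    if (url.startsWith(SECURE_TOKEN_URL)) {
      const p = new URLSearchParams(init.body);
      if (p.get('grant_type') !== 'refresh_token' || !p.get('refresh_token')) {
        return reply(400, { error: { message: 'MISSING_REFRESH_TOKEN' } });
      }
      return reply(200, { id_token: issue('id'), refresh_token: issue('refresh'), expires_in: '3600', token_type: 'Bearer' });
    }
    return reply(404, { error: { message: 'unknown endpoint' } });
  };
}

// Drive the flow on a fake clock: sign in, use the token, jump an hour ahead, refresh.
async function demo() {
  let clock = 1541310939000; // constructed start time in ms
  const session = new FirebaseSession('WEB_API_KEY_PLACEHOLDER', makeFakeFetch(), () => clock);
  await session.signInWithCustomToken('CUSTOM_TOKEN_PLACEHOLDER');
  const first = await session.getIdToken();
  clock += 3600 * 1000; // one hour later: the cached ID token is past its expiry
  const second = await session.getIdToken();
  return { first, second, refreshes: session.refreshCount };
}

demo().then((r) => console.log(r));
```

With the real global fetch passed in instead of makeFakeFetch(), the same class talks to the two real endpoints listed in the answers; the only state that persists across the hour is the refresh token, which is exactly why there is nothing to "refresh" about the custom token itself.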
