

How to sign out the user via admin SDK? (make the auth === null)

When the user's ID token is revoked, the information should be passed to the client for actions like reauthentication or user signOut().

On the client we can call FirebaseAuth.DefaultInstance.SignOut. How can we achieve the same effect with the admin SDK?

Is there a way to sign out the user via the admin SDK (make the auth === null)?

A 'hacker' could alter the client code and prevent the app from signing out or reauthenticating. I know I can check whether the token was revoked with the admin SDK and Firebase rules, but it would be much easier to check only whether the auth is null. Or is my thinking wrong, since the 'hacker' got the ID token once and can send requests with these credentials anyway, even after the client app called FirebaseAuth.DefaultInstance.SignOut?

Is there a way to sign out the user via admin SDK?

The Admin SDK provides a way to revoke a user's refresh token. This does not immediately sign the user out, since the user has a non-revocable ID token which is valid for an hour.

If you want to immediately make backend resources unavailable to the client whose token you revoked, you can write their state to the database when you revoke the token, and then access that from your security rules. There is no simpler way to block them instantly. Also see Five tips to secure your app, which covers this and other security topics.

A 'hacker' could alter the client code and prevent the app from sign out or reauthentication

The client's authentication state is based on an ID token that is valid for an hour after it's been minted. The client cannot extend the token beyond that. To get a new ID token it will have to call the authentication server, which will fail after its refresh token has been revoked.

Signing the user out on a client makes that client forget the tokens for that user. The ID token would still be valid, but nobody will know about it. Keep in mind: all traffic between the app and the servers is sent over (end-to-end encrypted) HTTPS connections. This means a man-in-the-middle attack is only possible if somebody is able to decrypt this traffic, which requires that they have access to the certificate. For a better explanation see Does https prevent man in the middle attacks by proxy server?
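The revoke-and-record flow the answer describes, as an added example that is not part of the question or the answer. It is written against the firebase-admin Node API surface (auth.revokeRefreshTokens, auth.getUser, auth.verifyIdToken with checkRevoked set), but the auth and database clients are injected so the logic runs offline with the constructed in-memory fakes at the bottom; the database path metadata/{uid}/revokeTime, the user ID and the timestamps are assumptions, and the ID tokens here are plain claim objects rather than signed JWTs.

```javascript
// Added example, not code from the question or the answer. Shows why revoking
// the refresh token alone is not enough (the ID token stays valid until exp)
// and how recording the cutoff lets a security rule reject it at once.
// Assumed: metadata/{uid}/revokeTime path, uid 'alice', the timestamps.

// Cutoff (seconds since epoch): a token whose auth_time is below this was
// minted before revocation. UserRecord.tokensValidAfterTime is a UTC string.
function validAfterSeconds(userRecord) {
  return userRecord.tokensValidAfterTime
    ? Math.floor(new Date(userRecord.tokensValidAfterTime).getTime() / 1000)
    : 0;
}

// Revoke the refresh token, read back the cutoff the SDK recorded, and store it
// where security rules can see it, so the still-valid ID token is rejected
// immediately instead of at its one-hour expiry.
async function revokeAndRecord(auth, db, uid) {
  await auth.revokeRefreshTokens(uid);
  const user = await auth.getUser(uid);
  const validAfter = validAfterSeconds(user);
  await db.ref(`metadata/${uid}/revokeTime`).set(validAfter);
  return validAfter;
}

// Backend check with checkRevoked=true: the Admin SDK looks up the user record
// and rejects tokens whose auth_time predates tokensValidAfterTime. Returns the
// decoded claims, or null when verification fails (expired, revoked, invalid).
async function checkToken(auth, idToken) {
  try {
    return await auth.verifyIdToken(idToken, true);
  } catch (err) {
    return null;
  }
}

// The comparison a Realtime Database rule makes against the stored cutoff,
// e.g. (assumed rule text, same shape as the Firebase docs' example):
//   ".read": "auth != null && (!root.child('metadata/' + auth.uid + '/revokeTime').exists()
//             || auth.token.auth_time >= root.child('metadata/' + auth.uid + '/revokeTime').val())"
// auth_time is in seconds; a token minted at or after the cutoff passes, which
// matches the Admin SDK's own revocation check.
function isAllowedByRule(decodedToken, revokeTime) {
  return revokeTime == null || decodedToken.auth_time >= revokeTime;
}

// Constructed in-memory stand-ins for admin.auth() and admin.database().
function makeFakes(nowSeconds) {
  const users = {};
  const store = {};
  const auth = {
    async revokeRefreshTokens(uid) {
      users[uid] = { uid, tokensValidAfterTime: new Date(nowSeconds * 1000).toUTCString() };
    },
    async getUser(uid) {
      return users[uid] || { uid, tokensValidAfterTime: undefined };
    },
    async verifyIdToken(claims, checkRevoked) {
      if (claims.exp < nowSeconds) throw new Error('auth/id-token-expired');
      if (checkRevoked && users[claims.uid] &&
          claims.auth_time < validAfterSeconds(users[claims.uid])) {
        throw new Error('auth/id-token-revoked');
      }
      return claims;
    },
  };
  const db = {
    ref(path) {
      return { async set(value) { store[path] = value; } };
    },
  };
  return { auth, db, store };
}

// The scenario from the question: a client holds an unexpired ID token after
// its refresh token has been revoked.
async function demo() {
  const now = 1700000000; // constructed "current" time in seconds
  const uid = 'alice';
  const { auth, db, store } = makeFakes(now);
  const oldToken = { uid, auth_time: now - 600, exp: now + 3000 };

  const acceptedBefore = (await checkToken(auth, oldToken)) !== null;
  const revokeTime = await revokeAndRecord(auth, db, uid);
  const acceptedAfter = (await checkToken(auth, oldToken)) !== null;
  const ruleAllowsOld = isAllowedByRule(oldToken, store[`metadata/${uid}/revokeTime`]);

  // After the user re-authenticates, the new token's auth_time is past the cutoff.
  const newToken = { uid, auth_time: now + 5, exp: now + 3605 };
  const ruleAllowsNew = isAllowedByRule(newToken, revokeTime);

  return { acceptedBefore, acceptedAfter, ruleAllowsOld, ruleAllowsNew, revokeTime };
}

demo().then((result) => console.log(result));
```

Without checkRevoked (or without the rule) the old token is accepted for its remaining lifetime, which is exactly the window the question worries about; the only way to close it is a server-side lookup on every request, either the Admin SDK's user-record fetch or the rule's database read.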

