Firebase currentUser.getIdToken() 在 signInWithCustomToken 之后返回自定义令牌

Question

I'm debugging session timeout issues on a Next.js WEB/Node app that uses Firebase Auth for sign in. I am leveraging custom tokens for granular firestore security rules.While debugging, I'm finding that the idToken I send to the backend to create the custom token appears to be a custom token itself after the initial client call. At the very least it contains my custom claims and so far as I understand from the docs, the server can only deal with idTokens as per the glaring red notice at https://firebase.google.com/docs/auth/admin/verify-id-tokens . I don't know if this is the source of the timeout errors, but it seems peculiar.

Update

While investigating why the picture field was not present on the decoded tokens, I discovered that the first argument to createCustomToken was incorrectly the firestore doc id of the user collection doc rather than the id token's uid field. All the same clarifying questions apply still. However, I'm hoping this misstep addresses things. It made the picture field return on the subsequent decodings of the token. However, the token still has my custom claims which may or may not be an issue still.

Initial Login

Web Client code

signInResult = await firebase.auth().signInWithPopup(googleProvider);
//... exception handling ...
const { user } = signInResult;
const fbToken = await user.getIdToken();
// axios POST request to backend with fbToken in data payload

Backend Code using FB Admin client

decodedToken = await adminClient.auth().verifyIdToken(data.fbIdToken);
//... validation and exception handling ...
// . If I log out decodedToken:
{ name: 'Blaine Garrett',
  picture: '...',
  iss: '...',
  aud: '...',
  auth_time: 1569160850,
  user_id: '...',
  sub: '...',
  iat: 1569160850,
  exp: 1569164450,
  email: '...',
  email_verified: true,
  firebase:
   { identities: { 'google.com': [Array], email: [Array] },
     sign_in_provider: 'google.com' },
  uid: '...' }
{ issued: 2019-09-22T14:00:50.000Z,
  expires: 2019-09-22T15:00:50.000Z }


let userId = decodedToken.uid; // As per update, this was not the case originally

// Build custom claims
customToken = await adminClient.auth().createCustomToken(userId, additionalClaims);
// return customToken in a 200 response

On the client in the response from server

...
await firebase.auth().signInWithCustomToken(customToken);
...

Subsequent Calls If I then call const firebaseIdToken = await firebase.auth().currentUser.getIdToken(); after the above signInWithCustomToken and send that result to the backend and log the token, the decoded token is:

{ email: '...',
  user_roles: [ 'admin', 'support' ], // <-- my custom claims
  iss: '...',
  aud: '...',
  auth_time: 1569161153,
  user_id: '...',
  sub: '...',
  iat: 1569161163,
  exp: 1569164763,
  firebase: { identities: {}, sign_in_provider: 'custom' },
  uid: '...' }
{ issued: 2019-09-22T14:06:03.000Z,
  expires: 2019-09-22T15:06:03.000Z }
// Note: not everything is present on this token, including `picture` property and `email_verified`, etc

So even though I call currentUser.getIdToken() on the client, it appears to be my custom token - or at least have my custom claims and some of the original id token fields missing.

1. Is that expected behavior? ie getIdToken will return the custom token if signInWithCustomToken was previously called.

2. Is it valid to attempt to use verifyIdToken on the server if the given token is a custom token?

3. Is that actually a customToken or does FB just preserve the claims. (the missing profile field confuses me).

4. Is there a way to differentiate a custom token from an idToken?

5. Per update above What's the purpose of being able to send any arbitrary value for the first argument of createCustomToken? eg. I passed asdf and the token was minted fine and subsequently decoded fine. Would this have an effect of session timeout?

Thanks for any insight. Again, I don't know if this is the source of my timeout issues, but I ran across this trying to debug and it made me question my understanding of the documentation.

Answer 1

When you add custom claims to a Firebase Authentication user account, they are not immediately "visible" to the client until their ID token refreshes somehow. This behavior is documented :

After new claims are modified on a user via the Admin SDK, they are propagated to an authenticated user on the client side via the ID token in the following ways:

• A user signs in or re-authenticates after the custom claims are modified. The ID token issued as a result will contain the latest claims.
• An existing user session gets its ID token refreshed after an older token expires.
• An ID token is force refreshed by calling currentUser.getIdToken(true).

So, if you need the client to immediately start using new claims, you should force a refresh using the third bullet point. Pass true to getIdToken.

Answer 2

Ultimately, the answer is to not use custom tokens merely to add custom claims for your firebase rules. They are completely different concepts.

Custom tokens are to implement an unsupported auth provider in addition to those Fb supports - ie Google, Microsoft, etc. Custom claims are key/val pairs you can leverage in your security rules and via the claims property on the user.getIdTokenResult() object in the client.

The timeout issue I was debugging was due to trying to re-use the custom token, which doesn't need to be refreshed because it's not what is is for. getIdToken() returns the Id token encoded with any claims that were on the original custom token when it was minted.