firebase-admin-node [FR] auth: Allow expiry to be specified in .createCustomToken

Is your feature request related to a problem? Please describe.

It would be good if you could specify the duration of time you would like the login token to be valid for. For our use at least, the result of .createCustomToken is mostly used immediately after being provided to the client, so we'd like to have a very short expiry time.

Describe the solution you'd like

Update .createCustomToken or a new method .createCustomTokenWithOptions that takes an expiry.

Describe alternatives you've considered

Using the details from create custom tokens using a third-party JWT library, but this seems a bit redundant when the SDK is so close to providing what is needed.

Sep 02 '20 07:09 rhodgkins

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

Sep 02 '20 07:09 google-oss-bot

I realise this API change will probably need to go through the API council or something like firebase-tools does, but going to start a PR off for this anyway, going with the .createCustomTokenWithOptions for now...

Sep 02 '20 07:09 rhodgkins

+1 Good and needed idea

Nov 05 '20 19:11 felansu

@bojeil-google this is really a product decision. WDYT? Should we expose an option to make the expiry time configurable?

May 21 '21 23:05 hiranya911

Ok, I checked with some folks. I think we can allow a range from [5min, 1hour] with 1 hour being the default. 1 hour is the maximum allowed on our backend token verifier. I suggest setting 5min as the lower limit to take into account clock skew issues, but in theory we can go down lower.

May 21 '21 23:05 bojeil-google

@bojeil-google do you want to start an API proposal or something for this?

Jul 16 '21 20:07 hiranya911

@lsirac has some bandwidth to work on the API proposal this quarter. Hey @lsirac, basically we need to update these APIs to accept an additional optional duration. We can allow a range from [5min, 1hour] with 1 hour being the default. Anything beyond 1 hour will be rejected by our backend anyway and anything less than 5mins could be subject to clock skews.

Jul 16 '21 23:07 bojeil-google

@bojeil-google if it helps I've rebased by original PR #1017 to fix any conflicts (its almost been a year, but luckily there weren't many!) and also set the minimum expiry to 5 mins as per your comment.

Hopefully it might be of some eventual use...!

Jul 22 '21 13:07 rhodgkins

No chance we can have the 1 hour max increased?

Jul 27 '21 20:07 alexcastillo

No chance we can have the 1 hour max increased?

Yeah, the internal service we use only allows 1 hour max and they are unlikely to change it. I would also agree with that from a security perspective.

Jul 27 '21 20:07 bojeil-google

Understood. Do you have any advice on implementing apiKey-like auth since custom tokens don't seem to be a good fit for this use case?

Jul 27 '21 20:07 alexcastillo

@alexcastillo did you ever figure out how to implement apiKey-like auth with FIrebase? This is something I'm curious about as well.

Oct 05 '22 01:10 davinchia

I ended up implementing a custom OAuth workflow with the help of this library:

https://github.com/chrisvxd/oauth2-firebase-auth

Plus additional work, which you can find in this pull request:

https://github.com/chrisvxd/oauth2-firebase-auth/pull/4

Good luck.

Oct 10 '22 22:10 alexcastillo

@bojeil-google any updates on the internal review?

Oct 19 '22 09:10 IchordeDionysos

any updates on this, would be really useful :) thanks!

Nov 28 '22 04:11 jeremyrajan

FIY: @prameshj @renkelvin

Dec 05 '22 16:12 lahirumaramba

Come on, someone check the buganizer (or whatever y'all are using now) and tell the community. We need the ability to extend the custom tokens beyond an hour.

Jan 14 '23 15:01 georgeportillo

Having the same issue

I am trying to implement CI/CD workflow based on my login credentials with firebase.

The feature actually is not simple to implement from google side.

When we generate token without expire we should invalidate somewhere in some moment so there should be a list of created custom tokens without expire date.
We should be able to revoke these tokens probably from a user interface in firebase cli

In addition to these things firebase team need to introduce a scope to these tokens in order to have only access to a specific parts of the system like IAM roles in AWS for example. Accept everything else we need to do a little changes to our auth layer in the backend in order to understand the scope of the generated token since if it is coming from the same account and this custom token leaks the intruder will be able to interact and mimic like the issue account in our applications.

So i am probably assuming that these feature will not be introduced unless firebase create OAuth like service where we could define our Scope and custom tokens.

The same problem appears to be happening if we want to create a Single Sign On button from our website

For example "Login with MyWebsite" in order to do that we need to be able to create OAuth redirect to a particular website and create token which will then be used in third party app for signing in with "Login with MyWebsite" button.

I am thinking that this will not land even in 5+ years in firebase so we need to find different solution to our usecase.

If you have any recommendations i would love to read them!

Cheers guys !

Jan 25 '23 21:01 Stradivario

I am trying to implement CI/CD workflow based on my login credentials with firebase. I'm not sure if you are correct in this issue.

This is about end-user authentication, if you want to automate your deployments, e.g. with Cloud Build or CircleCI, look into service account credentials, which are exactly for that use-case to authenticate against Google servers. You can assign IAM roles to your service accounts.

firebase-admin-node firebase-admin-node copied to clipboard

[FR] auth: Allow expiry to be specified in .createCustomToken

firebase-admin-node
firebase-admin-node copied to clipboard