swift firebase auth user write into database expired, but it still shows user logged in. According to this question of stackflow, it is saying that the token that allows the user to access the Firebase back-end. This token is based on the previous token, is valid for an hour, and is automatically created and refreshed by the Firebase SDKs.
Is it possible to keep the token that allows the user to access the Firebase back-end for 2 weeks or longer?
Related
When I debug my Facebook user access token I see two expiration dates (Expires and Data Access Expires) as you can see here:
according to this link, token should expire 60 days after the last use but I'm seeing never and I don't know why! also when I exchange the user access token via this API, Data Access Expires does not change and I still get the same Data Access token Expires. My Facebook App is in development mode and I don't pass App Review yet. Also, I don't use FacebookSDK. do you know why I get never expires and why after exchanging the User Access token, Data access Expires doesn't extend?
I am using https://rnfirebase.io/ for react native application. I am successfully able to log in the user using Facebook Login.
My question is, once I have logged in the user using facebook, and then I am deleting the app from my facebook profile that gave permissions to firebase, the firebase is still authenticating me.
So, in this way, I will always be authenticated until I signout? Is this correct? or should I request for fresh Access Tokens ?
Here is the code I am using to check if the user is logged in
_bootStrap = () => {
let route = Home;
firebase.auth().onAuthStateChanged(user => {
saveDataInAsyncStorage('userLoginInfo', user);
this._navigate(route, result);
});
}
Once your client app get a valid ID token from Firebase Authentication, it remains valid for one hour after it was issued, even if you do something to disable the user. The user will be able to use that token to gain access to resources in Firebase until it expires. At that point, the client SDK will attempt to refresh the token. If the account is disabled in some way, the refresh will fail, the the previous token will no longer have the access it once had.
So, you will have to wait at least an hour for that user to be rejected by things like Firebase security rules and Firebase Admin token validation.
I am completely new to Flutter/Dart so pardon my lack of knowledge.
I am trying to set up a login page in my app. I would like to use Firebase Auth as it supports a wide range of authentication options. However, I want to start with Facebook for which I am using the following different dart plugin
https://pub.dev/packages/flutter_facebook_login
I don't think the official flutter plugin for Firebase auth does not support Facebook login yet. My plan is to somehow combine the two to get the following
Use the flutter_facebook_login plugin to perform the login using facebook and get facebook access token
Pass the facebook access token to Firebase Auth to register a user from a custom token
However, when I pass FB access token to Firebase Auth, I get an error that the access token is malformed. Has anyone done this before?
I want to use Firebase Auth to persist the user's login session as long as possible and when the access token runs out use the refresh token to get a new access token. This will essentially mean that once the user logs in using Facebook, they will be permanently logged into my app.
I'm using OAuth as:
a secondary method to sign users into my web application (rather than manually providing their name, email and password)
a way to receive to receive user data throughout the website.
What would be considered best practice when storing access tokens? I have two options:
Store access tokens in cookies
Store access tokens in a database
What are the advantages and disadvantages of either choice?
Regarding token expirations, what should be done to handle this?
One way I know I could handle this is by checking whether there was an error when calling the API and so requesting a new token and then calling the API again. However when requesting a new token, will I require the user to sign back in again? I would imagine this would be a problem when a page on my website requires data from Facebook, but to retrieve it, users have to log back in.
I don't understand how other websites manage to maintain access to Facebook, Google or Twitter APIs without requiring me to log back in again, especially when I'm on another device where I haven't once logged in to Facebook, Twitter or Google. How do they do this? Thanks.
If authentication is done using Google OAuth2.0. Google provides two tokens namely, Access Token and Refresh Token.
Access tokens have limited lifetime for 3600 seconds , but refresh tokens are valid for longer period of time.
Refresh token also expire. Read "Token expiration" section of the Google OAuth2.0 link
One can obtain new access token from refresh token without re-login. ReST api
So, one can have logic implemented to check for time elapsed after access token was generated and take precautionary steps for new access token generation.
Google tokens expire in 3600 seconds, so one can get access token say after every 3500 seconds and update the older access token stored with new one for further use. Also one other way could be, to set refresh token in GoogleCredential which is passed as parameter(httpRequestInitializer) while creating the service of any api.(For example look for Drive.Builder)
If you are not storing refresh token from which access token can be regenerated, you have to authenticate again to get new token.
Our app already implements oAuth to obtain the access token and secret from Intuit, and all works well.
The app takes into account that users may have multiple QBO companies. Consequently, when a user tries to authorize access to one company, our app checks whether this company has been already authorized, and if it has, the app lets the user know so and does not try to re-authorize the company.
The way we implemented this is as follows. When the authorization process starts, we send or app the list of companies (realm ID) which have been authorized. The user clicks the "Connect to QuickBooks" button and follows the wizard. Internally the app gets the request token and it is ready to make the access token request. The request token request gets us the realm ID so we can compare it with the list of already authorized companies. If the company has been authorized we do not request the access token and let the user know that the company has already been authorized.
Up until a week ago this used to work -i.e. in this case, because the app does not make a request for the access token, the access token the app has is still valid. However, now something seems to have changed so that when the app makes gets the request token, even though it does not ask for the access token, the existing access token is not valid anymore and the user need to re-authorize the company again.
Has something changed in the oAuth flow implementation ?
Thanks
OAuth tokens are valid for 180 days(bydefault). So, please check if existing tokens are getting more than 180 days old. If so, please use 'reconnect api'.
Ref - https://developer.intuit.com/v2/docs/0050_quickbooks_api/0020_authentication_and_authorization/oauth_management_api#Reconnect
One suggestion -
You can implement SSO( using 'sign in with intuit' wizard) in you app. That way you can relate end-user's SSO URL with OAuth tokens of his company while persisting those in your app's db. For the very first time, end user will generate tokens through C2QB flow. Next time onwards whenever the end user will sign in, your app should retrieve his oauth tokens using his SSO identifier(your app should show 'Disconnect' option instead of C2QB if he already has an established connection).
Thanks