Is there a way to keep firebase authenticated person across subdomains

I am using Firebase to authenticate users on my website, and I want an active user session to remain active on subdomains.

Unfortunately, Firebase uses local storage to store the user's session, and that storage is separate for each subdomain.

I already know that you can generate a JWT using Firebase from the server side, but that prevents the user from logging out, because the user will still be logged in on the other subdomains.

+4




3 answers


That is right. Firebase only supports single-host sessions. Firebase Auth is looking into cookie support. There is no easy solution for this yet. Remember to request this feature on the Firebase forum: https://groups.google.com/forum/#!forum/firebase-talk

For now, if you really need it, here is one of the relatively simple options: create an endpoint that accepts a Firebase ID token and basically returns a custom token for the same user (you will need to use the Admin SDK for this: verify the ID token, get the user ID and then mint a custom token). The subdomain the user is signed in to passes the ID token to another subdomain where the user is not yet authenticated (you can use a cross-origin iframe with postMessage to pass it, or just store that ID token in a *.domain.com cookie). That subdomain can then use the returned custom token with signInWithCustomToken, effectively signing in the same user on that page.

This is risky, though, as the endpoint may expose a vulnerability (it converts a short-lived token into an indefinite one). If the ID token is leaked, an attacker could sign in as the user using that endpoint.

+3




The iframe approach no longer works in Safari, because it no longer allows the iframe's source page to access its own IndexedDB. This means that you cannot get a token and onAuthStateChanged always returns null.

We have implemented another solution where we store the user's token in a secure cookie along with the redirect information, redirect the user to the other domain, use the cookie to sign the user in or out, delete the cookie, and redirect the user to the location stored in the cookie.



  1. Sign in
  2. Get the user's token
  3. Set a cookie with action "signIn" or "signOut", redirectUrl and token (if signing in)
  4. Redirect to the other page
  5. Sign in or sign out
  6. Delete the cookie
  7. Redirect to redirectUrl

This works again for iOS and desktop Safari. But it only works on the same domain, so that both subdomains have access to that cookie.

+3



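The cookie hand-off from the answer above (steps 3 to 7), as an added example that is not the answer's own code. It is written as pure functions over the cookie string so it runs outside a browser: `buildHandoffCookie` produces the value a page on one subdomain assigns to `document.cookie` before redirecting, and `consumeHandoff` is what the receiving subdomain runs on arrival. The cookie name `fb_handoff`, the parent domain `domain.com`, and the `signIn`/`signOut` hooks (which would wrap `signInWithCustomToken` and `signOut` of the Firebase SDK, since the Firebase client can only sign in with a custom token, not an ID token) are assumptions. The check a practitioner would add is on `redirectUrl`: a value read back from a cookie that any page on any subdomain can write must not become an open redirect.

```javascript
// Added example, not code from the answer above: the cookie-based hand-off between
// subdomains, with validation of the redirect target read back from the cookie.
const HANDOFF_COOKIE = 'fb_handoff';   // hypothetical cookie name
const PARENT_DOMAIN = 'domain.com';    // assumed registrable domain shared by the subdomains
const COOKIE_ATTRS = `Domain=${PARENT_DOMAIN}; Path=/; Secure; SameSite=Lax`;

// Step 3: build the cookie string to assign to document.cookie before redirecting.
// Domain=domain.com makes it readable on every subdomain; Max-Age keeps the token short-lived.
function buildHandoffCookie({ action, redirectUrl, token }) {
  if (action !== 'signIn' && action !== 'signOut') throw new Error('unknown action');
  if (action === 'signIn' && typeof token !== 'string') throw new Error('signIn needs a token');
  const payload = action === 'signIn' ? { action, redirectUrl, token } : { action, redirectUrl };
  return `${HANDOFF_COOKIE}=${encodeURIComponent(JSON.stringify(payload))}; Max-Age=60; ${COOKIE_ATTRS}`;
}

function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i < 0) continue;
    out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Only https URLs on the parent domain or one of its subdomains are acceptable targets.
function isSafeRedirect(url) {
  let u;
  try { u = new URL(url); } catch { return false; }
  if (u.protocol !== 'https:') return false;
  return u.hostname === PARENT_DOMAIN || u.hostname.endsWith('.' + PARENT_DOMAIN);
}

// Steps 5 to 7, run on the receiving subdomain with document.cookie as input.
// Returns the cookie string that deletes the hand-off cookie and where to redirect next.
function consumeHandoff(cookieHeader, { signIn, signOut }) {
  const clearCookie = `${HANDOFF_COOKIE}=; Max-Age=0; ${COOKIE_ATTRS}`;
  const raw = parseCookies(cookieHeader)[HANDOFF_COOKIE];
  if (raw === undefined) return { handled: false };
  let payload = null;
  try { payload = JSON.parse(decodeURIComponent(raw)); } catch { /* malformed: fall through */ }
  if (!payload || !isSafeRedirect(payload.redirectUrl)) return { handled: false, clearCookie };
  if (payload.action === 'signIn' && typeof payload.token === 'string') {
    signIn(payload.token);
  } else if (payload.action === 'signOut') {
    signOut();
  } else {
    return { handled: false, clearCookie };
  }
  return { handled: true, clearCookie, redirectTo: payload.redirectUrl };
}
```

In the browser the sending page does `document.cookie = buildHandoffCookie({...}); location.assign('https://app2.domain.com/handoff')`, and the receiving page does `const r = consumeHandoff(document.cookie, hooks); document.cookie = r.clearCookie; if (r.handled) location.replace(r.redirectTo)`. A cookie set from JavaScript cannot be `HttpOnly`, so the token is readable by any script on any subdomain for up to `Max-Age` seconds; that is the trade-off this approach makes.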

After spending much more time than I intended to make SSO work across subdomains, I wrote a blog post detailing how to achieve this.

As a high-level overview (which ignores important security details):

  1. We have three applications on different subdomains:
    • accounts.domain.com
    • app1.domain.com
    • app2.domain.com
  2. We have three Firebase functions:
    • ...cloudfunctions.net/users-signin
    • ...cloudfunctions.net/users-checkAuthStatus
    • ...cloudfunctions.net/users-signout

To sign in:

  1. Someone goes to the accounts.domain.com application.
  2. They provide their credentials.
  3. This authentication information is sent to our cloud function /users-signin, which validates the information and, if valid, sets a signed cookie __session that contains the user's UID and returns an indication of success to the client.
  4. If successful, the client calls the cloud function /users-checkAuthStatus, which looks for the signed __session cookie, retrieves the user's UID, and uses the UID and the firebase-admin SDK to generate a custom auth token, which it returns to the client.
  5. When the client receives this custom auth token, it uses it to sign in using the Firebase JavaScript SDK.
  6. When someone navigates to one of the other apps, for example app1.domain.com, the app first checks whether the person is signed in using the Firebase JavaScript SDK.
    1. If so, cool.
    2. Otherwise, it calls the cloud function /users-checkAuthStatus, which looks for the signed __session cookie and returns a custom auth token to the client if a valid __session cookie is found.
      • If a custom auth token is returned, the client uses it to sign in using the Firebase SDK.
      • If no custom auth token is returned, it means the user is not authenticated. You can then optionally redirect them to the accounts app to sign in.

Again, this is a general overview and ignores issues such as cross-site scripting attacks, actual sign-out, etc. Check out the blog post for more information.

+1








