8

According to Firebase documentation, a refresh token is only for advanced scenarios that require explicitly refreshing tokens.

In which cases should I use that token, and what are the advantages of using it?

private afAuth: AngularFireAuth

this.afAuth.auth.currentUser.getIdToken()
.then(idToken => // Gives me a different token from key name called pa);

Also, I'm not sure the difference between refreshToken and the returned token from getIdToken(). Currently, I'm using the latter for HTTP requests.

Note: getIdToken returns a JWT token used to identify the user to a Firebase service.

JeffMinsungKim
  • 1,940
  • 7
  • 27
  • 50

1 Answers1

6

Refreshtoken:

A refresh token for the user account. Use only for advanced scenarios that require explicitly refreshing tokens.

GetIdToken:

Returns a JWT token used to identify the user to a Firebase service. Returns the current token if it has not expired, otherwise this will refresh the token and return a new one.

The refreshtoken is used in the following situations:

The current user's access token is refreshed. This case can happen in the following conditions:

  1. The access token expires: this is a common situation. The refresh token is used to get a new valid set of tokens.

  2. The user changes their password: Firebase issues new access and refresh tokens and renders the old tokens expired. This automatically expires the user's token and/or signs out the user on every device, for security reasons.

  3. The user re-authenticates: some actions require that the user's credentials are recently issued; such actions include deleting an account, setting a primary email address, and changing a password. Instead of signing out the user and then signing in the user again, get new credentials from the user, and pass the new credentials to the reauthenticate method of the User object.

more info here: https://firebase.google.com/docs/auth/users

Gowthaman M
  • 8,057
  • 8
  • 35
  • 54
Peter Haddad
  • 78,874
  • 25
  • 140
  • 134
  • Thanks for the response. What's the correlation between `refreshToken` and `onTokenRefresh()`? I don't get it. And I believe `getToken()` is deprecated. – JeffMinsungKim Feb 03 '18 at 16:23
  • I have updated the answer, @JeffMinsungKim the other one was completely wrong, I thought you were talking about another token. – Peter Haddad Feb 03 '18 at 16:43
  • Thanks, Peter. I knew you were talking about something different! Now everything makes sense :) So I don't really have to use `refreshToken` in my code? Does firebase take care of the token? Or am I still missing something out? – JeffMinsungKim Feb 03 '18 at 16:54
  • yes according to what I searched now the getIdToken() it will give you the refreshed token so there is no need to use `refreshToken` (https://stackoverflow.com/questions/38233687/how-to-use-the-firebase-refreshtoken-to-reauthenticate/38233818#38233818) Yes according to this link(https://firebase.google.com/docs/auth/users) it seems firebase takes care of the token – Peter Haddad Feb 03 '18 at 16:56
  • 1
    Awesome! Thanks again Peter. Helped me a lot :) – JeffMinsungKim Feb 03 '18 at 17:00