7

Early into Firebase docs and really liking it so far. Being n00b, a conceptual question here - is the (JWT) token generated by Firebase authentication accessible client-side?

I'm looking to call some external service and want to leverage JWT as the security mechanism. So:

  • authenticate user using Firebase built-in providers (purely client side)
  • obtain Firebase JWT (my question)
  • pass this JWT as/whenever needed, to external service and verify it (using my app FBase secret) for "access" to external service

In essence, leverage existing Firebase mechanisms as a form of "gateway" to external service(s).

I saw an old answer here - "....token to survive page reloads, then you need to store it in some way so the client..." - is this token the JWT?

Thanks!

Community
EdSF

5 Answers

7

This is the right way to obtain the Firebase JWT token:

firebase.auth().currentUser.getToken().then(function(token){
  console.log(token);
});
Ismail Baskin
  • 2
    As of March 2017 this actually seems to be the right way, see https://firebase.google.com/docs/reference/js/firebase.User#getToken – SergGr Mar 01 '17 at 23:01
  • This seems to be deprecated or something, the new way to do this is https://firebase.google.com/docs/reference/js/firebase.User.html#getidtoken – IdoL May 21 '19 at 07:07
5

Update March 2021: getToken() won't work, refer to the documentation.

We have to use getIdToken().

The version below will work in JavaScript:

firebase.auth().currentUser.getIdToken(true).then(function(token){
  console.log(token);
});
Wilson Silva
Frank David
3

Firebase indeed keeps the JWT in local storage.

JSON.parse(localStorage.getItem("firebase:session::<app-name>")).token

You can also get it from the authData, where it is available as the value of the token property.

ref.onAuth(function(authData) { console.log(authData.token); })

But the preferred way is to do what Chris said in the comments:

ref.getAuth().token
Frank van Puffelen
  • 3
    You can also obtain it using `ref.getAuth().token` – Chris Raynor Nov 04 '15 at 18:27
  • Taking the easy route, are we? :-) Just kidding, I'll add your variant as the preferred approach. – Frank van Puffelen Nov 04 '15 at 18:45
  • 1
    I'm surprised this information isn't more widely circulated; is it a security risk to re-use the Firebase JWT to authenticate against external (node.js) servers? The JWT is simple enough, and I'm assuming it's secure enough to verify the signature using the secret and call it good? Firebase JWT: { "v": 0, "d": { "provider": "password", "uid": "" }, "iat": 1458685982 } – Mike Mar 23 '16 at 14:48
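
Added example, not from any of the answers or comments on this page: the checks an external Node.js service would make on a token obtained with getIdToken() before treating the caller as authenticated. It assumes the current ID token format (RS256, signed with Google-published keys rather than the app secret); the key pair, `demo-project`, `demo-kid` and all helper names are constructed for the demo.

```javascript
// Added example: what an external service checks before trusting a Firebase ID token.
const { createSign, createVerify, generateKeyPairSync } = require("crypto");

const b64urlJson = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const parseSeg = (seg) => JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));

// keys: Map of kid -> PEM public key; projectId: the Firebase project ID.
function verifyIdToken(token, keys, projectId, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, sig] = parts;
  const header = parseSeg(h);
  // Pin the algorithm: the token must never get to choose "none" or HS256.
  if (header.alg !== "RS256") throw new Error("unexpected alg");
  const pem = keys.get(header.kid);
  if (!pem) throw new Error("unknown kid");
  const ok = createVerify("RSA-SHA256").update(`${h}.${p}`)
    .verify(pem, Buffer.from(sig, "base64url"));
  if (!ok) throw new Error("bad signature");
  const c = parseSeg(p);
  if (c.aud !== projectId) throw new Error("wrong audience");
  if (c.iss !== `https://securetoken.google.com/${projectId}`) throw new Error("wrong issuer");
  if (typeof c.exp !== "number" || c.exp <= nowSec) throw new Error("expired");
  if (typeof c.iat !== "number" || c.iat > nowSec) throw new Error("issued in the future");
  if (typeof c.sub !== "string" || c.sub === "") throw new Error("missing sub");
  return c.sub; // the Firebase uid
}

// Constructed fixtures so the example runs offline: a throwaway key pair
// stands in for Google's signing key, and the claims below are made up.
const { publicKey, privateKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });
const DEMO_KEYS = new Map([["demo-kid", publicKey.export({ type: "spki", format: "pem" })]]);
const NOW = 1700000000;
const DEMO_CLAIMS = { iss: "https://securetoken.google.com/demo-project",
  aud: "demo-project", sub: "uid-123", iat: NOW - 60, exp: NOW + 3540 };

function mintDemoToken(claims, header = { alg: "RS256", kid: "demo-kid" }) {
  const input = `${b64urlJson(header)}.${b64urlJson(claims)}`;
  const sig = createSign("RSA-SHA256").update(input).sign(privateKey);
  return `${input}.${sig.toString("base64url")}`;
}

function check(token, nowSec = NOW) {
  try { return verifyIdToken(token, DEMO_KEYS, "demo-project", nowSec); }
  catch (e) { return `rejected: ${e.message}`; }
}

console.log(check(mintDemoToken(DEMO_CLAIMS)));
console.log(check(mintDemoToken({ ...DEMO_CLAIMS, aud: "other-project" })));
```

In a deployed service, the Firebase Admin SDK's verifyIdToken() performs these checks against Google's published signing certificates.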
2

For any future SO-goers looking to do this in Swift 4, here's a snippet to make your lives easier:

        // Force refresh from Firebase if token is expired (pass true) 
        // or deliberately do not refresh if expired (pass false)

        Auth.auth().currentUser?.getIDTokenForcingRefresh(true, completion: { (token, error) in
            if error != nil {
                print("Network Auth Error: \(String(describing: error?.localizedDescription))")

            } else {
                // do something with token
            }
        })

        // If you don't care about the refresh
        Auth.auth().currentUser?.getIDToken(completion: { (token, error) in
            if error != nil {
                print("Network Auth Error: \(String(describing: error?.localizedDescription))")

            } else {
                // do something with token
            }
        })
JaredH
2

Answer for November 2020

Once you have the FirebaseAuth instance, you can get the token using one line of code:

FirebaseAuth auth;
String token;

token = await auth.currentUser.getIdToken();
Code on the Rocks