We are generating custom Firebase auth tokens. Unfortunately, the maximum lifetime of such a token is one hour: https://firebase.google.com/docs/auth/admin/create-custom-tokens?hl=en#letting_the_admin_sdk_discover_a_service_account
We are generating these tokens to act as the Bearer auth for a web service API. In this context, it is not appropriate to expire a token. Doing so runs a very high risk of clients losing revenue. Even if you were to expire them, one hour is comically short for an expiration. Consequently, we need JWT tokens which do not expire. Does anyone know how to do this with the Firebase auth system?
CodePudding user response:
Based on the comments:
As @Dharmaraj said, the custom auth token from the admin SDK is for signing in the user immediately and expires in an hour. You can't increase the expiry time. Firebase takes care of refreshing the sign-in state with tokens from their servers.
But given that you need this for a web service API and you don't need the user to sign in, you have two options:
1. Look for a way to have the client sign in with the custom token and then use Firebase callable functions to make requests (you can identify the signed-in user from context.auth). Also, you won't need to set the Authorization header.
2. Use your own JWT tokens without Firebase. Firebase custom tokens are for the client and not for the admin SDK.
Firebase is a backend service and can't do everything. It favors serverless architecture and not the creation of well-customized APIs as you want.
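
Option 2 above, sketched as an added example (not code from the original answer or from Firebase): a self-issued HS256 bearer token whose `exp` claim is optional, paired with a server-side revocation list so that a token with no expiry can still be withdrawn. The names `issueToken`, `verifyToken`, `revokeToken` and the in-memory `revoked` set are assumptions made for illustration.

```javascript
// Added example: self-issued HS256 bearer tokens, built only on Node's crypto module.
const { createHmac, timingSafeEqual, randomUUID } = require('node:crypto');

const b64u = (v) => Buffer.from(v).toString('base64url');
const hmac = (data, secret) => createHmac('sha256', secret).update(data).digest();

// Hypothetical in-memory revocation list; a real service would persist these ids.
const revoked = new Set();

// Issue a token. Pass ttlSeconds to set `exp`; pass undefined for no expiry.
function issueToken(secret, subject, ttlSeconds, now = Math.floor(Date.now() / 1000)) {
  const claims = { sub: subject, iat: now, jti: randomUUID() };
  if (ttlSeconds !== undefined) claims.exp = now + ttlSeconds;
  const head = b64u(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64u(JSON.stringify(claims));
  return `${head}.${body}.${b64u(hmac(`${head}.${body}`, secret))}`;
}

// Verify a token and return its claims, or throw.
function verifyToken(secret, token, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [head, body, sig] = parts;
  // The signature is always checked as HMAC-SHA256; the header's `alg`
  // is never used to choose the algorithm, so "alg: none" cannot pass.
  const expected = hmac(`${head}.${body}`, secret);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }
  const claims = JSON.parse(Buffer.from(body, 'base64url'));
  if (claims.exp !== undefined && now >= claims.exp) throw new Error('expired');
  // With no `exp`, this lookup is the only way to cut off a leaked token.
  if (revoked.has(claims.jti)) throw new Error('revoked');
  return claims;
}

// Withdraw a previously issued token by its unique id.
function revokeToken(claims) {
  revoked.add(claims.jti);
}
```

Because every request consults the revocation list, the verifier is no longer stateless; that lookup is the cost of dropping `exp`.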