Firebase Authentication sessions are long lived. Every time a user signs in, the user credentials are sent to the Firebase Authentication backend and exchanged for a Firebase ID token (a JWT) and refresh token. Firebase ID tokens are short lived and last for an hour; the refresh token can be used to retrieve new ID tokens. Refresh tokens expire only when one of the following occurs:
The Firebase Admin SDK provides the ability to revoke refresh tokens for a specified user. In addition, an API to check for ID token revocation is also made available. With these capabilities, you have more control over user sessions. The SDK provides the ability to add restrictions to prevent sessions from being used in suspicious circumstances, as well as a mechanism for recovery from potential token theft.
Revoke refresh tokens
You might revoke a user's existing refresh token when a user reports a lost or stolen device. Similarly, if you discover a general vulnerability or suspect a wide-scale leak of active tokens, you can use the Password resets also revoke a user's existing tokens; however, the Firebase Authentication backend handles the revocation automatically in that case. On revocation, the user is signed out and prompted to reauthenticate.
Here is an example implementation that uses the Admin SDK to revoke the refresh token of a given user. To initialize the Admin SDK, follow the instructions on the setup page.
Detect ID token revocation
Because Firebase ID tokens are stateless JWTs, you can determine that a token has been revoked only by requesting the token's status from the Firebase Authentication backend. For this reason, performing this check on your server is an expensive operation, requiring an extra network round trip. You can avoid making this network request by setting up Firebase Security Rules that check for revocation rather than using the Admin SDK to make the check.
Detect ID token revocation in Firebase Security Rules
To be able to detect ID token revocation using Security Rules, you must first store some user-specific metadata.
Update user-specific metadata in Firebase Realtime Database. Save the refresh token revocation timestamp. This is needed to track ID token revocation via Firebase Security Rules, and it allows for efficient checks within the database.
In the code samples below, use the uid and the revocation time obtained in the previous section.
Add a check to Firebase Security Rules
To enforce this check, set up a rule with no client write access to store the revocation time per user. This can be updated with the UTC timestamp of the last revocation time, as shown in the previous examples:
Any data that requires authenticated access must have the following rule configured. This logic only allows authenticated users with unrevoked ID tokens to access the protected data:
Detect ID token revocation in the SDK
In your server, implement the following logic for refresh token revocation and ID token validation: When a user's ID token is to be verified, the additional To initialize the Admin SDK for your platform, follow the instructions on the setup page. Examples of retrieving the ID token are in the
Respond to token revocation on the client
If the token is revoked via the Admin SDK, the client is informed of the revocation, and the user is expected to reauthenticate or is signed out:
Advanced Security: Enforce IP address restrictions
A common security mechanism for detecting token theft is to keep track of request IP address origins. For example, if requests always come from the same IP address (such as a server making the call), single IP address sessions can be enforced. Or, you might revoke a user's token if you detect that the user's IP address suddenly changed geolocation, or if you receive a request from a suspicious origin. To perform security checks based on IP address, inspect the ID token on every authenticated request and check whether the request's IP address matches previously trusted IP addresses or falls within a trusted range before allowing access to restricted data. For example:
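The revocation-timestamp comparison from the Security Rules and SDK sections above, combined with the IP address check described here, as an added example that is not Firebase's own code. It does not call the Admin SDK; it reproduces the decision a server would make after verifyIdToken has succeeded, against a constructed in-memory stand-in for the metadata/<uid>/revokeTime node and a constructed allowlist of trusted IPv4 ranges. The claim names sub and auth_time follow the ID token format; the uids, timestamps and ranges are constructed sample values.

```javascript
// Added example (not Firebase's code). Models the checks this page describes with
// constructed data; a real server would read the metadata node and its trusted
// ranges from the Realtime Database and its own configuration.

// Stand-in for metadata/<uid>/revokeTime, stored in seconds like the rule expects.
const metadata = { 'user-123': { revokeTime: 1700000000 } }; // constructed

// Constructed trusted origins (IPv4 CIDR notation).
const trustedCidrs = ['10.0.0.0/8', '203.0.113.0/24'];

// Same ordering test as the Security Rule: the sign-in that minted the token must
// be strictly later than the last revocation; a user with no recorded revocation
// has revokeTime 0 and is never treated as revoked.
function isTokenRevoked(decodedToken, store = metadata) {
  const revokeTime = store[decodedToken.sub]?.revokeTime ?? 0;
  return !(decodedToken.auth_time > revokeTime);
}

function ipv4ToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`not an IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function ipInCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (ipv4ToInt(ip) & mask) === (ipv4ToInt(base) & mask);
}

function isTrustedIp(ip, cidrs = trustedCidrs) {
  return cidrs.some(c => ipInCidr(ip, c));
}

// Decision made per request once the token's signature and expiry have been verified:
// revoked tokens are rejected first, then requests from outside the trusted ranges.
function authorizeRequest(decodedToken, requestIp, store = metadata, cidrs = trustedCidrs) {
  if (isTokenRevoked(decodedToken, store)) return { allowed: false, reason: 'id-token-revoked' };
  if (!isTrustedIp(requestIp, cidrs)) return { allowed: false, reason: 'untrusted-ip' };
  return { allowed: true, reason: 'ok' };
}
```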