ID token docs say refreshes with 5 minutes buffer but seems to be 30 seconds #8165

Open
anuraaga opened this issue Apr 15, 2024 · 2 comments

Comments

@anuraaga

Operating System

Any

Browser Version

Any

Firebase SDK Version

92e2279

Firebase SDK Product:

Auth

Describe your project's tooling

This report is based on examining the code in GitHub and not an actual direct usage. We noticed expired tokens being sent to our backend and investigated the code and found this.

Describe the problem

The documentation says that Firebase ID tokens should be refreshed if they would expire within 5 minutes.

https://github.com/firebase/firebase-js-sdk/blob/master/packages/auth/src/core/user/id_token_result.ts#L31

But looking at the code that actually fetches, it appears to use a buffer that is 30s.

https://github.com/firebase/firebase-js-sdk/blob/master/packages/auth/src/core/user/token_manager.ts#L49

Is this intended or is it missing a 0 accidentally?

Steps and code to reproduce issue

We don't have a direct reproduction but notice expired tokens being sent to our backend (no request takes more than 5 minutes to process) and examined the code to see why it may be.

anuraaga added the new and question labels on Apr 15, 2024
jbalidiong added the needs-attention label and removed the new label on Apr 15, 2024
@renkelvin
Contributor

The 5 minutes is enforced by expirationTime, while the 30s is to refresh the token if it will expire in 30s.

@anuraaga
Author

@renkelvin Do you mean StsTokenManager.expirationTime? That is set to the STS response from here

https://github.com/firebase/firebase-js-sdk/blob/master/packages/auth/src/api/authentication/token.ts#L98

Do you mean the server returns an expires_in in the response that is 5 minutes before the exp claim in the token itself?
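
The timing discussed in this thread, as an added example that is not part of the original issue or of firebase-js-sdk: it compares a 30 s and a 5 minute refresh buffer for a request that the backend validates 60 s after the client sent it, and reports the gap between the client-side expiry derived from `expires_in` and the token's own `exp` claim. The helper names, the unsigned sample token and all timings are constructed assumptions.

```javascript
// Added example: hypothetical helper names and constructed values, not firebase-js-sdk code.
const THIRTY_SECONDS_MS = 30 * 1000;   // buffer the issue reads from the code
const FIVE_MINUTES_MS = 5 * 60 * 1000; // buffer the documentation describes

// Build an unsigned, constructed JWT so the example runs offline.
function makeSampleJwt(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.`;
}

// Read the exp claim in milliseconds. Inspection only: no signature check here.
function jwtExpMs(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const claims = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  if (typeof claims.exp !== 'number') throw new Error('exp claim missing');
  return claims.exp * 1000;
}

// Client-side rule: refresh when the locally tracked expiry is within bufferMs.
function needsRefresh(expirationTimeMs, nowMs, bufferMs) {
  return expirationTimeMs - nowMs <= bufferMs;
}

// One request: the client decides at sendAtMs, the backend checks exp at arrival.
function simulateRequest({ token, issuedAtMs, expiresInSec, sendAtMs, delayMs, bufferMs }) {
  const expirationTimeMs = issuedAtMs + expiresInSec * 1000; // derived from expires_in
  const expMs = jwtExpMs(token);
  const refreshed = needsRefresh(expirationTimeMs, sendAtMs, bufferMs);
  return {
    serverMarginMs: expMs - expirationTimeMs, // > 0 only if expires_in ends before exp
    refreshed,
    expiredOnArrival: !refreshed && sendAtMs + delayMs >= expMs,
  };
}

// Constructed scenario: 1 h token, sent 45 s before expiry, validated 60 s later.
const issuedAtMs = 1700000000000;
const scenario = {
  token: makeSampleJwt({ iat: issuedAtMs / 1000, exp: issuedAtMs / 1000 + 3600 }),
  issuedAtMs, expiresInSec: 3600,
  sendAtMs: issuedAtMs + 3600 * 1000 - 45 * 1000,
  delayMs: 60 * 1000,
};
const with30s = simulateRequest({ ...scenario, bufferMs: THIRTY_SECONDS_MS });
const with5min = simulateRequest({ ...scenario, bufferMs: FIVE_MINUTES_MS });
console.log({ with30s, with5min });
```

In this constructed case the 30 s buffer leaves the cached token in use and the backend sees it 15 s after `exp`, while the 5 minute buffer triggers a refresh before sending.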
