Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News Major Update to Firebase Brings Rich Authentication Tokens

Major Update to Firebase Brings Rich Authentication Tokens

This item in japanese

The Firebase core development team has this week announced major updates to its user authentication, including automatic session persistence, and rich authentication tokens for use in Security Rules.

Firebase is a realtime database that provides an API allowing developers to store and sync data across multiple clients.

In the article Major Updates to Firebase User Authentication core developer Rob DiMarco says Firebase knew authentication was necessary, but didn’t realise right away "just how painful managing different OAuth implementations was" -- leading to the introduction of the Firebase Simple Login.

The GitHub notes for Firebase Simple Login gives an overview:

When a client initially connects to Firebase, it is anonymous and is granted a default set of permissions as specified in our Security Rules. To grant a client a different set of permissions, we must authenticate it.

Firebase can manage authentication for us, using the Simple Login service. Firebase can authenticate users using social login providers such as Facebook, Google, Twitter and GitHub or manage user registration using email and password login.

With the announcement DiMarco says Firebase has "completely rebuilt" the authentication API. The changes are expected to make it easier to use, as well as giving the user more control over login flows, and providing "a consistent developer experience across all of our supported login types and platforms."

DiMarco says:

Over the past two years, we’ve been constantly improving Simple Login.

We’ve added support for login on our mobile platforms, automatic session persistence, rich authentication tokens for use in our Security Rules, built-in support for authenticating on hybrid development platforms, and a simple API for authenticating users using purely client-side code.

In today’s release, we’re announcing that all these features are now first-class citizens in the core Firebase API.

Among the other new features introduced in Firebase's update are offline-optimised authentication. With this, Firebase provides full access to users’ authentication data, even when the application starts in a disconnected state. The update allows users to "write applications without worrying about connectivity state."

Also improved is Firebase's new event listener for authentication state, that behaves in the same way as Firebase value events, and specific control over the authentication transport used on the web, giving the user greater control of the authentication flow and user experience during login.

According to the published JavaScript Changelog, other changes in the updated version include:

  • Added automatic session persistence for all authentication methods
  • Added a synchronous accessor for authentication state: ref.getAuth()
  • Added a standardized authData returned for all authentication providers
  • Deprecated auth(). Developers should now use authWithCustomToken() instead.

To initialise Simple Login, the Firebase Simple Login docs on GitHub says developers need to

Create a FirebaseSimpleLogin object. This object takes in a Firebase reference and a callback function. The callback is triggered any time that the user's authentication state is changed.

var myRef = new Firebase("");
var authClient = new FirebaseSimpleLogin(myRef, function(error, user) {
if (error) {
// an error occurred while attempting login
} else if (user) {
// user authenticated with Firebase
console.log("User ID: " + user.uid + ", Provider: " + user.provider);
} else {
// user is logged out

More information on the Firebase Simple Login and Firebase APIs visit the GitHub project here.

The update has been well received in the Firebase community, albeit quietly.

On Hacker News, DiMarco commented on the discussion Major Updates to Firebase User Authentication, offering to answer any questions and welcoming feedback. User John Grosen asked DiMarco about Firebase's support for Persona: "Why did you stop officially supporting Persona? Just lack of use?"

James Tamplin, Co-Founder and CEO, replied: 

"Mozilla, the corporate backer of Persona, decided to end new feature development on it because of low adoption. Because of this, and very low usage numbers on our end, we decided to remove support."

Elsewhere, in the Firebase Google Group, user Kyle Parisi commented on the discussion Major Updates to Firebase User Authentication, asking:

"Very cool stuff. I think the only thing missing now is single sign on support for sub domains and perhaps proper email verification. Is this in the pipe line?"

At time of press, there has been no response from the development team to the question.

Rate this Article