In What Period Does the Firebase's App Token Changes and How to Manage It

In what period does the firebase's app token changes and how to manage it?

The token is generated, after the app is first launched, as soon as the phone can connect to the Google servers. Due to the required connectivity this might not happen immediately, but in most of the cases it will happen in few seconds after the user open the app.
As soon as the token is generated the method onTokenRefresh() is called.

As you pointed out the token can change, in which case the onTokenRefresh() method will be called again.

The refresh event is somehow rare, don't expect to see it often at all.

When the refresh token happens, all the messages that have been "successfully" sent (the API returned you a message-id) to the old token will be delivered.

Finally, even after the refresh happened the old token will still be working for a short period, to allow the app to communicate the new token to its back-end.

Firebase user ID token: when does it change? And how to listen to the updates/refreshes of it?

Time has passed and I finally collected enough info.

Let's talk about Firebase ID Token:

• When does it expire/update?
• How do I monitor/listen to its refresh/updates?
• What is it?

When does Firebase ID Token expire/update?

From

• Answer of @Frank van Puffelen
• Firebase Doc for Admin: Manage User Sessions
• Reference of Firebase.addIdTokenListener

Firebase ID tokens are short lived, and will be refreshed when:

• after 1 hour
• user signs in
• user signs out
• user changes password
• user requires a force-refresh (by executing getIDToken(true))
• other firebase event, like "user changes"

The procedure seems controlled by Firebase system. The time listed above might not cover all the cases.

How do I monitor/listen to refresh/updates?

Due to the propose of Firebase ID token, you are not suggested to "listen to its changes automatically".

It's suggested to get token dynamically, by calling user.getIdToken().

However, if you really want to monitor it, you may use FirebaseAuth.addIdTokenListener. Note that user (as well as IdToken ) might not always exist in this listener:

Firebase.auth.addIdTokenListener(FirebaseAuth.IdTokenListener { auth ->
    Log.v("AUTH", "token Listener: triggers when user is ${auth.currentUser?.uid}")
    auth.currentUser?.run {
        getIdToken(false).addOnSuccessListener {
            Log.v("AUTH", "token Listener: current token is ${it.token}")
        }.addOnFailureListener {
            Log.w("AUTH", "token Listener: failed getting token.", it)
        }
    }
})

Also note that calling getIdToken(true) would ALWAYS refresh ID token.

Bonus: What is ID Token?

Firstly one have to know that, ID token, refresh and access token is NOT invented by Firebase. It's from the Network framework and protocol -- ID token is from Open ID Connect, and others from OAuth 2.0.

I'm not an expert in Network, so I'll just brief explain it from my understanding:

• ID Token: always encoded as JWT (JSON Web Token). Provides the identity of user. However it is not very safe as it might be stolen/copied, thus not suggested to be used in API.
• Access Token: no strict format (can also be JWT), but is limited, dynamic token generated (by server) from client request. Have many ways to keep safety, thus suggested to be used in API.
• (and a Refresh Token is sent from server, used by client/server, to refresh the Access Token.)

(I recommend a comparison article of these 2 tokens, very clear and helpful.)

However, there're differences in Firebase. In all articles I found, they all indicate that: when you need an access token in Firebase, you should call FirebaseUser.getIdToken(). And it's dynamic, with refreshing mechanism, and you can refresh it from client.

Considered the definition above, I feel like that in Firebase, Firebase (Auth) ID Token behaves more like Access Token defined in OAuth 2.0, not ID Token defined in Open ID Connect.

That's all I got so far. Hope it helps the future googlers.

Firebase ID Token expiration in an hour

Firebase auth tokens automatically refresh every hour. That's a function of the SDK, and you don't have to do anything to enable it.

You definitely do not want to call firebase.auth().onAuthStateChanged for each request. That starts a persistent listener, and adds a new callback every time it's used. Typically you add just one listener globally for your app, and use its updates as they happen.

If you need to know when the SDK refreshes the token in order to get a new one immediately, you should instead use onIdTokenChanged to set up a callback that will be invoked every time the user's token changes. Again, you should only set up one of these globally for your app, and use its current value at the time of the request.

Firebase token is generated every time new

We are using Firebase Cloud Messaging in a project too.

We use firebase in android app with:

compile 'com.google.firebase:firebase-core:9.0.2'

The token we receipt persist whenever we relaunch the app.

It's better to make sure if each time you launch the app, token get refreshed in your FirebaseInstanceService:

public class MyFirebaseInstanceIDService extends FirebaseInstanceIdService {

  private static final String TAG = "MyFirebaseIIDService";

  @Override public void onTokenRefresh() {
    ...

    // Get updated InstanceID token.
    String refreshedToken = FirebaseInstanceId.getInstance().getToken();
    // check here.
    Log.d(TAG, "Refreshed token: " + refreshedToken);

    ...
  }
}

Then make sure in your server you have correctly set the Firebase Server.

It could be a bug if you getting a different token every time you launching your app. But make sure you have tested your android project with the newest Firebase Library.

This questions could be related to your problem:

Firebase Android Authentication failed: expired_token (Auth token is expired)

What is Deadline of Manage Firebase installations implementation ? What is impact of deprecated Firebase installation ID in Mobile app?

With Cloud Messaging version 22.0.0 published on May 11, 2021 - they have removed this dependency from their SDK.

Removed dependency on the deprecated Firebase Instance ID SDK.

Caution: This is a breaking change for apps that use FCM and the deprecated Firebase Instance ID API to manage registration tokens.
We strongly recommend migrating to FCM's token APIs. If you're unable to migrate to the replacement APIs, add a direct dependency on the firebase-iid library to your build.gradle file.

You can still keep working with firebase-iid directly for now. This is there so we have enough time to migrate to new apis. You should consider migrating to new apis according to your schedule.

---

Is there any official deadline to implement new Manage Firebase installations?

No direction on this by Firebase team yet.

What is the impact on IOS and Android App if we keep using firebase-iid?

It will keep working as it does today. However since it is not being maintained, it will not receive any new feature updates as the counterpart would.

What will happen if user will have latest os and that does not support the firebase-iid?

You package your firebase-iid code with your app bundle/apk. You do not rely on OS having it. So it seems a long way to go before your code stops working at all.

How to ensure renewed Firebase token is still workable for previous registered device?

AFAIK, the app doesn't delete the Instance ID on it's own, unless you explicitly call it (see my answer here).

If onTokenRefresh() is triggered, is is the developer's responsibility to call getToken() to retrieve the new and valid Registration Token, send it to their App Server and delete the old one. As stated in the docs:

After you've obtained the token, you can send it to your app server and store it using your preferred method.

onTokenRefresh() can be triggered regardless if the app is in foreground or background (see my answer here). This answer by @DiegoGiorgini has an excellent explanation on how it works.

---

Related Topics