What’s new in Firebase Authentication?

Here at Firebase, we want to make sure you and your users don’t ever need to think about the dark underbelly of securing identities and managing users. That’s why we’re here! We’ve been hard at work making Firebase Authentication even better, and today I’d love to take you through some of the new functionality we’ve delivered in an effort to make registering and signing in users even easier.

What’s new?

Migration to Google’s Mail Service

We’ve heard loud and clear that our existing mail relay service wasn’t providing the high standards you expect from Firebase. Over the last few months, we’ve not only rolled out the ability to configure your own custom SMTP server, but we’ve been working incredibly hard to move to a new, highly performant mail service, powered by Google. For more than 99% of Firebase Auth projects, we’ve performed this migration behind the scenes. Feedback so far has been resoundingly positive and we’ve heard from a lot of you that this has offered much-needed performance improvements. For our customers that have not yet made the move, we’re excited to get you onto the new platform! You have received instructions on a manual verification step that needs to be taken, but if you’re having any issues, please don’t hesitate to reach out to support.

With this new functionality, your users will be able to seamlessly authenticate to your app simply by clicking a link in their email. No need to remember complex passwords or another set of credentials. We’ve worked really hard to ensure that users will continue to have the same level of security with an even better authentication experience, and we’re excited to finally get this into the hands of our developers. I for one am glad to have one less password to remember!

This functionality is available now for Android, iOS and Web.

Availability of Custom Claims on Clients

Using the Admin SDK, we’ve had the ability to add and evaluate custom claims in ID tokens for quite some time, as well as providing other useful claims in the ID token payload, such as expiration and issued-at time. We heard from many developers out there that you wanted to customize user experience on the client based on these claim values. Some interesting use-cases are around customizing look and feel based on a specific role or permission or showing additional features to administrators/managers. With that in mind, we’ve extended the flexibility of custom claims to enable you to consume these values directly from your client app.

We’re excited about this change, but want to be sure we reiterate some of our best practices for custom claims:

  • Custom claims should be used only for properties that control user access and permissions. Storing things like a user’s favorite color or home address could cause performance issues inside of your application.
  • Custom claims are limited to 1000 bytes in total. Anything larger than that will produce an error during token generation.
  • Custom claims should not be sent directly to a back-end server in the absence of an ID token, as they could have been tampered with or modified. Always ensure that transactions with back-end services include an ID token so we can provide the right levels of security in all interactions.
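
The last practice above, shown as an added example (not Firebase's own code): a back-end check that authorizes only from claims inside a verified token and ignores claim values the client sends alongside the request. `verifyToken` is a local stand-in for the Admin SDK's `verifyIdToken` so the example runs offline; the key pair, the `admin` claim name, the request shape and the helper names are all assumptions.

```javascript
const crypto = require('crypto');
// Constructed key pair standing in for the token issuer's signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const b64url = (text) => Buffer.from(text).toString('base64url');
const now = () => Math.floor(Date.now() / 1000);

// Hypothetical helper: mints a sample RS256 token so the demo runs offline.
function mintSampleToken(claims) {
  const head = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify({ ...claims, iat: now(), exp: now() + 3600 }));
  const sig = crypto.sign('RSA-SHA256', Buffer.from(`${head}.${body}`), privateKey);
  return `${head}.${body}.${sig.toString('base64url')}`;
}

// Local stand-in for server-side ID token verification. Returns the claims,
// or null when the token is missing, malformed, badly signed or expired.
function verifyToken(token) {
  const parts = String(token || '').split('.');
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  try {
    const header = JSON.parse(Buffer.from(head, 'base64url').toString());
    if (header.alg !== 'RS256') return null; // pin the algorithm
    const signed = Buffer.from(`${head}.${body}`);
    if (!crypto.verify('RSA-SHA256', signed, publicKey, Buffer.from(sig, 'base64url'))) return null;
    const claims = JSON.parse(Buffer.from(body, 'base64url').toString());
    return claims.exp > now() ? claims : null;
  } catch { return null; }
}

// Hypothetical handler check: req.body.claims is what the client *says* its
// claims are; it is never consulted. Only verified token claims count.
function canDeleteUser(req) {
  const verified = verifyToken(req.idToken);
  return verified !== null && verified.admin === true;
}

// Constructed requests covering the cases a back end will see.
function demo() {
  const userToken = mintSampleToken({ sub: 'user-1', admin: false });
  const [head, , sig] = userToken.split('.');
  const forgedBody = b64url(JSON.stringify({ sub: 'user-1', admin: true, exp: now() + 3600 }));
  return {
    claimsWithoutToken: canDeleteUser({ body: { claims: { admin: true } } }),
    claimsBesideUserToken: canDeleteUser({ idToken: userToken, body: { claims: { admin: true } } }),
    rewrittenPayload: canDeleteUser({ idToken: `${head}.${forgedBody}.${sig}` }),
    verifiedAdmin: canDeleteUser({ idToken: mintSampleToken({ sub: 'admin-1', admin: true }) }),
  };
}
```

Only the last request is authorized: claims in the request body carry no proof of origin, and a payload edited after signing no longer matches the signature.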

Server-side Session Management controls

Traditionally, Firebase Authentication sessions have lived on the client side with a short-lived authentication token (1 hour) and refresh token that was available indefinitely. Many of you out there have told us that you wanted far more granularity and control server-side as to how long a user’s session could last. We heard your calls and want to ensure that you never have to go through the trouble of spinning up servers, databases and cryptography systems to roll your own session management system, so we’ve released this set of new controls directly inside of Firebase Authentication.

With this release, we introduce the capability to issue JWT-based session cookies from the Firebase Admin SDK. This will allow you to create session cookies with custom expiration times ranging from 5 minutes to 2 weeks and still retain all the benefits of custom claims client-side to provide logic and customization to your application.

We’ve got more details as well as samples of our session management capabilities available in our Admin SDK docs.

Come and see us at I/O 2018!

The Firebase Authentication team will be at I/O 2018, and we’d love to see you there! We’re hosting Authentication Office Hours during the event, and the team will be there to take your questions, discuss some of our awesome new features, or even just to say hi. Look for more details closer to the event. We look forward to seeing you there.