Reputation: 1458
I've used Firebase Auth to manage user logins on my app, and custom claims for their roles and permissions for each organization they belong to.
The problem is that when a user belongs to several organizations, the custom claims exceed the 1,000 characters length limit set by Firebase Authentication.
For the client, I can make an API call with the ID token and respond with his/her claims. But for my gateway, it means I now need to query my database at each user request. It defeats the point of using a JWT at all.
How can I embed custom claims in a safe way?
Upvotes: 1
Views: 1000
Reputation: 599081
Usually the keys and values of custom claims are very short, and you should not run into this limit. Short keys and values are important, since the claims are encoded in the JWT, which is sent with each request/connection.
You are likely storing readable, meaningful values in your token now. I'd recommend using shorter "codes" as the keys/values of your claims, similar to the three-letter default properties of a JWT. That will keep your token size under control, and should bring you back under the limit unless you really have a lot of claims.
Upvotes: 1
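As an added illustration (not part of the answer above), here is a Python sketch of what the answer suggests: encode each organization's role and permissions as short codes, check the serialized size against the 1,000-byte limit before the claims are handed to the Admin SDK, and decode them on the gateway from a static table instead of a database lookup. The code tables, organization ids and claim shapes are constructed for this example.

```python
import json

# Firebase Authentication rejects custom claims whose serialized JSON exceeds 1000 bytes.
CUSTOM_CLAIMS_LIMIT = 1000
# Partial list of OIDC claim names the Firebase Admin SDK refuses as custom claim keys.
RESERVED_CLAIMS = {"sub", "iss", "aud", "exp", "iat", "nbf", "jti", "nonce", "auth_time", "firebase"}

# Constructed code tables (hypothetical): shared by the service that sets claims and the gateway.
ROLE_CODES = {"administrator": "a", "editor": "e", "viewer": "v"}
PERM_CODES = {"billing:read": "br", "billing:write": "bw",
              "members:invite": "mi", "projects:delete": "pd"}
ROLE_NAMES = {v: k for k, v in ROLE_CODES.items()}
PERM_NAMES = {v: k for k, v in PERM_CODES.items()}


def verbose_claims(memberships):
    """Readable claims, one object per organization: the shape the question describes."""
    return {"organizations": [
        {"organizationId": m["org"], "role": m["role"], "permissions": m["perms"]}
        for m in memberships]}


def compact_claims(memberships):
    """Same information as short codes keyed by organization id, as the answer suggests."""
    return {"o": {m["org"]: [ROLE_CODES[m["role"]]] + [PERM_CODES[p] for p in m["perms"]]
                  for m in memberships}}


def claims_size(claims):
    """Size in bytes of the compact JSON serialization, which is what the limit applies to."""
    return len(json.dumps(claims, separators=(",", ":")).encode("utf-8"))


def check_claims(claims):
    """Validate claims before setting them on the user; raises ValueError on a violation."""
    reserved = RESERVED_CLAIMS.intersection(claims)
    if reserved:
        raise ValueError(f"reserved claim names used: {sorted(reserved)}")
    size = claims_size(claims)
    if size > CUSTOM_CLAIMS_LIMIT:
        raise ValueError(f"custom claims are {size} bytes, limit is {CUSTOM_CLAIMS_LIMIT}")
    return size


def expand_claims(compact):
    """Gateway side: map the codes from an already verified ID token back to readable
    role and permission names using only the static tables, so no per-request DB query."""
    return {org: {"role": ROLE_NAMES[codes[0]],
                  "permissions": [PERM_NAMES[c] for c in codes[1:]]}
            for org, codes in compact["o"].items()}
```

With ten organizations the readable form is well over the limit while the coded form uses about a third of it; the gateway still needs to verify the token's signature before trusting any of the decoded values.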