Is there any way to keep a person authenticated with firebase across subdomains
this is correct. Firebase only supports single host origin sessions. Firebase Auth is looking into supporting cookies. For now there is no easy solution for this. Feel free to request this feature at the Firebase forum: https://groups.google.com/forum/#!forum/firebase-talk
For now, if you really need this, here is one relatively easy option: Create an endpoint that takes a Firebase ID token and basically returns a custom token for its underlying user (you would need to use the Admin SDK to do this, you verify then ID token, get the user UID and then mint a custom token). The subdomain where the user signed in would pass the ID token to the other subdomain where the user is still not authenticated (you can use iframe cross origin postMessage to pass it, or just save that ID token in a *.domain.com policy). The custom token can then be used to signInWithCustomToken with the custom token, effectively signing in the same user on this page.
This is risky though as the endpoint could expose a vulnerability (it transforms a short lived token to an indefinite one). If the ID token is leaked, an attacker can basically sign-in as the user exploiting this endpoint.
After having spent much longer then I intended to getting single-sign-in working across subdomains, I wrote up a blog post detailing how to accomplish this.
As a high level overview (which ignores the important security details):
We have three applications at different domains.
accounts.domain.com
app1.domain.com
app2.domain.com
We have three Firebase Functions
...cloudfunctions.net/users-signin
...cloudfunctions.net/users-checkAuthStatus
...cloudfunctions.net/users-signout
In order to sign in:
- Someone navigates to the
accounts.domain.com
app - They provide their authentication information
- That authentication information is sent to our
/users-signin
cloud function which verifies the information and, if valid, sets a signed__session
cookie which contains the user's UID and returns a success indication to the client. - On success, the client calls the
/users-checkAuthStatus
cloud function which looks for the signed__session
cookie, extracts the user UID, and uses the UID and the firebase-admin SDK to mint a custom auth token which it returns to the client. - When the client receives this custom auth token, it uses it to sign in using the firebase javascript SDK.
- When someone navigates to one of the other apps, say
app1.domain.com
, the app first checks to see if the person is already signed in using the firebase javascript SDK.- If they are, awesome.
- If not, it calls the
/users-checkAuthStatus
cloud function which looks for the signed__session
cookie and returns a custom auth token to the client if a valid__session
cookie is found.- If a custom auth token is returned, the client uses it to sign the user in using the firebase sdk.
- If a custom auth token is not returned, it means the user isn't authenticated. You can then optionally redirect them to the authentication app to sign in.
Again, this is a high level overview which ignores issues like cross-site-scripting attacks, actually signing out, etc. For more information, check out the blog post.