0

Does User.getIdToken() (with parameter forceRefresh = false) retrieve the ID token from the server every time it's called? Or does it cache it, and only contact the server when it detects that a refresh is due (or do something else entirely)?

And a follow-up question - if it indeed does retrieve the ID token from the server every time, doesn't that mean that every time an app wants to send a request to its backend server (which has to include the ID token, so that the backend can verify the authenticity of the request), it effectively has to first contact the Firebase server to get the ID token? Because that's going to get expensive, right?

I know I can listen to the idTokenChanges stream and cache the ID token whenever I get a new User instance, but I'd prefer to not have to do that, because I don't want a StreamBuilder/StreamProvider to rebuild UI whenever the ID token changes. Listening to authStateChanges instead means the UI can rebuild only on sign-in and sign-out events, which is what I want. But then I run into the potential problem described above (if indeed the server is queried every time), i.e. I have to call getIdToken() every time I want to send a request to the app's backend.

Improve this question

2 Answers 2

Reset to default
3

As stated in the official documentation, getIdToken():

Returns a JSON Web Token (JWT) used to identify the user to a Firebase service. Returns the current token if it has not expired. Otherwise, this will refresh the token and return a new one.

Therefore, the Firebase server is reached only if the current token is expired.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

But how can it be inferred from that that the current token isn't being retrieved from the server? You'd have to know the implementation details of the function?
JWT tokens explicitly define an expiration date: github.com/auth0/node-jsonwebtoken/blob/master/…
Sure: being an ID token, I know that it's going to expire, and so I would expect nothing less than for it to have an expiration date. But again, how can I infer from that that the token isn't being retrieved from the server? Short of looking at the internals of the function, how would I know? Speaking of the internals; it's a one-liner: return _delegate.getIdToken(forceRefresh); which in turn is defined in platform_interface_user.dart as throw UnimplementedError("getIdToken() is not implemented");).
1

Does User.getIdToken() (with parameter forceRefresh = false) retrieve the ID token from the server every time it's called?

No

Or does it cache it, and only contact the server when it detects that a refresh is due (or do something else entirely)?

Without forcing a refresh, there is no guarantee about the value it returns. It might have been recently refreshed, or not. It simply returns the last known value.

if it indeed does retrieve the ID token from the server every time, doesn't that mean that every time an app wants to send a request to its backend server (which has to include the ID token, so that the backend can verify the authenticity of the request), it effectively has to first contact the Firebase server to get the ID token?

No, you can cache the value on your own and keep track of how fresh it is.

Honestly, if you want to optimize your code, it's strongly advisable to do exactly what you say you don't want to do and listen for the automatic refreshes that the SDK will do for you. This is the recommended way to always have a fresh token, and is the whole reason why the API exists.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.