Update specific firebase auth session custom claims

Question

i m using firebase auth in my app.

auth methods : custom auth and google sign in. user can login using any of the two.

user can have multiple auth sessions running in multiple devices.

now when the user logs in using custom auth then i set some custom claims[session id] while sending the custom auth token.

QUESTION

in case user signs in using google signin how do i make sure that the custom claim is only applied to specific session [using admin sdk to update custom claims] ?

use case : every session has a unique id so that it can subscribe to it and once the session id deleted from any other device the user gets log out automatically.

thnx in advance 🙏🙏🙏

Answer 1

This is not a use case supported by Firebase Authentication. Custom claims are attached to a user account, and will appear whenever that user signs in. They are not related to a user session, and are not temporary. If you need some sort of per-session permissions, custom claims are not going to help you out here.

Answer 2

It does appear to be possible to have something similar to per-session custom claims using Custom Tokens, and the custom claims will be "temporary" (not persisted on the Firebase user object).

1. Authenticate the user on the frontend using the typical Firebase process (Google Sign-In, email/password, etc.)
2. Send the token to your backend and validate it
3. Mint a custom token with the desired custom claim using the Firebase Admin SDK
4. Send the custom token to the frontend
5. Re-authenticate the user using signInWithCustomToken()

I've found this to be particularly useful when temporarily elevating or modifying a user's permissions (e.g. an admin performing a restricted action on behalf of another user).