Firebase Auth Logs - GCP

2

10

Is it possible to retrieve the logs about when a user logs in to or logs out of the platform? And also send them to Stackdriver as Cloud Functions logs? Thanks

Labyrinth answered 13/12, 2018 at 13:18 Comment(0)
4

> Is it possible to retrieve the logs about when a user logs in to or logs out of the platform?

Unfortunately, Firebase does not provide such information. To solve this, you should create your own mechanism to keep track of users' log-ins and log-outs.

Individuate answered 13/12, 2018 at 14:11 Comment(4)
Is this still the case? Is Firebase Auth login at least rate limited to prevent brute force guessing of passwords? – Extensometer
@Extensometer Yep it's still the case. – Individuate
So could someone use Firebase Auth SDK to guess a password 1 million times? – Extensometer
To secure your database, you can use Cloud Firestore Security Rules. – Individuate
17

Update as of 03/27/2023

Activity Logging can only be enabled for "Firebase Authentication with Identity Platform" with a billing account attached and cannot be enabled for "Firebase Authentication Legacy" (projects that haven't upgraded to Identity Platform). Those docs enable logging for the Identity Toolkit API (identitytoolkit.googleapis.com).

Once upgraded to "Firebase Authentication with Identity Platform" you can enable Activity logging via the REST API (instructions below) or via Firebase or GCP Cloud Console.

[Screenshot: Firebase Authentication Legacy Console]

[Screenshot: Firebase Authentication with Identity Platform]

"Firebase Authentication Legacy" projects were able to enable Activity Logging before 03/27/2023 and that behavior will continue to persist, but new requests to enable Activity Logging will now fail.

NOTE: Activity Logging that was enabled on a "Firebase Authentication Legacy" project before 03/27/2023 will not enable Google Cloud Identity Platform for the project, so your project will continue to be subject to Firebase Auth Billing and not Google Cloud Identity Platform Billing.


One of the easier ways for you to retrieve the auth token for the REST command is to have a project owner use OAuthPlayground and authorize the Identity Toolkit API v3 scopes.

[Screenshot: Identity Toolkit API v3 scopes]

After enabling Activity Logging you will be able to view these logged operations in Google Cloud Logging. Now you will be able to see successful and unsuccessful login requests, e.g. SignInWithPassword for email+password auth and SignInWithIdp for federated sign-in requests like Google SignIn. One way to view requests for a specific user is to filter the logs to only include a specific jsonPayload.response.email.

One thing to be aware of is that if you have a large number of users, or really significant activity on your project, you might also want to specify exclusions to minimize cost/traffic/noise.

Magnitogorsk answered 8/1, 2021 at 23:17 Comment(6)
Thanks! Had trouble understanding where to get the auth token and your answer with screenshot was helpful. – Plessor
This was incredibly helpful and should probably be part of the docs – Birgit
Where do I get the auth-token for the REST request to enable the logging? – Cyme
After enabling the Identity ToolKit API v3 scopes in OAuthPlayground, hit the "Authorize APIs" button. That will bring up an OAuth consent screen, accept all that is presented. Then back in the OAuthPlayground UI you will be prompted to select the "Exchange authorization code for tokens" button in Step 2. After selecting it, the Step 2 dropdown will be populated with an access token that starts with ya29. Copy that and use it in the Identity Toolkit REST API call. – Magnitogorsk
This should be the accepted answer – Equivalency
Thank you - had already aborted a few attempts trying to figure this out. This answer really should be in the official docs! – Mardis
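
Added example, not part of the original answers: once Activity Logging is enabled, exported log entries can be scanned for bursts of failed SignInWithPassword requests per email, which speaks to the brute-force question raised in the comments above. Apart from `timestamp` and `jsonPayload.response.email`, the field names (`methodName`, `request.email`, `error`) and every sample entry are assumptions constructed for illustration; check them against your own logs.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _entry(ts, method, email, ok):
    """Build one constructed log entry. Assumed fields: methodName,
    request.email, error. From the answer above: response.email."""
    payload = {"methodName": method, "request": {"email": email}}
    if ok:
        payload["response"] = {"email": email}
    else:
        payload["error"] = {"message": "INVALID_PASSWORD"}  # constructed value
    return json.dumps({"timestamp": ts, "jsonPayload": payload})

# Constructed sample: six failures for alice in one minute, then mixed traffic.
SAMPLE_LINES = (
    [_entry(f"2023-03-27T10:00:{s:02d}Z", "SignInWithPassword",
            "alice@example.com", False) for s in range(0, 60, 10)]
    + [_entry("2023-03-27T10:01:05Z", "SignInWithPassword", "alice@example.com", True),
       _entry("2023-03-27T10:02:00Z", "SignInWithPassword", "bob@example.com", False),
       _entry("2023-03-27T10:30:00Z", "SignInWithPassword", "bob@example.com", False),
       _entry("2023-03-27T10:03:00Z", "SignInWithIdp", "carol@example.com", True)]
)

def failed_password_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {email: peak failures inside any sliding window} for emails that
    reach `threshold` failed SignInWithPassword requests within `window`."""
    events = []
    for line in lines:
        entry = json.loads(line)
        payload = entry.get("jsonPayload", {})
        is_pw = payload.get("methodName", "").endswith("SignInWithPassword")
        if not is_pw or "error" not in payload:
            continue  # only failed email+password sign-ins are counted
        # Failed requests carry no response.email, so read the request side.
        email = payload.get("request", {}).get("email", "").lower()
        ts = datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))
        events.append((ts, email))
    recent, peak = defaultdict(deque), defaultdict(int)
    for ts, email in sorted(events):
        q = recent[email]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        peak[email] = max(peak[email], len(q))
    return {e: n for e, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    print(failed_password_bursts(SAMPLE_LINES))
```

Real Cloud Logging timestamps can carry nanosecond fractions, which `datetime.fromisoformat` rejects on Python versions before 3.11; truncate the fraction to six digits first if needed.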