Firebase Custom Claims doesn't propagate

Asked 9/10, 2018 at 20:51 Answered 24/10, 2020 at 6:23

javascript firebase firebase-authentication angularfire2

I'm working in an Angular6 app with angularfire2. I'm setting the roles as custom claims in user creation, but it doesn't seem to propagate.

When I'm creating the user I send the userid, businessid and role to a cloud function:

bid > businessid

urole > role

req.body.uid > userid

  const customClaims = {
    roles: { [bid]: urole }
  }
  admin.auth().setCustomUserClaims(req.body.uid, customClaims)
    .then(result => {
      res
        .status(200)
        .send()
    })

The problem is when the call to cloud function finishes and I want to redirect the user to a route which requires the user to have the custom claim set, but it fails. After some debugging, I've found out that if run:

this.angularFireAuth.auth.currentUser.getIdTokenResult(true).then(result => {
      return result.claims.roles
    })

immediately after the call to the cloud function "result.claims.roles" is undefined, but if I refresh the page, "result.claims.roles" have the data I set before.

I've already tried the reload method, and getIdToken(true) but I'm getting the same problem.

Is there a way to avoid refreshing the page and get the custom claims?

Thank you!

Webbing answered 9/10, 2018 at 20:51 Comment(2)

Can you add the code where you make the call to HTTP trigger endpoint and then get the result? I just want to verify that the code waits for the result before calling getIDTokenResult(true). Also be sure to update your SDKs to the latest version, as rules for Cloud Firestore, Cloud Storage, and RTDB used to only updated when the uid changed, not when the token changed. – Yasui 9/10, 2018 at 21:3

Jen, this is the call I've made setting up the role: return this.http.post(${this.environment.backendHostUrl}/api/user/role

, {       uid: userId,       role: role,       business: business     }).pipe(       catchError(error => of(console.log(error)))     ).subscribe(response => {       debugger <--- I get: response = "null"     })

– Webbing 10/10, 2018 at 22:14

When the user is signed in, they get an ID token that is valid for about an hour. If you set a custom claim, their (server-side) profile is updated immediately, but their ID token is not auto-updated. So you'll need to refresh their ID token to get the new custom claims.

As far as I know this ID token is only refreshed by calling getIdTokenResult if it has expired. If that's the cause, calling user.reload() and then getting the ID token should give you the updated claims.

Commit answered 10/10, 2018 at 3:32 Comment(5)

I've made this modification but I still don't get the roles set before:

return this.angularFireAuth.auth.currentUser.reload().then(() => {       return this.angularFireAuth.auth.currentUser.getIdTokenResult(true)     });

However I get them if I refresh the page manually. PS: I added getIdTokenResult(true) to force refresh the token. – Webbing 10/10, 2018 at 22:9

Hmm... I'm not sure why that wouldn't work in that case. Sorry about that. – Commit 10/10, 2018 at 23:0

You will need to force refresh (pass true) to make sure the latest claims are up to date after you set custom claims from the admin SDK. – Backset 15/10, 2018 at 21:57

Hey @bojeil. What method do we need to call for that force refresh? OP calls getIdTokenResult(true), which doesn't seem to give them the new claims. – Commit 15/10, 2018 at 22:57

That is strange. getIdTokenResult(true) should force refresh and update the latest claims. Unless the user was initially signed in with a custom token. In that case the custom token claims will always override the external ones set via admin sdk. – Backset 16/10, 2018 at 23:10

For me it simply worked taking the advice from one of the comments:

// --------
// Frontend
// --------

// Triggering the cloud function
const url: string = 'url-to-your-cloud-function'
await this.http.post<unknown>(url, {}).toPromise();


// After cloud function was run and custom claim was set -> refresh the id token
// The 'currentUser' is a reference to the firebase user
await this.authService.currentUser.getIdToken(true);

// --------
// Cloud Function - createSubscription
// --------

const createSubscription = () => {  
  await admin.auth().setCustomUserClaims(userId, {
    subscriber: true
  })
}

Arctogaea answered 24/10, 2020 at 6:23 Comment(0)

Recommended topics

Hot tags