Firebaseui-web: Require username, password and two factor authentication every sign in

Created on 9 Jan 2018 · 4 Comments · Source: firebase/firebaseui-web

Version
firebase 4.8.0
firebaseui 2.5.1
Ionic 3.9.2

Observed behaviour

  1. User logs in with Google account in FirebaseUI-web
  2. User logs out firebase.auth().signOut()
  3. User goes back to firebaseUi and can login with previously used Google account without password prompt or two-factor authentication, even if I switch off "Don't ask again on this computer." from two-factor authentication prompt. (Huge security risk, for example, in internet cafes)

Desired behaviour

  1. User logs in with Google account in FirebaseUI-web
  2. User logs out firebase.auth().signOut()
  3. User goes back to firebaseUi, user has to write email, password (and two-factor authentication, if enabled).

Current implementation

ionViewDidLoad() {
  // Reuse the existing AuthUI instance if there is one; otherwise create it.
  this.ui = firebaseui.auth.AuthUI.getInstance() ||
    new firebaseui.auth.AuthUI(firebase.auth());
  this.ui.disableAutoSignIn();
  this.ui.start('#firebaseui-auth-container', this.getUiConfig());
}

getUiConfig() {
  return {
    callbacks: {
      // Navigate inside the app and return false to suppress the redirect.
      signInSuccess: (currentUser, credential, redirectUrl) => {
        this
          .navCtrl
          .setRoot('OverviewPage');
        return false;
      }
    },
    signInOptions: [
      {
        provider: firebase.auth.GoogleAuthProvider.PROVIDER_ID,
        customParameters: {
          prompt: 'select_account' // without this user does not even have to choose used account
        }
      }
    ],
    credentialHelper: firebaseui.auth.CredentialHelper.NONE, // seems to have no effect
    tosUrl: '<your-tos-url>'
  };
}

All 4 comments

Firebase Auth does not support multi-factor authentication. FirebaseUI cannot support this feature until the underlying SDK supports it. For 2-factor auth, 2 credentials need to be passed to get a Firebase ID token. Currently, one is enough to get an ID token. Please file an official request for multi-factor auth with Firebase support: https://firebase.google.com/support/

Thank you for the quick answer. Multi-factor authentication itself works fine with Google account and FirebaseUI, if it is enabled from Google settings (https://myaccount.google.com/signinoptions/two-step-verification/enroll-welcome).

However, the problem enables logging in without re-entering username and password even if the user has logged out.

This works as expected (all OAuth providers work like that). If you want to sign out from Google, you have to do it separately: on Firebase sign out, you need to redirect to the Google sign out URL: https://accounts.google.com/Logout

Thank you so much for the help. It solved my problem.

Could you, please, add this to the docs? I think that some other developers might be interested in your solution also. You can even logout and redirect to your desired web address with the following link:

https://www.google.com/accounts/Logout?continue=https://www.google.com
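
The sign-out flow described in the comments above, as an added example that is not part of the original thread or of FirebaseUI: it signs out of Firebase and then sends the browser to the Google logout URL quoted in the thread. The function names and the injected `auth` / `nav` parameters are assumptions for illustration, and the behaviour of the `continue` parameter is as reported by the commenter.

```javascript
// Added example: Firebase sign-out followed by Google sign-out.
// The logout URL and its `continue` parameter are the ones quoted in the thread.
const GOOGLE_LOGOUT_URL = 'https://www.google.com/accounts/Logout';

// Build the Google logout URL; `continueUrl` is optional and must be https.
function buildGoogleLogoutUrl(continueUrl) {
  const url = new URL(GOOGLE_LOGOUT_URL);
  if (continueUrl !== undefined) {
    const target = new URL(continueUrl); // throws TypeError on a malformed URL
    if (target.protocol !== 'https:') {
      throw new Error('continue URL must use https');
    }
    url.searchParams.set('continue', target.href); // percent-encodes the value
  }
  return url.href;
}

// `auth` is firebase.auth(); `nav` is window.location. Both are injected
// (hypothetical parameter names) so the function can run outside a browser.
async function signOutEverywhere(auth, nav, continueUrl) {
  // Validate first: a bad continue URL fails before any session is touched.
  const logoutUrl = buildGoogleLogoutUrl(continueUrl);
  try {
    await auth.signOut(); // clears the Firebase session only
  } finally {
    // End the Google session even if the Firebase call rejected; on a shared
    // machine the provider session is what lets the next person back in.
    nav.assign(logoutUrl);
  }
  return logoutUrl;
}

// In the Ionic page from the issue:
//   signOutEverywhere(firebase.auth(), window.location, 'https://www.google.com');
```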
