Firebase Id Token vs Access Token
In Firebase, the ID token and the access token serve different purposes, though they are both involved in authentication and authorization processes. Here's a detailed comparison:
Firebase ID Token
- Purpose: Authenticates the user.
- Contents: Contains user identity information and claims.
- Usage:
  - Used to authenticate requests to Firebase services such as Firestore, Realtime Database, and Firebase Cloud Messaging.
  - Can be verified to ensure the user's identity and access level.
- Lifespan: Typically valid for one hour.
- Structure: JSON Web Token (JWT).
- Example Use Case: When a user logs into your app, Firebase Authentication generates an ID token that you can use to verify the user on your backend server.
Access Token
- Purpose: Authorizes the application to access resources.
- Contents: Contains scopes and permissions granted to the application.
- Usage:
  - Used to access resources on behalf of the user from third-party services (e.g., Google APIs).
  - Includes permissions that specify what the application is allowed to do.
- Lifespan: Short-lived, typically a few minutes to an hour.
- Structure: Opaque string or JSON Web Token (JWT).
- Example Use Case: When an application needs to access Google Drive or Calendar API on behalf of the user, it uses an access token.
Differences and Use Cases
- Purpose:
  - ID Token: Primarily for user authentication and to identify the user. Used to secure interactions with Firebase services.
  - Access Token: Primarily for authorizing applications to access external APIs or resources.
- Contents:
  - ID Token: Includes user identity information, custom claims, and metadata.
  - Access Token: Includes scopes, permissions, and access rights.
- Verification:
  - ID Token: Can be verified by the Firebase Admin SDK to ensure the user's authenticity and claims.
  - Access Token: Typically verified by the resource server (e.g., Google API server) to grant access to resources.
Example Workflow in Firebase
- User Signs In:
  - The user signs in using Firebase Authentication (e.g., with email/password or Google Sign-In).
  - Firebase Authentication issues an ID token.
- Accessing Firebase Services:
  - The ID token is used to authenticate requests to Firebase services like Firestore, ensuring that the request is made by an authenticated user.
- Accessing Third-Party APIs:
  - If the application needs to access Google APIs on behalf of the user, an OAuth flow is initiated.
  - The user grants permission, and an access token is issued by Google.
  - The access token is used to make authorized requests to Google APIs.
Practical Example
- Firebase ID Token:

```javascript
// Obtain the signed-in user's ID token. forceRefresh = true fetches a fresh token
// instead of returning the cached one. currentUser is null when nobody is signed in,
// so check it before calling getIdToken().
firebase.auth().currentUser.getIdToken(/* forceRefresh */ true)
  .then(function(idToken) {
    // Send token to your backend via HTTPS
    // ...
  })
  .catch(function(error) {
    // Handle error
  });
```
- Access Token (OAuth 2.0):

```javascript
// Example using Google Sign-In for OAuth 2.0 access token.
// Request any additional Google API scopes with provider.addScope() before signing in;
// the access token returned covers only the scopes the user granted.
var provider = new firebase.auth.GoogleAuthProvider();
firebase.auth().signInWithPopup(provider)
  .then(function(result) {
    // This gives you a Google Access Token.
    var token = result.credential.accessToken;
    // Use the token to access Google APIs
  })
  .catch(function(error) {
    // Handle error
  });
```
Published on: Jul 16, 2024, 10:16 AM