4
votes

What is the difference between auth.uid and auth.token.sub in Firebase Realtime Database security rules?

I assume they are the same (a user has only one uid), but they have different descriptions; I would love to know a definitive answer.

auth.uid : A unique user id, guaranteed to be unique across all providers.

auth.token.sub : The user's Firebase UID. This is unique within a project.

Cheers


2 Answers

4
votes

They are exactly the same. auth.uid is provided for backwards compatibility (auth.token didn't use to exist in the Security Rules) and ease of use: sub is not a commonly understood term for an ID, whereas uid is a bit easier to understand and you don't have to dive into the token contents.
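An added illustration of the point above, not part of the original answer: a Realtime Database rules file in which the two expressions are used interchangeably, plus a case where reaching into auth.token buys you something auth.uid alone cannot (a claim such as email_verified). The users/$uid and private/$uid layout is assumed for the example.

```json
{
  "rules": {
    "users": {
      "$uid": {
        // These two conditions are equivalent: auth.uid === auth.token.sub.
        ".read":  "$uid === auth.uid",
        ".write": "$uid === auth.token.sub"
      }
    },
    "private": {
      "$uid": {
        // auth.token exposes the other ID-token claims; auth.uid is only the identifier.
        ".read":  "$uid === auth.uid && auth.token.email_verified === true",
        ".write": "$uid === auth.uid && auth.token.email_verified === true"
      }
    }
  }
}
```

Whichever spelling you use, keep the comparison against the path variable: a rule like ".read": "auth != null" lets any signed-in user read every node under users, which is the usual mistake, not the uid-versus-sub choice.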

3
votes

auth.token.sub is the id encoded in a token. The Firebase Admin SDKs have a built-in method for verifying and decoding ID tokens. If the provided ID token has the correct format, is not expired, and is properly signed, the method returns the decoded ID token. You can grab the uid of the user or device from the decoded token.

So that means inside token.sub you have the uid of the user. But without the SDK you cannot see the real value because it is not decoded. This is for security.

If you want to use this you need to decode it with, for example, the verifyIdToken() method.

Example in Node.js

// The Admin SDK must be loaded and initialized before verifyIdToken() can be called.
const admin = require('firebase-admin');
admin.initializeApp();

// idToken comes from the client app (shown above)

admin.auth().verifyIdToken(idToken)
  .then(function(decodedToken) {
    var uid = decodedToken.uid;   // same value as decodedToken.sub
    // ...
  }).catch(function(error) {
    // Handle error: malformed, expired, or incorrectly signed token
  });

Link here https://firebase.google.com/docs/auth/admin/verify-id-tokens

Hope that is helpful.