Story of the Mysterious bnb: ID Token, Refresh Token & Session Cookie Explained
Tired of frequent logouts disrupting your app experience? Learn the Firebase authentication flow (ID token, refresh token, session cookie) through an analogy
Once upon a time, in the heart of the serene countryside, there was a charming bnb hosted by a mysterious but friendly host named Alex. You decided to book a two-month stay to escape the city’s hustle and bustle and focus on writing your book. Upon your arrival, Alex greeted you warmly and handed you two crucial items:
- A Key Card
- A Physical Key
Day 1: Arrival
On the first day, the key card was all you needed to access your cozy room. It felt modern and convenient. You swiped the key card and entered your room.
Inside the room, you noticed a small, inconspicuous device mounted on the wall labeled
“Electricity Access Pass.”
Alex explained,
“To activate the electricity, you need to tap this device with your key card. This will grant you 14 days of uninterrupted power.”
Curious, you tapped the device with your key card. The device beeped, and the lights in your room flickered on. Your room was now powered up for 14 days, ensuring you had lights, heating, and charging capabilities throughout your stay.
After unpacking and ensuring everything was in order, you decided to explore the nearby attractions. You wandered through the picturesque surroundings, feeling secure knowing you could return with your key card.
That evening, you swiped the key card and entered without any issues. However, Alex had explained an important detail about the keys:
“Your key card works perfectly for the first 24 hours. After that, you’ll need to use the physical key first and then tap the key card to renew its validity for another 24 hours.”
Day 2: The Routine Begins
The next morning, you left to visit a local café. Before heading out, you used the key card to ensure it was still active, and it worked as it was still within the initial 24-hour period.
Returning from the café, you realized it had been over 24 hours since you first used the key card. The door didn’t open with just the key card. Remembering Alex’s instructions, you used the physical key first, then tapped the key card, renewing its validity for another 24 hours. Now, you could use the key card freely for the rest of the day.
Days 3 to 14: The Routine
Every day followed a similar pattern:
- Morning: You used the key card to leave for your daily adventures or writing sessions at the local library.
- Evening: If it had been more than 24 hours, you used the physical key first and then tapped the key card to renew its validity before entering your room.
This routine continued smoothly, ensuring you always had access to your room.
End of the First 14-Day Period
As the 14-day mark approached, you noticed the lights flickering again.
Alex reminded you,
“Your electricity access pass is about to expire. Remember, you need to tap the device with your active key card to renew it for another 14 days.”
You made sure to renew your key card’s validity using the physical key first. Then, with your active key card, you tapped the device, and the lights stabilized, ensuring uninterrupted power for the next 14 days.
Month 1: Settling into a Routine
The first month passed smoothly. You developed a routine:
- Daily: Renew your key card using the physical key and then tap the key card to extend its validity for another 24 hours.
- Biweekly: Renew your electricity access by tapping the device with your active key card every 14 days.
Your writing progressed well, thanks to the uninterrupted power and the serene environment.
Month 2: Focused Writing
As the second month began, you felt more settled and focused. The routine of renewing the key card daily and the electricity access every 14 days became second nature.
End of the Stay
As your two-month stay approached its end, you looked back at your time at the bnb with satisfaction. You had managed to make significant progress on your book, thanks to the stable and secure environment provided by Alex.
On your last day, you met Alex to return the keys. “Thank you for a wonderful stay,” you said. Alex smiled and replied, “I’m glad you had a productive time. Remember, if you ever need a quiet place to write, my door is always open.”
Understanding the Concepts through the Story
Firebase ID Token (Key Card):
The Key Card opens your room door directly, just as the Firebase ID token (Firebase's own name for it; it is a signed JWT) is what the client presents to prove who it is: the SDK attaches it to requests, and your backend or Firebase's own services verify its signature and claims before serving them. Like the Key Card's 24-hour validity, the ID token is short-lived: it expires one hour after it was issued. Once expired it is rejected, and the client must obtain a new one to keep working. The short life is a security feature, not an inconvenience: a leaked ID token stops working within the hour on its own.
Firebase Refresh Token (Physical Key):
The Physical Key represents the Firebase refresh token. Unlike the Key Card, it has no built-in expiry: it keeps working as long as the lock is unchanged. You use it to renew the Key Card for another 24 hours; likewise the client SDK sends the refresh token to Firebase's token endpoint to obtain a new ID token when the old one expires (the SDK does this for you when you call getIdToken, and getIdToken with forceRefresh set forces it).
Key Point: the refresh token never opens the door itself. In the story the Physical Key only re-arms the Key Card; it is still the Key Card you present at the door. The refresh token is not accepted by your backend or by Firebase services as proof of identity; its only job is to mint a fresh ID token, so users stay signed in without re-entering credentials. Because whoever holds it can mint ID tokens until it is revoked, treat it as a long-lived secret: leave it in the SDK's storage, never log it, and never send it to your own servers.
If the lock changes or the Physical Key is damaged, it becomes useless. The refresh token is likewise invalidated when the user is deleted or disabled, when a major account change is detected (such as a password or email change), or when your server calls the Admin SDK's revokeRefreshTokens for that user. In all those cases the next refresh fails and the user must sign in again.
Session Cookie (Electricity Access Device):
The Electricity Access Device represents the Firebase session cookie, which is meant for server-rendered apps where the server keeps the session rather than the client SDK. Tapping a valid Key Card grants 14 days of power; in Firebase, the client signs in, sends its ID token once to your server, and the server calls the Admin SDK's createSessionCookie with that ID token and a lifetime of your choosing (between 5 minutes and 14 days, the maximum). The resulting cookie is set on the browser as HttpOnly and Secure, and every later request is checked with verifySessionCookie, which validates the signature and expiry and, when asked, whether the user's tokens have been revoked. Electricity here stands in for whatever the server gates behind the session, such as your database. Two details differ from the story: the cookie is not topped up, so when it expires the user signs in again and a new one is minted; and Firebase recommends checking the ID token's auth_time claim so that only a recent sign-in, not merely a refreshed token, can mint a cookie, which limits what an attacker can do with a stolen ID token alone.
Summary of the Analogy:
- Key Card (Firebase ID Token): Proves identity on each request, but is valid for only one hour; it is replaced, not extended, when it expires.
- Physical Key (Firebase Refresh Token): Has no fixed expiry and is exchanged for new ID tokens. It grants no access on its own, and it stops working when the account is disabled or deleted, when credentials change, or when it is revoked server-side.
- Electricity Access Device (Session Cookie): Minted by your server from a valid, recent ID token and good for a chosen period of up to 14 days. It keeps a browser session alive without the client SDK; when it expires, the user signs in again to get a new one.
This is how Firebase's authentication pieces fit together: the ID token is what you present, the refresh token keeps a fresh ID token available without re-entering credentials, and the session cookie carries a longer-lived, server-managed session that is still anchored to a real sign-in and still checkable for revocation.
Scaling concepts to other service providers
The same split appears across identity providers. AWS Cognito, Auth0 and Okta all follow OAuth 2.0 and OpenID Connect, so they issue short-lived ID tokens (and access tokens, which are what you actually present to APIs; Firebase's ID token plays both roles), longer-lived refresh tokens that are exchanged for new ones, and keep a session of their own, typically as a cookie, so a returning user is not asked for credentials again. The names and lifetimes differ by provider (refresh tokens there usually do expire, and can be rotated on every use), but the design goal is the same: short-lived credentials to bound the damage from a leak, and a longer-lived, revocable credential to keep the experience smooth across web and mobile applications.