[FR] auth: Allow expiry to be specified in .createCustomToken

[rhodgkins]

Is your feature request related to a problem? Please describe.

It would be good if you could specify the duration of time you would like the login token to be valid for. For our use at least, the result of .createCustomToken is mostly used immediately after being provided to the client, so we'd like to have a very short expiry time.

Describe the solution you'd like

Update .createCustomToken or a new method .createCustomTokenWithOptions that takes an expiry.

Describe alternatives you've considered

Using the details from create custom tokens using a third-party JWT library, but this seems a bit redundant when the SDK is so close to providing what is needed.

[google-oss-bot]

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

[rhodgkins]

I realise this API change will probably need to go through the API council or something like firebase-tools does, but going to start a PR off for this anyway, going with the .createCustomTokenWithOptions for now...

[felansu]

+1 Good and needed idea

[hiranya911]

@bojeil-google this is really a product decision. WDYT? Should we expose an option to make the expiry time configurable?

[bojeil-google]

Ok, I checked with some folks. I think we can allow a range from [5min, 1hour] with 1 hour being the default.
1 hour is the maximum allowed on our backend token verifier. I suggest setting 5min as the lower limit to take into account clock skew issues, but in theory we can go down lower.

[hiranya911]

@bojeil-google do you want to start an API proposal or something for this?