[FR]: Admin SDK should have a way to generate a session cookie without an ID token, or SDK should have a way to generate ID tokens
Describe the solution you’d like
Currently, to generate a session cookie, an ID token is needed. This ID token can only be generated by the client SDK through a “sign in” method like signInWithEmailAndPassword or signInWithCustomToken, then this ID token can be sent over to a backend (ex: a cloud function) and there a session cookie is generated.
The problem is that we need frontend logic for this, which is quite cumbersome to do if I want to manage cookies server side and not leak any logic to the frontend (except calling a single endpoint with the user credentials), as well as not dealing with cross-site request forgery by using the sameSite cookie flag.
To do this, I would like a way to generate a session cookie without having an ID token, for example:
user.generateSessionCookie(sessionCookieOptions)
or
admin.auth().generateSessionCookie(uid/UserRecord/customToken, sessionCookieOptions)
Describe alternatives you’ve considered
One alternative that I’m going to have to take is to call the endpoint described in this link: https://firebase.google.com/docs/reference/rest/auth/#section-verify-custom-token. To exchange a custom token with an ID token and use this ID token to generate a session cookie that can last up to two weeks. Having to do this:
- get user (login with credentials/create new user);
- generate custom token;
- call endpoint to exchange for an ID token;
- generate session cookie with ID token;
- Use session cookie.
is quite messy, not to mention that it’s strange that we don’t have a good way to do this yet. I also thought about using the client SDK on the server side, but the login methods are rate limited and I think I’d hit that limit quickly if I call it from a single or a few dozen server instances.
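The five-step workaround listed in the issue, as an added example that is not part of the issue or of firebase-admin-node: the Admin SDK auth object and a fetch implementation are injected (with the real SDK you would pass admin.auth() and global fetch), the REST call goes to the "verify custom token" endpoint linked above, and the resulting session cookie is serialized with the SameSite flag the author wants. The cookie name __session and the API key value are assumptions.

```javascript
// Added example (not from the issue or the firebase-admin project): the
// server-side workaround uid -> custom token -> ID token (REST) -> session
// cookie -> Set-Cookie header. `auth` is an admin.auth()-like object and
// `fetchFn` a fetch-compatible function, both injected so the flow can be
// driven with fakes; `apiKey` is the project's Web API key (placeholder).
const EXCHANGE_URL =
  'https://identitytoolkit.googleapis.com/v1/accounts:signInWithCustomToken';

// Build the REST request that exchanges a custom token for an ID token
// (the "verify custom token" endpoint of the Identity Toolkit API).
function buildExchangeRequest(apiKey, customToken) {
  return {
    url: `${EXCHANGE_URL}?key=${encodeURIComponent(apiKey)}`,
    body: { token: customToken, returnSecureToken: true },
  };
}

// Serialize the session cookie with the flags that let it stand alone as the
// credential: HttpOnly (no script access), Secure (TLS only), SameSite=Strict
// (not sent on cross-site requests), Max-Age equal to the cookie's lifetime.
function buildCookieHeader(name, value, maxAgeMs) {
  const maxAge = Math.floor(maxAgeMs / 1000);
  return `${name}=${value}; Max-Age=${maxAge}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// Runs the whole exchange; `expiresIn` is in milliseconds (max 14 days).
async function mintSessionCookie({ auth, fetchFn, apiKey, uid, expiresIn }) {
  const customToken = await auth.createCustomToken(uid);
  const { url, body } = buildExchangeRequest(apiKey, customToken);
  const res = await fetchFn(url, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(body),
  });
  const data = await res.json();
  if (!res.ok || !data.idToken) {
    // Identity Toolkit reports failures as { error: { message } }.
    throw new Error(`custom token exchange failed: ${data.error?.message ?? res.status}`);
  }
  // Only now can the Admin SDK mint the cookie, since it requires an ID token.
  const sessionCookie = await auth.createSessionCookie(data.idToken, { expiresIn });
  return buildCookieHeader('__session', sessionCookie, expiresIn);
}
```

The returned string is what the login endpoint places in its Set-Cookie header; subsequent requests are then checked with verifySessionCookie and never touch the frontend auth flow.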
Issue Analytics
- Created 3 years ago
- Comments: 10 (3 by maintainers)
oh dang, it is hitting a named endpoint
https://github.com/firebase/firebase-admin-node/blob/d961c3f705a8259762a796ac4f4d6a6dd0992eb1/test/unit/auth/auth-api-request.spec.ts#L113
All endpoints used are standard REST APIs. More documentation available here.