Identity Toolkit (firebase auth) with OpenID connect provider and deleting users from provider


Kostya Ostrovsky

Jul 9, 2021, 5:41:27 AM7/9/21
to Firebase Google Group
Hi,
We are using Identity Platform to authenticate with Okta through an OpenID Connect provider.
The integration works fine; however, the session seems to stay active despite blocking/deleting the user at the Identity Platform.

We have a web application that uses `firebase/auth` to authenticate.
Once authentication is successful the auth.onAuthStateChanged is triggered and a valid user is presented.
The id_token is valid. 

Once the session is established, we then proceeded to delete the user from the Okta application which revokes their access to authenticate (subsequent logins will fail).

Despite that, each time I refresh the application (even at intervals of 1 hour, which is the TTL of the session) the id_token still remains active and Firebase Auth assumes the user still has access to the application.
At what point will it realize that the user no longer exists at the IDP? Does Firebase even bother to re-authenticate with the IDP once in a while? Is it possible to force re-authentication?

Code snippet:
```
// The callback must be async for `await` to be usable inside it.
auth.onAuthStateChanged(async (user) => {
  if (user) {
    try {
      // force token refresh! getIdToken(true) resolves to the new token string
      const idToken = await user.getIdToken(true);
      console.log("Logged in", idToken ? "(token refreshed)" : "");
    } catch (err) {
      // A failed refresh rejects the promise rather than returning a falsy token.
      // ====> I'm expecting this to happen if I deleted the user from IDP, but it never does
      console.log("Expired", err);
    }
  }
});
```

Sam Stern

Jul 9, 2021, 5:59:47 AM7/9/21
to fireba...@googlegroups.com
Hi Kostya,

Two things about Firebase Auth that are relevant here:
  1. We never check in with the IDP after the initial sign in. It's more of a one-time exchange than an ongoing connection. So any changes to the user's identity with the IDP made after the Firebase sign-in event will not be detected.
  2. Firebase sessions are based on an ID Token / Refresh Token pair. The ID token is valid for one hour and cannot be revoked. When you delete or disable a user their refresh token will be invalidated. So their session will continue for up to one hour based on their ID token, and then they will fail to get any more ID tokens and the session will expire.
- Sam

To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/d1226a0d-6472-4ba8-8e6e-3b916dee34e1n%40googlegroups.com.
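The two points above describe a one-hour window in which a deleted or disabled user's ID token still verifies. The following is an added example, not code from the thread or from the Firebase SDK, showing the server-side decision a practitioner would put behind sensitive requests to shorten that window. It takes the decoded ID token claims and the user record in the shapes returned by firebase-admin's `verifyIdToken()` and `getUser()` (`exp`, `iat`, `auth_time` in seconds since the epoch; `tokensValidAfterTime` as a UTC date string) and applies three checks: account state, refresh-token revocation (the same `auth_time` versus `tokensValidAfterTime` comparison `verifyIdToken(token, true)` makes), and an assumed maximum session age that forces the client back to the IdP on a schedule you control. All sample values, the uid and the provider id are constructed for this example.

```javascript
// Added example for this thread, not code from the Firebase SDK or the posters.
// Input shapes follow firebase-admin's verifyIdToken() and getUser() results;
// every value below is constructed for the example.

// Assumed policy for this example, not a Firebase default: force a fresh IdP
// sign-in once the session is older than this.
const MAX_SESSION_AGE_SECONDS = 15 * 60;

// Returns { ok: true } or { ok: false, reason }. `nowSeconds` is injected so
// the decision is deterministic; a real handler would pass Date.now() / 1000.
function checkSession(claims, user, nowSeconds, maxAgeSeconds = MAX_SESSION_AGE_SECONDS) {
  // 1. Token lifetime. A Firebase ID token is valid for one hour and cannot be
  //    revoked, so this check alone leaves a window of up to one hour.
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) {
    return { ok: false, reason: "id_token_expired" };
  }
  // 2. Account state. Deleting or disabling the user invalidates the refresh
  //    token, but an already issued ID token keeps verifying; look the user
  //    up on each sensitive request (or cache briefly) to close that gap.
  if (!user) return { ok: false, reason: "user_not_found" };
  if (user.disabled) return { ok: false, reason: "user_disabled" };
  // 3. Revocation. revokeRefreshTokens(uid) sets tokensValidAfterTime; a token
  //    whose auth_time predates it belongs to a revoked session. This is the
  //    comparison verifyIdToken(token, true) performs.
  if (user.tokensValidAfterTime) {
    const validAfter = Date.parse(user.tokensValidAfterTime) / 1000;
    if (claims.auth_time < validAfter) {
      return { ok: false, reason: "session_revoked" };
    }
  }
  // 4. Session age. auth_time is when the user last signed in through the IdP;
  //    capping its age forces the client back to Okta on a schedule you
  //    control, which is the only way a deletion at the IdP gets noticed.
  if (nowSeconds - claims.auth_time > maxAgeSeconds) {
    return { ok: false, reason: "reauth_required" };
  }
  return { ok: true };
}

// Constructed sample data (hypothetical uid and provider id).
const SIGN_IN = 1625830000; // auth_time, seconds since the epoch
const sampleClaims = {
  uid: "user-abc",
  auth_time: SIGN_IN,
  iat: SIGN_IN,
  exp: SIGN_IN + 3600,
  firebase: { sign_in_provider: "oidc.okta" },
};
const activeUser = { uid: "user-abc", disabled: false };
const disabledUser = { ...activeUser, disabled: true };
const revokedUser = {
  ...activeUser,
  // as if revokeRefreshTokens() ran 60 s after the sign-in
  tokensValidAfterTime: new Date((SIGN_IN + 60) * 1000).toUTCString(),
};

// Runs the scenarios discussed in the thread and returns the decision for each.
function runScenarios() {
  return {
    fresh: checkSession(sampleClaims, activeUser, SIGN_IN + 600),
    disabled: checkSession(sampleClaims, disabledUser, SIGN_IN + 600),
    deleted: checkSession(sampleClaims, null, SIGN_IN + 600),
    revoked: checkSession(sampleClaims, revokedUser, SIGN_IN + 600),
    stale: checkSession(sampleClaims, activeUser, SIGN_IN + 1200),
    expired: checkSession(sampleClaims, activeUser, SIGN_IN + 3700),
  };
}

console.log(runScenarios());
```

The user lookup in step 2 is what actually catches a deletion or disable inside the hour; steps 3 and 4 only cover revocations you perform in Firebase and the age of the IdP sign-in. Nothing here contacts Okta: a user removed only at the IdP is still caught no earlier than the session-age cap, when the client is sent back to sign in and the IdP refuses.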

Kostya Ostrovsky

Jul 10, 2021, 12:42:08 AM7/10/21
to Firebase Google Group
Thanks for the reply.

Regarding no. 1, that's too bad. Any plans to support it? I think it's an important aspect of a login system; otherwise I have to implement this logic myself. I would like the session to expire once the user has been deleted from the identity provider. Is that also true for SAML-based/social (Google, etc.) authentications?

Regarding no. 2, I'm guessing you refer to deleting the user from the Firebase users store.

- Kostya

Sam Stern

Jul 12, 2021, 6:56:32 AM7/12/21
to fireba...@googlegroups.com
Hi Kostya,

(1) No, there are no plans to change this behavior; it's been in place since about 2016. If this is a dealbreaker for you, you may want to consider other authentication systems.

(2) Yes, I mean when the user is disabled or deleted in Firebase Auth.

- Sam

Kostya Ostrovsky

Jul 13, 2021, 6:12:38 AM7/13/21
to Firebase Google Group
Just to clarify, is (1) true for SAML Providers too?

Sam Stern

Jul 13, 2021, 6:43:29 AM7/13/21
to fireba...@googlegroups.com
Yes, as far as I am aware this applies to all IDPs; however, I should say that SAML providers are a GCIP-only feature and not a core feature of Firebase Auth, so I am not as personally familiar with that part.

- Sam
