Respond to token revocation on the client


Mark Stuart

Mar 19, 2018, 11:57:41 PM
to Firebase Google Group
Hi, I am working with a Firebase authentication implementation on a production site. 

Looking at user management with the Admin SDK, I was reading the guides here: https://firebase.google.com/docs/auth/admin/manage-sessions#respond_to_token_revocation_on_the_client

The guide is very unclear on how the example function should be used, but appears to imply that the client-side firebase-js-sdk should receive an event when a logged-in user's refresh token is revoked using the Admin SDK. This does not appear to work in practice.

I am listening to events on the onIdTokenChanged emitter (https://firebase.google.com/docs/reference/js/firebase.auth.Auth#onIdTokenChanged), as it states that this emits refresh events, but I do not see anything happen when triggering the revocation from the Admin SDK for the user that is logged in to the site.

Any ideas on how this should be achieved?

Cheers,
Mark

Bassam

Mar 20, 2018, 5:29:10 PM
to Firebase Google Group
Hey Mark,
The event-triggering mechanism has to be built using something like Realtime Database/Firestore to trigger the event. This is if you require client-side real-time detection.

I think it should be clarified in the doc. Basically you would need to listen to Database changes on the metadata/$user_id node to detect the invalidation. Note this is the node you update when you revoke the token.

Otherwise, the token will naturally expire at the end of its 1 hour lifetime. Any request after that which requires an ID token would be rejected (that session will be unable to get a new ID token).

If you are including other Firebase services like Database/Firestore in your application, which proactively refresh the token on expiration, the onIdTokenChanged listener will trigger then (when these services try to refresh the token and fail, causing the user to sign out automatically).

Best regards,
Bassam

Mark Stuart

Mar 20, 2018, 8:03:59 PM
to Firebase Google Group
Ah... I did wonder if this was the case. There was some information on that same guide about detecting auth changes in the Realtime Database, but it didn't seem to be linked explicitly to the section on responding to auth token revocation.

Thanks so much for clarifying that Bassam, hopefully the docs will be improved around this feature.

Cheers,
Mark

Mark Stuart

Mar 20, 2018, 8:04:02 PM
to Firebase Google Group
In our application, we are really only using Firebase for login/logout and getting user information. If we were to revoke the token using the Admin SDK, we wouldn't normally be making any "request after that which requires an ID token" on the client side. Would one approach to this be to call user.reload() on a schedule to enforce that the user was legitimately still logged in? We would then see a null user come into the onIdTokenChanged listener, and log the user out.

Obviously long polling like this is not ideal, but I just want to validate that it should work in the short term.

Cheers,
Mark

Bassam

Mar 20, 2018, 8:43:22 PM
to Firebase Google Group
Polling is expensive and inefficient.
The recommended and least expensive approach (if you don't want to use Realtime Database) is basically to leave this to be detected when needed (when you need to make a request that requires authentication).
So you can either wait for the user to make a request that requires authentication (by passing the ID token). When you call getIdToken() it will refresh underneath and, if revocation is detected, automatically log out the user.
Another approach is to do it server side. This could allow you to detect it before the ID token is refreshed, using the Admin SDK by calling verifyIdToken(idToken, true), but only when a request is sent.
Worst case, you could proactively refresh the token (provided the app is in the foreground) whenever it expires (every hour), which would detect the invalidation in the process.

Bassam
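The Realtime Database pattern Bassam describes, written out as an added example that is not code from this thread or from the Firebase docs: the client watches metadata/<uid>/revokeTime, forces a refresh only when that time postdates the session's auth_time, and treats a failed refresh as a sign-out instead of polling user.reload() on a timer. The database and auth objects below are constructed in-memory stand-ins for firebase.database() and firebase.auth() so the flow runs offline; the revocation rule (auth_time < revokeTime) is the one the Admin SDK applies in verifyIdToken(idToken, true).

```javascript
// Read the unverified payload of a JWT-shaped ID token; the client only needs
// auth_time, and signature verification belongs on the server.
function decodeIdTokenPayload(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// A token is revoked when the sign-in that produced it predates revokeTime
// (the same comparison verifyIdToken(idToken, true) makes server side).
function isRevoked(authTimeSecs, revokeTimeSecs) {
  return revokeTimeSecs != null && authTimeSecs < revokeTimeSecs;
}

// Client handler: react to metadata changes, not to a schedule. A revoked
// refresh token makes getIdToken(true) fail; the real SDK then signs the user
// out itself, and the stand-in below does so explicitly to mirror that.
function watchRevocation(db, auth, onSignedOut) {
  const user = auth.currentUser;
  const authTime = decodeIdTokenPayload(user.idToken).auth_time;
  db.ref(`metadata/${user.uid}/revokeTime`).on('value', (snap) => {
    if (!isRevoked(authTime, snap.val())) return;
    user.getIdToken(true).catch((err) => auth.signOut().then(() => onSignedOut(err)));
  });
}

// Constructed stand-ins (assumptions, not Firebase APIs): a single-path database
// with 'value' listeners, and an auth object whose refresh fails once revoked.
function makeFakeBackend(authTimeSecs) {
  const payload = Buffer.from(JSON.stringify({ auth_time: authTimeSecs })).toString('base64url');
  const state = { revokeTime: null, signedOut: false, listeners: [] };
  const db = { ref: () => ({ on: (_ev, cb) => { state.listeners.push(cb); cb({ val: () => state.revokeTime }); } }) };
  const auth = {
    currentUser: {
      uid: 'uid-example', idToken: `h.${payload}.s`,
      getIdToken: () => isRevoked(authTimeSecs, state.revokeTime)
        ? Promise.reject(new Error('auth/user-token-expired')) : Promise.resolve('fresh-token'),
    },
    signOut: () => { state.signedOut = true; return Promise.resolve(); },
  };
  // The Admin SDK side: revokeRefreshTokens(uid), then write revokeTime to metadata.
  const revoke = (nowSecs) => { state.revokeTime = nowSecs; state.listeners.forEach((cb) => cb({ val: () => nowSecs })); };
  return { db, auth, state, revoke };
}

// Sign in at t=1000, revoke at t=2000, resolve with the client's final state.
function simulateRevocation() {
  const { db, auth, state, revoke } = makeFakeBackend(1000);
  return new Promise((resolve) => {
    watchRevocation(db, auth, () => resolve(state.signedOut ? 'signed-out' : 'still-signed-in'));
    revoke(2000);
  });
}
```

In a real app the write to metadata/<uid>/revokeTime is done by the Admin SDK right after revokeRefreshTokens(uid), and the client listener replaces the scheduled user.reload() idea from earlier in the thread.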