Firebase Admin API needed for user management and token revocation


Trout

Aug 26, 2016, 11:13:03 AM
to Firebase Google Group
Hi,
I see many posts asking for a programmatic user management API, so consider this another +1. I hope it's coming soon, as we start to push out our first Firebase app and would really benefit from this. Most importantly, we need to be able to revoke people's access to Firebase programmatically.

We're currently using Auth0 as our authentication provider and performing a delegation request to get a Firebase token. All works great; however, we have a process in which certain devices manage authentication with Auth0 using a refresh token so the user never has to log in again (https://auth0.com/docs/refresh-token). This works great, but from a security standpoint you also need to be able to revoke these tokens in case they get compromised. For this case Auth0 provides a mechanism for doing that via their management API (https://auth0.com/docs/api/management/v2#!/Device_Credentials/delete_device_credentials_by_id). This also works great; however, we discovered during this process that revoking an Auth0 refresh token does not also invalidate your access to Firebase.

This is because Firebase has its own JWT from the Google Identity Toolkit that it manages under the hood, and it appears to have its own expiration of 60 minutes for its ID token. We found that a Google Identity refresh token is also available under the hood and is used to auto-refresh the ID token for Firebase during these 60-minute windows. It appears that changing the token expiration time for the Auth0 --> Firebase delegation token has no effect on the token that Firebase ends up using from the Identity Toolkit. We did some research but have not found a way we can programmatically revoke someone's Firebase token; this seems to be a concerning security hole.

Any recommendation on how we should be handling this?  

Any update on an admin API and will this admin API allow revoking someone's firebase token that will force them to login again?  

Regards,
Mark

Kato Richardson

Aug 26, 2016, 2:07:57 PM
to Firebase Google Group
Hi Mark,

Can you provide the X part of the XY problem? What's the use case we're trying to resolve here where users need to be kicked out instantly even when they have valid authentication?

If it's database access, you can invalidate that at any time by writing a value to the database, without worrying about when the auth token will expire:

".read":  "auth.uid === <some uid to match> && root.child('access_allowed/' + auth.uid).val() === true"

If it's storage, you can use security rules in the same manner. If it's a server-side script, you can still use the database approach (have them write to the database and read that on your server rather than a REST API, or look up the database setting before granting any privs).

☼, Kato

--

Kato Richardson | Developer Programs Eng | kato...@google.com | 775-235-8398

Jacob Wenger

Aug 31, 2016, 2:41:52 PM
to fireba...@googlegroups.com
Just to tack on to Kato's response, I wanted to speak to your question about a programmatic way to revoke someone's session.

First, a quick TL;DR on how the Firebase client auth tokens work. There are two types of tokens on the client: ID tokens and a refresh token. ID tokens are short-lived (one hour) tokens which are used to communicate with services such as the Realtime Database and Storage. The refresh token is a long-lived token used to exchange one ID token for a fresh ID token every hour. To invalidate a user's session, you need to revoke the long-lived refresh token. Even after the refresh token is revoked, the current ID tokens are still valid until their expiration time since they cannot be revoked. However, since the ID tokens are short-lived, all sessions will be truly killed after at most one hour of revoking a refresh token as the refresh token will no longer be able to exchange for a fresh ID token.

There is no externally exposed API for revoking refresh tokens at present. Internally, our backend will revoke refresh tokens (and therefore log out all clients) when a user is deleted or their email or password is changed. We plan to provide some form of admin API for revoking refresh tokens at some point in the future, but there are a few things blocking that and I would not expect it for a while.

Hopefully that gives you some idea of how things work and what is and isn't possible with our existing APIs. If I didn't explain things well enough, let me know and I'll try to give it another pass.

Cheers,
Jacob

Ryan Mills

Aug 31, 2016, 8:52:28 PM
to Firebase Google Group
Hi Jacob,

Thanks for the detail here. Can I confirm this also applies to custom minted tokens? Do they expire after 1 hour too?

Ryan

Jacob Wenger

Sep 1, 2016, 1:33:30 AM
to fireba...@googlegroups.com
Yes, custom tokens also have a maximum of one hour expiration time (or less, if you choose to use a lower expiration time). However, it's important to note that when you sign in a client with a custom token via signInWithCustomToken(), that client will be authenticated indefinitely even though the original custom token expires after an hour. This is because we use the custom token to get a refresh / ID token pair and refresh the ID tokens under the hood on your behalf every hour. The custom token is just needed to bootstrap this process.

Cheers,
Jacob
