Firebase: Revoking auth tokens with Admin SDK
When a user signs in to a Firebase app, Firebase issues an ID token and a refresh token to that user. The ID token grants the user access to various services such as the Realtime Database. It is therefore sent along with all the Firebase API calls made by the app on behalf of the user. The ID token can also be sent to custom backend services associated with the app, where it can be verified using the Firebase Admin SDK. To reduce the damage that can be caused by compromised ID tokens, they have a validity period of only one hour. After this, the app must obtain a new ID token from Firebase by presenting the refresh token issued earlier. Firebase client SDKs handle this flow under the hood.
But what if the refresh token itself gets compromised? This usually happens when a device with an authenticated app instance gets misplaced or stolen. Ideally, we need a way to revoke the refresh tokens of specific users as they report incidents with potential security implications.
Firebase Admin SDK can help with this requirement. You can use the new refresh token revocation API in the Admin SDK to implement administrative tools, serverless event handlers and web services that can revoke the refresh tokens issued to users. Listing 1 shows a Python (Flask) HTTP route that revokes the refresh tokens of a given user. The same API is now available in Node.js, Java and Go. This operation requires that the server on which it is executed has its clock synchronized.
Once a refresh token has been revoked this way, it cannot be used to obtain new ID tokens. Therefore in time users will be prompted to sign in again, and obtain a new pair of ID and refresh tokens. However, any ID tokens issued before the refresh tokens were revoked will remain valid until the ID tokens naturally expire in at most one hour. Listing 2 shows how to update your custom backend services to check if a given ID token was issued before the refresh tokens of the corresponding user were revoked.
The official documentation explains another solution where the above check is performed using Firebase security rules. This requires saving the token revocation time to the Firebase Realtime Database, and then modifying the security rules to compare the ID token issue times against the revocation times stored in the database. The token revocation time of a user can be obtained from the Admin SDK, by retrieving the UserRecord associated with that user.
There are other times when we might want to consider revoking the refresh tokens of a user. These include terminating (deleting) a user account, and changing a user’s password. However, in such scenarios Firebase automatically handles the token revocation. As an app developer you only need to consider performing a token revocation when there’s a clear and present security risk involving user authentication sessions.
Go through the Admin SDK documentation for more details and code samples related to this feature. Let me know if you have any questions or suggestions for further improving it. Happy coding with Firebase!