I think that would defeat the purpose of the revocation check. Revocation checks are useful when you wish to immediately detect when a user’s refresh token has been revoked. But if you don’t want an immediate response, then you’re better off with a regular ID token verification. It will start failing within the hour when the ID token naturally expires.

Alternatively you can implement a solution that runs verify_id_token(id_token) most of the time, but runs verify_id_token(id_token, True) once in a while. For each token you will have to maintain a map of id_token -> last_check_time and decide which check to run at any given time.

Written by

Software engineer at Google. Enjoys working at the intersection of cloud, mobile and programming languages. Fan of all things tech and open source.
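A sketch of the mixed approach described in the reply above, as an added example that is not part of the original comment or the Firebase Admin SDK. The class name, the `interval` parameter, the injected `verify` callable and the choice to key the map on a SHA-256 digest of the token are all assumptions made for illustration; a revoked token can go unnoticed for up to `interval` seconds.

```python
import hashlib
import time


class PeriodicRevocationVerifier:
    """Runs the cheap check on most calls and the revocation check at most
    once per `interval` seconds for each distinct ID token (hypothetical helper)."""

    def __init__(self, verify, interval=300, clock=time.time):
        # `verify(id_token, check_revoked)` must return the decoded claims or
        # raise. With the Admin SDK this could be (assumption):
        #   lambda t, r: firebase_admin.auth.verify_id_token(t, check_revoked=r)
        self._verify = verify
        self._interval = interval
        self._clock = clock
        self._last_check = {}  # sha256(token) -> (last_check_time, token exp)

    def verify(self, id_token):
        now = self._clock()
        self._evict_expired(now)
        # Key on a digest so raw bearer tokens are not held in the map.
        key = hashlib.sha256(id_token.encode()).hexdigest()
        entry = self._last_check.get(key)
        due = entry is None or now - entry[0] >= self._interval
        try:
            claims = self._verify(id_token, due)
        except Exception:
            # Invalid, expired or revoked: forget it so a retry is re-checked.
            self._last_check.pop(key, None)
            raise
        if due:
            self._last_check[key] = (now, claims.get("exp", now + 3600))
        return claims

    def _evict_expired(self, now):
        # ID tokens expire within the hour, so entries past `exp` are dead weight.
        for key in [k for k, (_, exp) in self._last_check.items() if exp <= now]:
            del self._last_check[key]
```

The map lives in one process, so each server instance behind a load balancer keeps its own schedule and the first request it sees for a token always gets the revocation check.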
