21

Say I generated an authentication token, and to save on processing and remote calls, I've set its expiration date some 30 days in the future.

Now I want to remove this account from my system, is there a way to revoke the authentication token I have given the client?

I don't think that's possible currently, and I can certainly work around that (by not having such high expiration times mostly), but I just wanted to make sure I didn't miss something in the docs.

TTimo
  • 1,276
  • 1
  • 13
  • 20
  • See also: https://groups.google.com/forum/#!searchin/firebase-talk/revoke/firebase-talk/Th0HZs_jBNc/QO8xjOOjoU4J – Kato Feb 04 '14 at 23:23

4 Answers

16

Firebase now offers the ability to revoke refresh tokens; it's quite fresh, added 04/01/2018. https://firebase.google.com/docs/auth/admin/manage-sessions#revoke_refresh_tokens

Alex Redwood
  • 198
  • 1
  • 7
  • 5
    This is a borderline [link-only answer](//meta.stackexchange.com/q/8231). You should expand your answer to include as much information here, and use the link only for reference. – Filnor Jan 05 '18 at 01:27
  • 1
    This is a very new feature and I believe most of us are reluctant to offer examples before we have fully implemented them ourselves. Here is my attempt: From here: https://firebase.google.com/docs/auth/admin/manage-sessions#revoke_refresh_tokens Edit: I will move this to its own answer. It seems I don't know how to put code blocks in comments. – Levi Feb 09 '18 at 16:51
7

You can't really revoke that specific token (outside of invalidating the secret that generated the token, but that will invalidate all other tokens issued by that secret too - probably not what you want).

You can, however, rely on some information that's specific to the token (perhaps you included a unique user ID as data in the token) and update your security rules to reject any operations that match that value.

Anant
  • 7,408
  • 1
  • 30
  • 30
  • 1
    this answer is outdated, plz consider updating it like below answer or removing it https://stackoverflow.com/a/48104953/846348 – OZZIE May 25 '21 at 12:46
5

Adding to @Alex Redwood's answer

This is the important part:

const admin = require('firebase-admin'); // the Admin SDK the snippet depends on

function revokeUserSessions(uid) {
  return admin.auth().revokeRefreshTokens(uid)
    .then(() => {
      // Get user's tokensValidAfterTime.
      return admin.auth().getUser(uid);
    });
}

The example in the documentation has all kinds of nuanced cases, like writing a timestamp to the database to prevent reads until the current token expires, very implementation-specific cases. The important part is you call revokeRefreshTokens(uid) on the correct uid, and verify the userRecord has modified the userRecord.tokensValidAfterTime value. This will not expire your active tokens. So it is valuable to have short expiry times to shorten the attack window (a better solution than a database rule that checks a timestamp, in my opinion).

From: https://firebase.google.com/docs/auth/admin/manage-sessions#revoke_refresh_tokens

Gary Kerr
  • 13,650
  • 4
  • 48
  • 51
Levi
  • 1,552
  • 1
  • 11
  • 10
  • 1
    How do you set expiry times? – thisismydesign Jan 20 '20 at 14:38
  • Firebase has an infinite window of time for its refresh tokens. "Refresh tokens expire only when one of the following occurs: The user is deleted The user is disabled A major account change is detected for the user. This includes events like password or email address updates." From: https://firebase.google.com/docs/auth/admin/manage-sessions#revoke_refresh_tokens So a developer would have to write their own logic to revoke all tokens for a user at a particular time. – Levi Jan 20 '20 at 19:27
  • You wrote "So it is valuable to have short expiry times to shorten the attack window". I thought you're talking about ID tokens though. As those expire once per hour, even if refresh tokens are revoked. – thisismydesign Jan 21 '20 at 11:11
  • I have not used firebase for one reason or another on (new) projects since 2018. My (dated) understanding is when you revoke the refresh token, firebase will not allow a user to refresh the jwt token, so having a short expiry time on the jwt (let's say 30 min) we limit the attack time of an exfiltrated jwt to the expiry time of the jwt. So it is valuable to set short expiry times, if you have a way to revoke refresh tokens on suspicious activity. (Continuing in new comment) – Levi Jan 21 '20 at 13:47
  • Exactly. :) So my question is, how do you set a shorter expiry time on the JWT? – thisismydesign Jan 21 '20 at 13:54
  • Firebase is in a much better place today than it was before 2018 as far as jwt security. Today, you can also disable the user, to invalidate their jwt session: https://firebase.google.com/docs/reference/android/com/google/firebase/auth/FirebaseUser.html#exceptions So to summarize: * Revoke refresh tokens * Disable account for lifetime of expiry value * Reenable account Any compromised jwts should be handled, without deleting your user. – Levi Jan 21 '20 at 13:55
  • 1
    Oh got it, sorry for not explaining that in more detail initially. My post is generally assuming your application is using a custom token which allows for more control over your application. @thisismydesign here is a link to the documentation for creating a custom token: https://firebase.google.com/docs/auth/admin/create-custom-tokens A custom token is pretty much a requirement to get fine grained control of application security in firebase (and even then, it's still restrictive). – Levi Jan 21 '20 at 13:56
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/206360/discussion-between-thisismydesign-and-levi). – thisismydesign Jan 21 '20 at 14:19
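Following Levi's point that revokeRefreshTokens does not expire live ID tokens, here is an added example (not from the answer or from the Firebase docs) of the server-side check that turns tokensValidAfterTime into an accept/reject decision. The claim and user-record shapes are assumed from the Admin SDK (verifyIdToken and getUser), and the sample token and user below are constructed.

```javascript
// Added example (not from the post or from Firebase): post-verification check
// for whether an ID token should still be honoured after revokeRefreshTokens(uid).
// Assumptions: `claims` is the decoded payload admin.auth().verifyIdToken()
// returns (auth_time and exp are seconds since the epoch) and `user` is the
// UserRecord from admin.auth().getUser(uid) (tokensValidAfterTime is a UTC
// date string; disabled is a boolean). Signature validity is verifyIdToken's
// job and is assumed to have passed before this function is called.
function evaluateIdToken(claims, user, nowSeconds = Math.floor(Date.now() / 1000)) {
  const remainingSeconds = Math.max(0, claims.exp - nowSeconds);
  if (remainingSeconds === 0) {
    return { status: 'expired', remainingSeconds };
  }
  // Disabling the account (Levi's comment) stops an otherwise valid ID token
  // from being honoured without deleting the user.
  if (user.disabled) {
    return { status: 'disabled', remainingSeconds };
  }
  // revokeRefreshTokens moves tokensValidAfterTime forward. An ID token whose
  // auth_time predates it came from a refresh token that no longer works, but
  // the ID token itself stays cryptographically valid until exp; this is the
  // check verifyIdToken(token, /* checkRevoked */ true) performs for you.
  if (user.tokensValidAfterTime) {
    const validAfter = Date.parse(user.tokensValidAfterTime) / 1000;
    if (Number.isNaN(validAfter)) {
      throw new Error('tokensValidAfterTime is not a parseable date');
    }
    if (claims.auth_time < validAfter) {
      return { status: 'revoked', remainingSeconds };
    }
  }
  return { status: 'ok', remainingSeconds };
}

// Constructed sample: a session authenticated at T0 with a one-hour ID token,
// and a user whose refresh tokens were revoked ten minutes later.
const T0 = Date.UTC(2018, 0, 4, 12, 0, 0) / 1000;
const sampleClaims = { sub: 'user-123', auth_time: T0, iat: T0, exp: T0 + 3600 };
const revokedUser = {
  uid: 'user-123',
  disabled: false,
  tokensValidAfterTime: new Date((T0 + 600) * 1000).toUTCString(),
};

// Fifteen minutes after T0 the leaked token is reported as revoked, yet it
// remains usable by any endpoint that skips this check for another 45 minutes:
// the attack window that shorter expiry times shrink.
console.log(evaluateIdToken(sampleClaims, revokedUser, T0 + 900));
```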
2

Use the CLI:

firebase logout --token <token>

https://firebaseopensource.com/projects/firebase/firebase-tools/#using_with%20ci%20systems

Chris
  • 6,805
  • 3
  • 35
  • 50