How to revoke an authentication token?

Say I generated an authentication token, and to save on processing and remote calls, I've set its expiration date some 30 days in the future.

Now I want to remove this account from my system, is there a way to revoke the authentication token I have given the client?

I don't think that's possible currently, and I can certainly work around that (by not having such high expiration times mostly), but I just wanted to make sure I didn't miss something in the docs.

TTimo asked Feb 04 '14 18:02


People also ask

Can we revoke access token?

Once issued, access tokens and ID tokens cannot be revoked in the same way as cookies with session IDs for server-side sessions. As a result, tokens should be issued for relatively short periods, and then refreshed periodically if the user remains active.

What does it mean to revoke a token?

A revoke token request causes the removal of the client permissions associated with the specified token used to access the user's protected resources. For more details on supported OAuth flows, see API Gateway OAuth 2.0 authentication flows.

How do you revoke a JWT token?

The most common way to revoke access to resources protected by a JWT involves setting its duration to a short period of time and revoking the refresh token so that the user can't generate a new token. This does not revoke the JWT per se; it does solve the root issue, which is to limit access.

How do you revoke a refresh token?

You can revoke a refresh token using the RevokeToken API operation. You can also use the aws cognito-idp revoke-token CLI command to revoke tokens. Finally, you can revoke tokens using the revocation endpoint. This endpoint is available after you add a domain to your user pool.


2 Answers

Firebase now offers the ability to revoke refresh tokens; it's quite fresh, added 04/01/2018. https://firebase.google.com/docs/auth/admin/manage-sessions#revoke_refresh_tokens

Alex Redwood answered Oct 29 '22 04:10


You can't really revoke that specific token (outside of invalidating the secret that generated the token, but that will invalidate all other tokens issued by that secret too - probably not what you want).

You can, however, rely on some information that's specific to the token (perhaps you included a unique user ID as data in the token) and update your security rules to reject any operations that match that value.

Anant answered Oct 29 '22 03:10