zino

Reputation: 1612

Sign out user via REST HTTP API

I can sign in users to Firebase using this HTTP API:

How do I sign out users, so that the Firebase idToken and refreshToken can no longer be used?

Also, how long is the refreshToken valid for?

If my user does not use my app for weeks, can I still use the refreshToken or will I need to get a fresh Google Sign In idToken and exchange it for a Firebase (idToken, refreshToken) pair via the /identitytoolkit/v3/relyingparty/verifyAssertion API?

Upvotes: 4

Views: 3251

Answers (2)

MandisaW

Reputation: 1021

The client cannot directly revoke the ID token via the REST API, but both the Firebase Auth client SDKs (e.g., Android) and the Auth Admin SDK do support it. So if your client platform isn't supported, but you are able to create a small server implementation (maybe through Firebase/Cloud Functions), you can create an HTTP endpoint that triggers ID token revocation.

Upvotes: 2
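
The server-side endpoint described in the answer above, as an added example that is not part of the original answer or of Firebase's own code. It assumes an Express-style `(req, res)` pair as used by HTTP Cloud Functions; `makeSignOutHandler` and `bearerToken` are hypothetical names, while `verifyIdToken` and `revokeRefreshTokens` are the Admin SDK Auth methods it calls.

```javascript
// Added example. Wiring in a deployed function (assumes firebase-admin is installed):
//   const admin = require('firebase-admin');
//   admin.initializeApp();
//   const signOut = makeSignOutHandler(admin.auth());

// Pull the ID token out of an "Authorization: Bearer <token>" header.
function bearerToken(headers) {
  const value = (headers && headers.authorization) || '';
  const match = /^Bearer ([A-Za-z0-9\-_.]+)$/.exec(value);
  return match ? match[1] : null;
}

// Build an Express-style (req, res) handler around an Admin SDK Auth instance.
function makeSignOutHandler(auth) {
  return async function signOut(req, res) {
    if (req.method !== 'POST') {
      return res.status(405).json({ error: 'method_not_allowed' });
    }
    const idToken = bearerToken(req.headers);
    if (!idToken) {
      return res.status(401).json({ error: 'missing_token' });
    }
    let uid;
    try {
      // checkRevoked=true: a token from an already-revoked session is rejected.
      ({ uid } = await auth.verifyIdToken(idToken, true));
    } catch (err) {
      return res.status(401).json({ error: 'invalid_token' });
    }
    // The uid comes from the verified token, never from the request body,
    // so a caller can only sign out their own account.
    await auth.revokeRefreshTokens(uid);
    // ID tokens issued before this point stay valid until they expire unless
    // the backend that consumes them also verifies with checkRevoked=true.
    return res.status(200).json({ revoked: uid });
  };
}
```

After a successful call the client should discard its stored idToken and refreshToken, since the refresh token can no longer be exchanged for new ID tokens.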

pinoyyid

Reputation: 22306

I don't believe there is a sign out endpoint. You could try doing a redirect to https://accounts.google.com/Logout but I suspect that is signing out from all Google services which might not be a great idea.

The whole point of Refresh Tokens is that they can be used to access resources whether or not the user is present and signed in, so your comment "How do I sign out users, so that the Firebase idToken and refreshToken can no longer be used" is an oxymoron.

A Refresh Token is theoretically valid until a user specifically revokes it, but your app should code for the possibility that Google has expired it.

Upvotes: 3
