FirebaseExtended / custom-auth-samples

Samples showcasing how to sign in to Firebase using additional Identity Providers
Apache License 2.0

Token Revocation #21

Closed gbenthomas closed 5 years ago

gbenthomas commented 5 years ago

Are there any standard implementations for revoking the Firebase token if the user no longer has access in the 3rd party authentication provider which was used to create the custom token?

We use an internal OAuth provider for authentication and would like to use Firebase along with it. However, I can't find any documentation on standard practice for revoking the Firebase token if the OAuth provider revokes access to the user. It looks like the client can indefinitely keep refreshing the Firebase token once they authenticate with the 3rd party provider just once.

samtstern commented 5 years ago

@gbenthomas this is a good question. Firebase tokens are JWT ID tokens and there is no way to remotely "revoke" them. They expire after an hour by default. And you're right, the client can keep getting a new token every hour as long as the refresh token is valid.

If you detect that the user's OAuth credentials are valid and you want to block them from getting another Firebase token, you can disable the user (call update and set disabled to true): https://firebase.google.com/docs/auth/admin/manage-users#update_a_user

Disabling is better than deleting here because the user will not simply be able to sign up again using the same email; they will be blocked from signing in / signing up / refreshing tokens until you re-enable the user.
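The procedure the answer describes (when the upstream OAuth provider drops a user, disable the matching Firebase account with `updateUser(uid, { disabled: true })` so it can no longer sign in or refresh tokens), written out as an added Node.js example. This is not code from the custom-auth-samples repo or from either commenter. It assumes that custom tokens were minted with a uid derived from the provider's subject id (the `firebaseUidFor` mapping is hypothetical) and that the provider reports revocations as a list of subject ids. Because the real `firebase-admin` SDK needs service-account credentials and network access, the `auth` object is injected: in production pass `admin.auth()`; here a small in-memory stand-in with the same `getUser`/`updateUser` shape lets the file run offline.

```javascript
// Added example: sync an upstream OAuth revocation into Firebase by disabling
// the user, as the issue answer recommends. Not from the repo or the thread.

// Assumption: custom tokens were minted with this uid scheme, e.g.
// admin.auth().createCustomToken(firebaseUidFor(subject)), so the provider's
// subject maps 1:1 to a Firebase uid. Adjust to your own minting scheme.
function firebaseUidFor(providerSubject) {
  return `oauth:${providerSubject}`; // hypothetical mapping
}

// Disable every Firebase user whose provider subject was revoked. Uses the
// Admin SDK shape auth.updateUser(uid, { disabled: true }). Unknown uids are
// collected rather than thrown so one stale entry does not abort the batch.
async function disableRevokedUsers(auth, revokedSubjects) {
  const disabled = [];
  const missing = [];
  for (const subject of revokedSubjects) {
    const uid = firebaseUidFor(subject);
    try {
      await auth.updateUser(uid, { disabled: true });
      disabled.push(uid);
    } catch (err) {
      if (err.code === 'auth/user-not-found') {
        missing.push(uid);
        continue;
      }
      throw err; // credential/network errors should surface
    }
  }
  return { disabled, missing };
}

// Guard at the point where your server would mint a new custom token: refuse
// for disabled users. Firebase itself rejects sign-in and refresh for disabled
// accounts, but failing early here means no token is handed out at all.
async function mayMintCustomToken(auth, providerSubject) {
  const user = await auth.getUser(firebaseUidFor(providerSubject));
  return !user.disabled;
}

// In-memory stand-in for admin.auth(), mirroring the two calls used above and
// the Admin SDK's 'auth/user-not-found' error code. Replace with the real
// admin.auth() in production.
function makeFakeAuth(users) {
  const store = new Map(users.map((u) => [u.uid, { ...u }]));
  const notFound = () =>
    Object.assign(new Error('user not found'), { code: 'auth/user-not-found' });
  return {
    async getUser(uid) {
      if (!store.has(uid)) throw notFound();
      return { ...store.get(uid) };
    },
    async updateUser(uid, props) {
      if (!store.has(uid)) throw notFound();
      Object.assign(store.get(uid), props);
      return { ...store.get(uid) };
    },
  };
}

// Constructed demo data: two known users and a revocation batch from the
// provider that names one of them plus a subject Firebase has never seen.
const demoAuth = makeFakeAuth([
  { uid: 'oauth:alice', email: 'alice@example.test', disabled: false },
  { uid: 'oauth:bob', email: 'bob@example.test', disabled: false },
]);
const constructedRevocationPayload = { revoked_subjects: ['alice', 'nobody'] };

disableRevokedUsers(demoAuth, constructedRevocationPayload.revoked_subjects)
  .then(async (result) => {
    console.log('disabled:', result.disabled, 'missing:', result.missing);
    console.log('alice may mint:', await mayMintCustomToken(demoAuth, 'alice'));
    console.log('bob may mint:', await mayMintCustomToken(demoAuth, 'bob'));
  })
  .catch((err) => {
    console.error(err);
    process.exitCode = 1;
  });
```

Note that disabling only blocks new sign-ins and refreshes; an ID token already issued stays valid until its one-hour expiry, so any backend that checks Firebase ID tokens should treat that window as the worst-case revocation latency.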