I am trying to sign out the account of a user in multiple devices in which it is active.
For this, in my backend, I am doing:
async function deleteAccount(userId) {
// Close all the current active sessions
await closeAllUserActiveSessions(userId);
return auth.deleteUser(userId);
}
async function closeAllUserActiveSessions(userId) {
await auth.revokeRefreshTokens(userId);
const userRecord = await auth.getUser(userId);
const timestamp = new Date(userRecord.tokensValidAfterTime).getTime() / 1000;
functions.logger.log(`Tokens revoked at: ${timestamp}`);
}
I supposed that, after calling auth.revokeRefreshTokens(userId)
the account would be automatically signed out on all devices, but that's not the case.
Is it possible to sign out all sessions? What's the use of auth.revokeRefreshTokens(userId)?
I am just trying to logout my user account (from all devices) when the user changes its password or deletes it account... Any ideas?
CodePudding user response:
The behavior you're seeing is as expected: ID tokens are bearer tokens and cannot be revoked once they are minted.
If you want existing ID tokens to be rejected after revoking the refresh token, you'll need to detect the revocation in each backend service that uses the ID tokens to establish the caller's identity.
There is no direct notification to the other clients when a user changes their password, so you'd have to send such a notification yourself.