Tags: java, android, firebase, firebase-authentication, google-signin

What does revoking/unlinking an auth provider in Firebase Authentication do?


I have added Firebase Auth to my Android app and enabled Google sign-in, as well as added options to link an account, unlink an account and revoke access to an account. But I have a few questions about how these features work with Firebase Auth.

  1. When I revoke account access, in the Firebase Auth page, Google is still there as an Auth provider. I can still log in to my app with the account that I have just revoked. So what exactly does Revoking Account Access do?

  2. When I unlink my Google account from Firebase Auth, Google is not there as the auth provider. However, I can still log in using the same Google account and have access to the same Firebase Auth account! Why does this happen even if the Google account is unlinked? Surely it should make a new account as it shouldn't have access to the old unlinked one? So what does Unlinking do if they can still log in using the unlinked Google account?

The only way I have found to make a new account in Firebase Auth using the same Google Sign in account is by deleting the old account. This is where my third question arises.

  3. If my user has logged in using their Google Account to sign in to their first account in my app, and they want to unlink their Google Account sign-in from their first account in order to create a second account and link the same Google Account sign-in to that second account. However, is this possible if the user doesn't want to delete their first account? Because this error happens: com.google.firebase.auth.FirebaseAuthUserCollisionException: This credential is already associated with a different user account. So is it possible to fully remove the credential from the first account without deleting it?

Code for unlinking (From: https://firebase.google.com/docs/auth/android/account-linking#unlink-an-auth-provider-from-a-user-account):

    // Unlink the Google provider from the currently signed-in Firebase user
    mAuth.getCurrentUser().unlink("google.com").addOnCompleteListener(new OnCompleteListener<AuthResult>() {
        @Override
        public void onComplete(@NonNull Task<AuthResult> task) {
            // Refresh the UI with the (still signed-in) user's updated provider list
            updateUI(mAuth.getCurrentUser());
        }
    });

Code for revoking (From line 171 of: https://github.com/firebase/quickstart-android/blob/e8743a69ae3e21b66414fe9890b0dffaac20ff1d/auth/app/src/main/java/com/google/firebase/quickstart/auth/java/GoogleSignInActivity.java):

    // Firebase sign out
    mAuth.signOut();

    // Google revoke access
    mGoogleSignInClient.revokeAccess().addOnCompleteListener(this,
            new OnCompleteListener<Void>() {
                @Override
                public void onComplete(@NonNull Task<Void> task) {
                    updateUI(null);
                }
            });

Solution

  1. Revoke account access means you are revoking refresh tokens, so the user will be signed out automatically. But the user can still log in again, and a new refresh token will be generated.

     When a user's ID token is to be verified, the additional checkRevoked boolean flag has to be passed to verifyIdToken. If the user's token is revoked, the user should be signed out on the client or asked to reauthenticate using reauthentication APIs provided by the Firebase Authentication client SDKs. (source)

  2. This is the intended behaviour; please check this closed GitHub issue.

  3. Firebase will warn you against this, but you should allow creation of multiple accounts with the same email address.
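Added example, not code from the question or the answer above: the server-side half of point 1 (revoking refresh tokens and then verifying an ID token with checkRevoked) using the Firebase Admin SDK for Java. It assumes the Admin SDK has already been initialised, and the uid and idToken values come from your own request handling.

```java
// Added example (not from the question or answer): server-side handling of the
// revoked-refresh-token flow described in the answer, with the Firebase Admin SDK.
// Assumes FirebaseApp.initializeApp(...) has already been called elsewhere.
import com.google.firebase.auth.AuthErrorCode;
import com.google.firebase.auth.FirebaseAuth;
import com.google.firebase.auth.FirebaseAuthException;
import com.google.firebase.auth.FirebaseToken;

public class TokenRevocationExample {

    /** Outcome of checking a client-supplied ID token. */
    public enum Verdict { VALID, REVOKED, INVALID }

    /**
     * Invalidate every refresh token for the user, e.g. after a password change
     * or a "sign out everywhere" request. Already-issued ID tokens remain
     * cryptographically valid until they expire, which is why the check in
     * checkToken() below has to ask for the revocation check explicitly.
     */
    public static void revokeAllSessions(String uid) throws FirebaseAuthException {
        FirebaseAuth.getInstance().revokeRefreshTokens(uid);
    }

    /**
     * Verify an ID token and additionally compare its issue time against the
     * user's tokensValidAfterTime (the checkRevoked flag the answer mentions).
     * With checkRevoked=false, a token minted before revocation would still pass.
     */
    public static Verdict checkToken(String idToken) {
        try {
            FirebaseToken decoded = FirebaseAuth.getInstance().verifyIdToken(idToken, true);
            System.out.println("Authenticated uid: " + decoded.getUid());
            return Verdict.VALID;
        } catch (FirebaseAuthException e) {
            if (e.getAuthErrorCode() == AuthErrorCode.REVOKED_ID_TOKEN) {
                // Token was issued before revokeRefreshTokens(): reject the request
                // and have the client sign out or reauthenticate, as the answer advises.
                return Verdict.REVOKED;
            }
            // Expired, malformed, or issued for a different project.
            return Verdict.INVALID;
        }
    }
}
```

The REVOKED verdict is the server-side signal that the client should sign out or reauthenticate; a plain verifyIdToken(idToken) call would not produce it.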