verifyIdToken method

Future<DecodedIdToken> verifyIdToken(
  1. String idToken, {
  2. bool checkRevoked = false,
})
inherited

Verifies a Firebase ID token (JWT). If the token is valid, the promise is fulfilled with the token's decoded claims; otherwise, the promise is rejected.

If checkRevoked is set to true, first verifies whether the corresponding user is disabled. If yes, an auth/user-disabled error is thrown. If no, verifies if the session corresponding to the ID token was revoked. If the corresponding user's session was invalidated, an auth/id-token-revoked error is thrown. If not specified the check is not applied.

See https://firebase.google.com/docs/auth/admin/verify-id-tokens for code samples and detailed documentation.

  • checkRevoked - Whether to check if the ID token was revoked. This requires an extra request to the Firebase Auth backend to check the tokensValidAfterTime time for the corresponding user. When not specified, this additional check is not applied.

Implementation

Future<DecodedIdToken> verifyIdToken(
  String idToken, {
  bool checkRevoked = false,
}) async {
  final isEmulator = app.isUsingEmulator;
  final decodedIdToken = await _idTokenVerifier.verifyJWT(
    idToken,
    isEmulator: isEmulator,
  );
  // Whether to check if the token was revoked.
  if (checkRevoked || isEmulator) {
    return _verifyDecodedJWTNotRevokedOrDisabled(
      decodedIdToken,
      AuthClientErrorCode.idTokenRevoked,
    );
  }
  return decodedIdToken;
}