Background

Google is kicking people out of the Google Sign-In JavaScript library (platform.js) and pushing them to migrate to Sign In With Google via the Google Identity Services library (gsi/client). (Migration Guide)

Everyone must go through this migration by March 2023. The new flows are cool (e.g. One Tap) and should make life easier.

Problem

In the new flow, Authentication and Authorization are separated! If you just need basic scopes (e.g. email, basic profile), then Authentication should be enough.

With that, you get an ID Token (a JWT) that you can verify on server-side.

The problem is that revoking this token (as listed in Revocation Methods) can only be done either manually by the user in their own Google Account or on the client side. No server-side option is present.

The Case

  1. Our platform supports sign in with Google, Apple, and email/password.
  2. The same user uses Google Sign In on the web and Apple Sign In on their iPhone (same email address).
  3. Per the forces of Apple, since June 30, 2022, we should provide a delete account option.
  4. User signs in with Apple Sign In to our platform and requests deleting their account.
  5. We can (and must, again per Apple) revoke Sign In with Apple by calling Apple's server-to-server Revoke Tokens endpoint. But Google doesn't provide such an option for ID tokens. :(

Any idea how to solve this?

Aidin
1 Answer

Current alternatives

1) Use Authorization and store access_token and refresh_token

(Per Google Identity > OAuth 2.0 > Server-side Web Apps > Revoking a token) OAuth revoke takes an access token or refresh token.

The old gapi library of Google Sign In for Web was granting an access token on sign-in. The new one doesn't. So we have to explicitly ask for an access token via the Authorization flows, store it and the refresh token in the DB, and maintain them. That's overkill, but it works.

2) Do it on the client side and cover most, not all

It can be done on the client side when the delete-account request is sent to the server. However, it only covers users signed in with Google. This means the mentioned use case (signed in with Apple) wouldn't be covered. But, hey, it's a cheap and fast solution!

Aidin
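As an added example (not code from the question or the answer), this is how alternative 1's server-side revocation could be wired into an account-deletion flow: a Node helper that posts the stored access or refresh token to Google's documented OAuth 2.0 revocation endpoint and treats a 400 `invalid_token` as "already revoked", which is the outcome a deletion flow wants. It assumes Node 18+ for the global `fetch`; the token values in the test are constructed.

```javascript
// Added example, not part of the original post. Assumes Node 18+ (global fetch).
// Endpoint per Google Identity > OAuth 2.0 > Server-side Web Apps > Revoking a token.
const GOOGLE_REVOKE_URL = "https://oauth2.googleapis.com/revoke";

// Build the revocation request: POST, form-encoded body "token=<access or refresh token>".
function buildRevokeRequest(token) {
  if (typeof token !== "string" || token.length === 0) {
    throw new TypeError("a non-empty access or refresh token is required");
  }
  return {
    url: GOOGLE_REVOKE_URL,
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams({ token }).toString(),
  };
}

// Interpret the response: Google answers 200 on success and 400 with an error code
// otherwise. A 400 "invalid_token" means the token is already dead (expired, revoked
// by the user in their Google Account, or revoked client-side), which is acceptable
// when the goal is deleting the account. Anything else should be retried or alerted on.
function classifyRevokeResponse(status, bodyJson) {
  if (status === 200) return "revoked";
  if (status === 400 && bodyJson && bodyJson.error === "invalid_token") return "already_revoked";
  return "failed";
}

// Revoke a token stored for the user being deleted. `fetchImpl` is injectable so the
// logic can be exercised offline; in production the default global fetch is used.
async function revokeStoredGoogleToken(token, fetchImpl = fetch) {
  const req = buildRevokeRequest(token);
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
  let body = null;
  try {
    body = await res.json();
  } catch (_) {
    // A successful revocation may carry an empty body; status alone decides then.
  }
  return classifyRevokeResponse(res.status, body);
}
```

Run the revocation before the user's row (and the stored tokens) is deleted, and log a `failed` outcome so it can be retried; a deleted account with a live refresh token is the state this flow exists to avoid.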