GoogleSignIn-iOS

iOS - Google Sign in - Revoked IDToken remains active until the token expires

Open KristofGPST opened this issue 7 months ago • 1 comments

I'm using the GoogleSignIn (7.1.0) framework in my iOS application and I can see that the token seems valid until the expiration date is reached. I use the accepted approach of calling hasPreviousSignIn and then restorePreviousSignIn, but the received user object still contains the user's data. I have tried Apple and Facebook login, but both of them revoked the access as soon as the application permission was revoked; only Google keeps sending it.

The code snippet I used:

```swift
import GoogleSignIn

if GIDSignIn.sharedInstance.hasPreviousSignIn() {
    GIDSignIn.sharedInstance.restorePreviousSignIn { user, error in
        // Handle the restored user or the error here.
    }
}
```

I have also tried calling https://oauth2.googleapis.com/tokeninfo?id_token=(idToken), which responded 200 15 minutes after the permission was revoked, so it looks like the token is fully valid until the expiration date.

It's important for us that the user can still access his account for some time and will be deleted in about 2 hours after the token creation, which is super annoying. I have attached a screenshot of the GIDGoogleUser, which contains all the data; it was taken about 5 minutes after the permission was revoked.


KristofGPST avatar Jun 11 '25 08:06 KristofGPST

Hey! Thanks for catching this, I was able to recreate it on my end. I'll bring this up to my team to clarify the expected flow and determine next steps from there.

Feel free to submit a PR as we might not be able to get to it immediately.

brnnmrls avatar Jul 16 '25 17:07 brnnmrls