In firebase authentication, is there a way to remove a custom claim?

Asked 9/1, 2018 at 19:35 Answered 30/11, 2020 at 21:51

Solved javascript firebase firebase-authentication firebase-admin

In order to set a custom claim, one uses:

admin.auth().setCustomUserClaims(uid,{claim:value});

There does exist

admin.auth().updateUser(uid,{claim:value});

...but I'm not exactly clear on how the two are different, and neither one seems to get at actually removing a previously applied custom claim.

Melitamelitopol answered 9/1, 2018 at 19:35 Comment(0)

From the documentation:

You can delete a user's custom claims by passing null for customClaims.

So this should delete the claim:

admin.auth().updateUser(uid, {claim: null});

As others have pointed out the API has changed and the current way to set custom claims from Node.js is:


getAuth()
  .setCustomUserClaims(uid, { admin: true })
  .then(() => {
    // The new custom claims will propagate to the user's ID token the
    // next time a new one is issued.
  });

Check the linked documentation for more code samples, that are also more likely to be up to date than anything I type here. :)

Robespierre answered 9/1, 2018 at 19:40 Comment(7)

That was fast! Jen Person was right, you're the king of firebase stackoverflowage. Thanks! – Melitamelitopol 9/1, 2018 at 19:52

You're welcome. In this case my work wasn't much more than opening the linked page about custom claims, search for remove (which gave no relevant hits) and then delete. – Robespierre 9/1, 2018 at 19:55

Using the latest admin SDK, I had to use admin.auth().setCustomUserClaims(user.uid, null); – Finsen 24/4, 2020 at 9:28

@FrankvanPuffelen what if just one of many claims need to be removed? full read and then write? – Stipend 26/6, 2020 at 3:34

Yup, there is no API to just send just the update, so read, modify in memory, write is the process. – Robespierre 26/6, 2020 at 4:27

@FrankvanPuffelen Your answer should be update to use setCustomUserClaims. – Alveraalverez 20/9, 2023 at 8:18

This doesn't seem to work for Admin SDK. javascript // This fails with `INVALID_CLAIMS` return { customClaims: null, } – Dichlorodifluoromethane 20/2 at 10:24

@FrankvanPuffelen's answer no doubt was the correct one at the time he answered it, however, as it stands today (Nov 30, 2020) the 2nd parameter of the updateUser method, called properties, is an UpdateRequest interface that has no claim property.

Setting custom claims has now been moved to the setCustomUserClaims method.

You set them by doing...

admin.auth().setCustomUserClaims(uid, { admin: true });

...and the only way you can remove one is by setting the whole object to null. There seems to be no way to selectively remove one claim if there are multiple.

admin.auth().setCustomUserClaims(uid, null);

Recurvate answered 30/11, 2020 at 21:51 Comment(0)

I don't think you can use updateUser for this, I think you still need to call

admin.auth().setCustomUserClaims(uid, {claim:null});

Tayler answered 26/1, 2020 at 1:23 Comment(2)

this sets claim attribute to null but doesn't seem to remove it – Stipend 26/6, 2020 at 3:35

@Stipend I think (though I only recently started using firebase) the old way was to use updateUser and the claim property appears to have been used to set custom claims, but that seems to have changed now and indeed, the new way is to use setCustomUserClaims, however, in latter case the claim property is not needed anymore, setting claim: null actually sets a custom claim called claim to have the value null instead. – Recurvate 30/11, 2020 at 21:36

Recommended topics

Hot tags