GoogleWebComponents/google-signin

Sign out doesn't sign the user out of Google apps


This seems to be an issue with "auth2", but this library is the best place I can find to bring up the issue.

If you go to the demo you have here: https://googlewebcomponents.github.io/google-signin/components/google-signin/ in an incognito window, sign in once, and then sign out. The next time you sign in, the pop-up will display briefly but log you in as whichever user you previously logged in as.

I believe this happens because when you sign in the first time, you're signed into any Google site you visit, but signing out seems to only sign the user out of the current window.gapi.auth2.getAuthInstance.

This is concerning because a user can log into your site and hit log out, but not realize that they need to log out of a Google app to actually have the session removed from the computer. It also causes an issue when trying to switch accounts.

Am I missing something? Is there a better place to bring this up?

I see your point. Sign-out should undo the effects of sign-in:

  • if you were signed in to Google before sign-in, sign-out revokes app access but keeps the Google sign-in
  • if you were not signed in to Google, sign-out signs out completely

This question is better answered by someone working on OAuth2.

@ebidel any suggestions on who can elaborate on what the right thing to do here is?

I've opened a discussion more about this internally. This is working as intended for now.

Trying to undo the effects of sign-in would be a pretty hairy situation, since the app is not always being used in isolation. Ex: you may start at abc.com and sign in there, but then continue on to use Gmail or Calendar. Then you sign out of abc and suddenly you have to re-login on Gmail? That can be a very bad experience for the users.

@Zoramite how do apps implement logout? Because even if I log the user out of my app, and the next time redirect him to Google for sign-in, Google doesn't show the sign-in page; instead it does an immediate redirect. As an effect, the user doesn't get to undo his consent when he logs out of the app. I would expect that after logout the user should see the permissions that the app is requesting at the time of the next login.

By default, Google Auth remembers granted permissions. This keeps the number of security prompts to a minimum. You can request that all permissions be revoked when signing out by calling disconnect.
See the Google Auth documentation for more information: https://developers.google.com/identity/sign-in/web/disconnect
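The distinction drawn in the thread, as an added example that is not code from the google-signin element, the thread's participants, or Google: a logout helper that chooses between `signOut()` (drop the app's gapi.auth2 session, keep grants) and `disconnect()` (also revoke the grants so consent is shown again), plus `signIn({ prompt: 'select_account' })` for the account-switching case raised in the first post. It assumes the gapi.auth2 client library's documented methods; the fake auth instance is constructed here so the logic can be exercised outside a browser and is not the real library.

```javascript
// Added example, not code from the google-signin element or from the thread.
// Assumes the gapi.auth2 client (https://developers.google.com/identity/sign-in/web/reference);
// the fake auth instance below is constructed so the logic can run outside a browser.

// The two ways to end a session that the thread distinguishes:
//  - signOut(): ends this app's gapi.auth2 session only. Google's own session and the
//    scopes already granted to the app are kept, so the next signIn() completes silently.
//  - disconnect(): additionally revokes the scopes granted to this app, so the next
//    signIn() shows the consent screen again. Google's own session is still untouched.
function logout(auth, { revokeGrants = false } = {}) {
  if (!auth.isSignedIn.get()) return Promise.resolve();
  return revokeGrants ? auth.disconnect() : auth.signOut();
}

// For "switch account": ask Google for the account chooser even though a session exists.
// 'select_account' is a documented value of SignInOptions.prompt (assumption: the app
// accepts an extra click on this path).
function signInAsDifferentUser(auth) {
  return auth.signIn({ prompt: 'select_account' });
}

// Constructed stand-in for gapi.auth2.getAuthInstance(), modelling the behaviour
// reported in the thread: signOut() clears the app session but keeps grants,
// disconnect() clears both, and signIn() on an existing Google session needs no prompt
// while grants remain. Not the real library. Methods mutate state synchronously and
// return resolved promises, mirroring the real methods' promise-returning signatures.
function makeFakeAuthInstance() {
  const state = { signedIn: true, grants: ['profile', 'email'], prompts: [] };
  return {
    isSignedIn: { get: () => state.signedIn },
    grantedScopes: () => state.grants.slice(),
    prompts: () => state.prompts.slice(),
    signOut() { state.signedIn = false; return Promise.resolve(); },
    disconnect() { state.signedIn = false; state.grants = []; return Promise.resolve(); },
    signIn(opts = {}) {
      // Consent is re-prompted only when nothing is granted; the chooser only when asked.
      const prompt = opts.prompt || (state.grants.length ? 'none' : 'consent');
      state.prompts.push(prompt);
      if (!state.grants.length) state.grants = ['profile', 'email'];
      state.signedIn = true;
      return Promise.resolve();
    },
  };
}

// Walks the scenario from the issue on the fake: plain signOut() then signIn() is silent;
// disconnect() then signIn() shows consent again; select_account forces the chooser.
function walkthrough() {
  const auth = makeFakeAuthInstance();
  logout(auth);                                   // app-level sign-out only
  const afterSignOut = { signedIn: auth.isSignedIn.get(), grants: auth.grantedScopes() };
  auth.signIn();                                  // silent: grants are still there
  logout(auth, { revokeGrants: true });           // revoke grants as well
  const afterDisconnect = { signedIn: auth.isSignedIn.get(), grants: auth.grantedScopes() };
  auth.signIn();                                  // consent screen again
  signInAsDifferentUser(auth);                    // account chooser
  return { afterSignOut, afterDisconnect, prompts: auth.prompts() };
}

// Real wiring, only when running in a page that has loaded gapi.auth2.
// Assumes a button with id "logout" exists on the page.
if (typeof gapi !== 'undefined' && gapi.auth2 && typeof document !== 'undefined') {
  const auth = gapi.auth2.getAuthInstance();
  document.getElementById('logout')
    .addEventListener('click', () => logout(auth, { revokeGrants: true }));
}
```

Whichever branch `logout` takes, the user's Google session in other tabs is unaffected, which is the point the maintainers make above; `disconnect()` only guarantees that this app's grants are gone and consent will be asked for again.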