3

I have created a web application that uses the Google+ Sign In API but have come across a problem with the automatic sign in behaviour.

I am not sure if I have implemented it correctly, here's the problem:

  • User signs into my application using their Google+ Sign In details.
  • Now they are signed into my app but also their Google account.
  • When they are finished, they sign out of my app, but remain signed into Google.
  • Now suppose a different user (using same machine/browser) visits my site, they are automatically signed in using the previous users details.

I understand that this is bad practice and want to avoid it by either a) signing the user out of their Google account when they leave my site or b) disabling the automatic behaviour of the Google+ Sign-In.

So how can I prevent this behaviour?

bluish
veritas1
    possible duplicate of [Preventing automatic sign-in when using Google+ Sign-In](http://stackoverflow.com/questions/15484533/preventing-automatic-sign-in-when-using-google-sign-in) – Ravindra Gullapalli Jan 01 '15 at 20:14

3 Answers

1

After a user has authorized your application, the Google+ Sign-In button automatically tells your application who they are. If the user wants to use your site with a different account, then they need to sign out of Google and sign in as a different user.

It sounds like you want the signed-in state between the user and your site to be different than the user's signed-in state with Google. In order to accomplish this you will need to manage your own session state. In other words, the button will always fire the JavaScript callback if the user has authorized your app. You, the developer, have the option of ignoring that information until the user has clicked the sign-in button. Some developers do this by attaching a click event handler to the button.

Chris Cartland
  • Thanks for your response. I don't really want to disable the automatic sign in (I don't have multiple social logins like Facebook and Twitter) so it's not a problem in that respect. I just felt that it could be a possible security issue if someone was using a public computer. But I guess it comes down to the individual to realize their Google signed-in state, and take precautions like unchecking the "stay signed in" box. – veritas1 Apr 16 '13 at 10:28
  • If you give someone access to your computer, you should sign out of Google. Giving someone access to your signed in browser is a security issue, not just for your app, but for the entire Google account. – Chris Cartland Apr 16 '13 at 15:08
  • @ChrisCartland I have pretty much the same question, but in the context of Google OAuth2 (not Sign-In) and I'm using python/flask to implement it. I'm a beginner and I'm unsure how to port your answer to my specific context. I'd highly appreciate it if you could take a look at my question here: https://stackoverflow.com/questions/47150564/how-to-log-user-out-of-an-app-that-uses-google-oauth2-sign-in – kranberry Nov 07 '17 at 05:30
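The approach in the answer above (keep your own session state and ignore the automatically fired callback until the user has actually clicked the button) can be written as a small gate object. This is an added example, not code from the original answer or from Google's library; the profile objects are constructed by hand to mimic the fields returned by googleUser.getBasicProfile() so the logic runs offline in Node, and the callback wiring to gapi is assumed to be done by the caller.

```javascript
// Added example: a "gate" that keeps the application's signed-in state
// separate from the browser's Google signed-in state. The Google sign-in
// button fires 'onsuccess' automatically for any browser that already
// authorized the app; the gate only turns that callback into an app session
// when the user explicitly clicked the button during this page load.

function createSignInGate() {
  let clickedSinceLoad = false; // set by the button's own click handler
  let session = null;           // the app's own session, independent of Google
  const log = [];               // audit trail of what the gate decided

  return {
    // Attach this to the sign-in button's click event
    // (e.g. document.getElementById('my-signin2').addEventListener('click', ...)).
    onButtonClick() {
      clickedSinceLoad = true;
    },

    // Attach this as the 'onsuccess' handler. Returns the new session,
    // or null when the automatic callback was ignored.
    onGoogleSuccess(profile) {
      if (!clickedSinceLoad) {
        log.push('ignored automatic sign-in for ' + profile.email);
        return null;
      }
      clickedSinceLoad = false; // one click authorizes exactly one sign-in
      session = { userId: profile.id, email: profile.email, startedAt: Date.now() };
      log.push('session started for ' + profile.email);
      return session;
    },

    // App-level sign out: clears only our session. Google's own session is
    // untouched, which is exactly why the gate above is needed for the next
    // visitor on a shared browser.
    signOutOfApp() {
      session = null;
      log.push('session cleared');
    },

    currentSession() {
      return session;
    },

    events() {
      return log.slice();
    },
  };
}

// Constructed sample profile (not a real account), shaped like the
// id/email pair getBasicProfile() exposes.
const SAMPLE_PROFILE = { id: '1001', email: 'alice@example.com' };

// Walks through the scenario from the question: page load fires the callback
// with no click (ignored), a real click signs in, the app signs out, and the
// next page load again fires the callback automatically (ignored).
function scenario() {
  const gate = createSignInGate();
  const auto = gate.onGoogleSuccess(SAMPLE_PROFILE);
  gate.onButtonClick();
  const explicit = gate.onGoogleSuccess(SAMPLE_PROFILE);
  gate.signOutOfApp();
  const nextVisitor = gate.onGoogleSuccess(SAMPLE_PROFILE);
  return { auto, explicit, nextVisitor, events: gate.events() };
}

console.log(JSON.stringify(scenario(), null, 2));
```

The click flag is reset after each successful sign-in so a later automatic callback (for example after the token refreshes or on the next page load) cannot reuse an old click; the app session lives only in the gate and is cleared by signOutOfApp(), which is the "manage your own session state" step the answer describes.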
0

Refer to the answer in the question below. It is very similar to your scenario.

Preventing automatic sign-in when using Google+ Sign-In

But even in that proposed solution the Google+ account will still be logged in. Another step you could take is to add a prompt asking the user to log out of the Google+ account, or you could call the Google+ logout API (I did not check if there is one) on behalf of the user.

mzafer
0

I had this issue as well. You need to sign out of the Gmail account as soon as you get the email id from Gmail auth:

<!-- container the button is rendered into; gapi.signin2.render() below targets this id -->
<div id="my-signin2"></div>
<script src="https://apis.google.com/js/platform.js?onload=renderButton" async defer></script>
<script>
function onSuccessG(googleUser) {
    var profile = googleUser.getBasicProfile();
    console.log('ID: ' + profile.getId()); // Do not send to your backend! Use an ID token instead.
    console.log('Name: ' + profile.getName());
    console.log('Image URL: ' + profile.getImageUrl());
    console.log('Email: ' + profile.getEmail());

    // now here write the code that logs the user into your own application

    signOut(); // call the sign out function, which signs the user out of their Google account
}

function onFailureG(error) {
    console.log(error);
}

function renderButton() {
    gapi.signin2.render('my-signin2', {
        'scope': 'https://www.googleapis.com/auth/plus.login',
        'width': 323,
        'height': 35,
        'longtitle': true,
        'theme': 'dark',
        'onsuccess': onSuccessG,
        'onfailure': onFailureG
    });
}

function signOut() {
    var auth2 = gapi.auth2.getAuthInstance();
    auth2.signOut().then(function () {
        console.log('User signed out.');
    });
}
</script>

Parker
Amin Kodaganur