
I am working on a SPA which relies on Google's sign in javascript library to authenticate users. A user filed a bug report that the app had leaked her Google email account when she demonstrated our product on a shared computer.

I've noticed that other websites suffer the same symptoms, so my example case will use medium.com.

To reproduce:

  1. Visit a public computer at your local library.
  2. Open Chrome
  3. Browse to mail.google.com and see that no user is logged in.
  4. Go to medium.com and log in with a Google account.
  5. Log out of medium.com
  6. Here is where log-in and log-out symmetry ends. You should be able to leave at this point.
  7. Visit mail.google.com again. See that you are automatically logged in.

It appears that authenticating with a 3rd party website also logs into Google's ecosystem, and then the account is left active after logging out of the 3rd party website.

Is there a method of authenticating a user via a Google account that does not include this side effect?

ctag
  • Wow! I can reproduce this while browsing in incognito mode. That's extremely concerning, actually. – S.V. Aug 25 '18 at 17:38
  • [Here](https://stackoverflow.com/a/12909563/2375907) is a pretty solid explanation of the situation, perhaps this interests you. – S.V. Aug 25 '18 at 17:46
  • If the "log out" button on your website also logged me out of google, I would be pretty upset… – Josh Lee Aug 27 '18 at 19:45
  • When using public computers, always browse chrome in guest mode or use incognito mode. More info here https://support.google.com/chrome/answer/6130773?hl=en-GB. This way, when you close chrome, you are logged out of google as well. – Rajeev Desai Sep 05 '18 at 05:32
  • Similar, if not the same issue on y-combinator: https://news.ycombinator.com/item?id=17942252 – ctag Sep 09 '18 at 05:28

1 Answer


The user is signing into Google and the website

When a user uses OAuth (via Google) it redirects them to Google's OAuth page with some data along the lines of...

Hey Google, this person called Foo Bar is claiming to be foobar@gmail.com. Is that right?

Then Google will either respond with "Yes" if you are logged in or with...

Hold on a sec mate, they're not logged in -- I'll give them a login screen to check for you

The user will then log into Google and NOT your site. If the login succeeds, Google will redirect the user back to your site with relevant information (like name, date of birth, email, etc.).

All done now mate! Foo Bar IS foobar@gmail.com! Here are his details: [insert user info here]

The user has now logged into Google AND your app.

When the user signs out of your app, they stay signed into Google which produces the result you are talking about. There are ways to automatically sign out of Google (which are detailed in the link below) but I would definitely not recommend them as the user may have Gmail open in another tab and you'd most likely disrupt their workflow. You might even worry them. (I would if I was logged out of Google for no reason!)


Source

  • Thank you for the explanation. I agree that logging a user out of their entire Google account is the wrong solution, so I have updated the question to focus on not creating the unexpected log-in to begin with. – ctag Aug 27 '18 at 19:35