0
  • I'm writing an app that uses the Google API to authenticate with a G+ account in our app.
  • Currently the customer wants logging out not only to revoke the access token for our application but also to log out from the Google Account used to authenticate.

The solution I've come up with was:

```javascript
/**
 * Signs the user out.
 */
HeaderCtrl.prototype.signOut = function() {

  // this part revokes token
  $http.jsonp('https://accounts.google.com/o/oauth2/revoke?token=' +
      accessToken, {
        params: {
          callback: 'JSON_CALLBACK',
          format: 'json'
        }
      }).success( /* Do stuff on success */);

  // this part logs out from google account
  $http.jsonp('https://accounts.google.com/logout');
};
```

The second call works but logs an error on response processing:

Refused to execute script from 'https://accounts.google.com/logout' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled.

What ways to log out from a Google account using AngularJS would you use?

Herring

2 Answers

2

You should not log out your users from Google, they certainly don't want it anyway. Thus, https://accounts.google.com/logout should never be reached.

What you actually want is to make them log out from your website. Revoking the token should be enough for Google authentication's side (your website won't assume the client is logged in from his old token).

Once the signOut method is called, just consider that he isn't logged in any more and end the session on your website.

ngasull
  • I would agree with that; unfortunately I could not convince the customer, who still wants to log out the user from the Google Account as well. – Herring Dec 03 '14 at 17:49
  • Maybe you can display a link to Google's logout page? Anyway you may not be able to dynamically log out of Google from your website because the logout page will have to be open in order to check cookies/local data. I think the solution is to explain to your customer that it would be a security breach if browsers allowed this cross-site request. – ngasull Dec 04 '14 at 14:30
  • I'm actually able to log out as I wrote in the post. It's just that I see the error message - that bothers me. – Herring Dec 05 '14 at 01:00
2

I think you are trying to do many things that are not related to a "normal logout" experience.

Maybe you should talk to your "customer" to clarify the user stories he/she wants.

A normal logout is one line of JS (source):

```javascript
gapi.auth.signOut();
```

If I'm not wrong, what you are doing first in your code (i.e. revoking the access token) is something that provides an option to remove the association between the account on your app and the Google account used for sign-in. As indicated on the link, you must provide this option to the user to follow the G+ developer policies, but it's not the same as signing out. Maybe you should try, as a user, these two features on a site providing a G+ sign-in, such as Stack Overflow. (Be sure to know your password before revoking the G+ association.)

And for the log out of Google, your app should not do it, and Google should not provide you a way to do it. (And I'd rather think that it's impossible.)

However, you can kindly remind your user, after log out, that he/she may need to log out from Google too. Try to log out from Stack Overflow and look at what happens.

dotpush
  • You're right about the access revoking working similarly to gapi.auth.signOut();, so I would probably switch to that as it looks neater. Unfortunately the customer insists on Google account sign out... – Herring Dec 03 '14 at 18:22
  • If you can talk to your customer, maybe you should try something like "Do you have an example of a public website that uses G+ sign-in the way you want?". Then after looking at the site either you find the way to do it or you tell your customer that the site doesn't do it and that it may be impossible. – dotpush Dec 03 '14 at 18:31
  • Update: looks like gapi.auth.signOut() does not revoke the access tokens. This is not what I'm looking for. – Herring Dec 03 '14 at 18:38
  • If you really want to revoke access token on logout, your "logout" feature will be a bit special... It's like telling "forget that this g+ account is associated to the app account and can be used to login into the app". – dotpush Dec 04 '14 at 18:08
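
The behaviour discussed in this thread, as an added example that is not code from any of the posts: why a JSONP (script) request to the logout page is refused, and a sign-out that revokes the token, ends the app's own session and offers the Google logout page only as a link. The helper names, the `session` object and the injected `jsonp` transport are hypothetical, and the sample headers are constructed from the error text in the question.

```javascript
// Added example; helper names are hypothetical, the two URLs are the ones in the question.
const REVOKE_URL = 'https://accounts.google.com/o/oauth2/revoke';
const GOOGLE_LOGOUT_URL = 'https://accounts.google.com/logout';

// JavaScript MIME types a browser accepts for a script when strict MIME
// type checking (X-Content-Type-Options: nosniff) is enabled.
const JS_MIME = new RegExp(
  '^(application|text)/(x-)?(javascript|ecmascript)$' +
  '|^text/(javascript1\\.[0-5]|jscript|livescript)$');

// True when a response loaded as a <script> (which is how JSONP works)
// would be refused under strict MIME type checking.
function scriptLoadBlocked(headers) {
  const nosniff =
    (headers['x-content-type-options'] || '').trim().toLowerCase() === 'nosniff';
  const mime =
    (headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  return nosniff && !JS_MIME.test(mime);
}

// Encode the token so characters such as '/' or '+' cannot alter the query.
function buildRevokeUrl(accessToken) {
  return REVOKE_URL + '?token=' + encodeURIComponent(accessToken);
}

// session: the app's own login state (assumed shape: accessToken, user).
// jsonp: injected transport, e.g. a thin wrapper around $http.jsonp.
function signOut(session, jsonp) {
  const token = session.accessToken;
  // End the local session first, so a failed revoke never leaves the
  // user signed in to the app.
  session.accessToken = null;
  session.user = null;
  const revokeRequest = token ? jsonp(buildRevokeUrl(token)) : null;
  // The Google logout page is HTML: offer it as a link the user can
  // follow, never as a script/JSONP request.
  return { revokeRequest, googleLogoutLink: GOOGLE_LOGOUT_URL };
}

// Constructed sample headers, modelled on the error text in the question.
const sampleLogoutHeaders = {
  'content-type': 'text/html; charset=utf-8',
  'x-content-type-options': 'nosniff'
};
console.log(scriptLoadBlocked(sampleLogoutHeaders)); // true
```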