Invalidating OpenID session on Google Identity - google-identity

Users can log into my site using Google Identity, via the OpenID protocol. However, I'm not sure how to invalidate their session with Google Identity when they click log out. At the moment, I can invalidate their session cookies on my site, but if the user selects to log in with Google Identity again, it won't prompt them for credentials again, because they already logged in. Options I've tried to resolve this:
The end_session_endpoint from the Session Management spec, but Google Identity doesn't implement that.
The frontchannel_logout_uri from the FrontChannel Logout spec, but Google Identity doesn't implement that either.
The backchannel_logout_uri from the BackChannel Logout spec, but Google Identity doesn't implement that either.
Hitting https://www.google.com/accounts/Logout in an iframe when the user logs out, but this terminates their Google login everywhere, not just my site.
Is there a supported way of invalidating OpenID sessions for Google Identity?
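The question above describes the two halves of a relying-party logout: invalidating the local session, and making the next sign-in ask for credentials again without terminating the user's Google session everywhere. The following is an added example, not code from the original post: a minimal server-side session store that rotates the session cookie on login and logout, binds each authorization request to the browser with a state value, and, after an explicit logout, adds the OpenID Connect Core parameters prompt=login and max_age=0 to the next authorization request. The endpoint, client_id and redirect_uri are placeholders, and which prompt values a given provider honours must be checked against its documentation (Google documents select_account, which at least forces the account chooser).

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholders, not values from the page.
AUTHORIZATION_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
CLIENT_ID = "EXAMPLE-CLIENT-ID"
REDIRECT_URI = "https://rp.example/callback"


class SessionStore:
    """Server-side sessions keyed by an opaque cookie value.

    Logging out deletes the session and hands the browser a fresh cookie that
    carries only a force_reauth marker. The next authorization request built
    for that cookie adds prompt=login and max_age=0 (OIDC Core 3.1.2.1) so the
    provider re-prompts for credentials instead of silently reusing its own
    SSO cookie. Nothing here touches the user's provider-wide session.
    """

    def __init__(self):
        self._sessions = {}

    def _issue(self, data):
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = data
        return cookie

    def current_user(self, cookie):
        return self._sessions.get(cookie, {}).get("user")

    def begin_login(self, cookie=None):
        """Return (new_cookie, authorization_url).

        The cookie is rotated; state and nonce are stored so the callback can
        be bound to this browser (the nonce is for ID token validation, which
        is outside this example).
        """
        old = self._sessions.pop(cookie, {}) if cookie else {}
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        params = {
            "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI,
            "response_type": "code",
            "scope": "openid email",
            "state": state,
            "nonce": nonce,
        }
        if old.get("force_reauth"):
            params["prompt"] = "login"   # ask the provider to re-authenticate
            params["max_age"] = "0"      # any existing provider login is too old
        new_cookie = self._issue({
            "pending": {"state": state, "nonce": nonce},
            "force_reauth": bool(old.get("force_reauth", False)),
        })
        return new_cookie, AUTHORIZATION_ENDPOINT + "?" + urlencode(params)

    def complete_login(self, cookie, returned_state, sub, email):
        """Bind the callback to the pending request.

        The pending state is consumed on the first attempt, so a mismatched or
        replayed callback cannot be retried against the same session.
        """
        data = self._sessions.get(cookie)
        if not data or "pending" not in data:
            return False
        pending = data.pop("pending")
        if not secrets.compare_digest(pending["state"], returned_state):
            return False
        # Successful login clears the force_reauth marker.
        self._sessions[cookie] = {"user": {"sub": sub, "email": email}}
        return True

    def logout(self, cookie):
        """Invalidate the local session; the old cookie value is dead even if
        the browser replays it, and the new one only carries the marker."""
        self._sessions.pop(cookie, None)
        return self._issue({"force_reauth": True})


def request_params(url):
    """Flatten the query string of an authorization URL into a dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
```

The store deliberately never calls a provider logout URL: the user's Google session stays intact for other sites, and only the relying party's own sign-in is ended. Rotating the cookie on every transition also means a cookie captured before logout cannot be reused afterwards.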

Related

Login to Auth0 without a prompt

I need to log in to Auth0 without a login prompt on my intranet under certain circumstances.
I have a very particular use-case, where I have created a very special user in auth0 called "analytics" which has access to some of our analytics in Tableau.
I created it, so I know the login password and can create refresh tokens with unlimited life.
I had to create this user in auth0 and have it managed by auth0 because that's how our company accesses Tableau and I can't change this policy.
In another web application, which doesn't use Auth0 at all and has its own authentication methods, I need some users to have access to the resources that the "analytics" user can access. (There, too, there is no way to change this web application to use Auth0, because that's another company policy and I can't change it.)
To achieve this, I have no choice but to allow all logged in users of the web application to be also automatically logged in as "analytics" in auth0.
Since this is an intranet, it is perfectly ok to hardcode a refresh token or login password. Also there's nothing too confidential about the analytics in question.
I know how to use the refresh token to call an API, but I don't know how to use it to "log in" the user, i.e. so that his browser has the right cookie and auth0 knows that his browser is indeed him.
Is there any way to achieve this?
I don't understand very well the OAuth 2.0 protocol, hence my question.

OAuth2 using an external form to authenticate with a Google account

We have a system that is using its own authentication system and I need to make it use our Google Workspace accounts to integrate with Google SSO so that when the user gives their credentials to the webpage, it will be authenticated in both google account and on our web app account.
Google default workflow redirects the user to its own form, so we have the problem of the password not being passed to our server.
It crossed my mind that this would be too insecure to exist, but remember that all users that would log in to our website would have an account created in a workspace totally managed by us.
How could I authenticate the user this way?
Why not use "Sign-in with Google" -> OpenID Connect to access the website? That way it will authenticate with Google.
Or add the website as a custom SAML application in the Admin console, and use Google as the IDP since the users will be provided by your organization.

How to redirect user back to my app when doing Auth0/Google federated SSO logout?

Context:
I am implementing a Single-Page-Application using Auth0's implementation of OpenID Connect Single Sign-On with Google as my identity provider.
Browser is Chrome v59
auth0.logout() below refers to the auth0-js library which is included in my app as a dependency of the auth0-lock library. My webpack config is pinning auth0-lock to v10.18.0.
Problem:
When logging out, if the user doesn't want to be logged out of their Google sign-in session, I execute this code:
auth0js.logout({
  returnTo: "http://localhost:8080"
});
This works fine, logs the user out of their Auth0 sign-in session, redirects the browser to localhost and the Google sign-in is left intact (user can re-authenticate with my app using Google creds without having to enter login details).
If the user explicitly indicates they also want to be logged out of their Google sign-in session as well, I execute this code:
auth0js.logout({
  returnTo: "http://localhost:8080",
  federated: true
});
The "sign out" part of this works, the user will be logged out of both the Auth0 and Google sign-in sessions. But the browser ends up being redirected to the Google account page (where google will ask them for their credentials, since they were signed out of their Google session).
Question:
Can anyone provide an idea on how I can force the Google-logout flow redirect back to my app instead of the Google account page? Or is this something that Google is doing on purpose (i.e. there is no way to get Google federated sign-out to redirect to my app)?
Unfortunately, the returnTo URL available for some connection types is not available for Google social connections.

ASP.NET with custom authentication won't get email from Google OAuth

My ASP.NET MVC system doesn't use ASP.NET Identity, so I went with a full custom IPrincipal implementation. I have to use Google OAuth to authenticate on Google, then do my own business in my external login callback.
The problem is that, after the user enters their Google e-mail and password and logs in successfully, in my external login callback my application just won't get the user Claims from HttpContext.OwinContext().Authentication. Claims are empty and I only need the user's e-mail.
This is my Startup.Auth.cs
There's no e-mail after login.
Assuming there's no bug in Google's OAuth, what did I do wrong?
One more thing: sometimes (testing on other computers) the claims are returned to me with the user's mail and some other data. But when I try to log in with many different mails, they stop working too.
Below is my Google API config. I have enabled the Google+ API, but that doesn't seem to make a difference.
EDIT
Sometimes it works on Chrome's anonymous navigation.
Use the async/await method for Google API auth, as in the Google doc:
https://developers.google.com/api-client-library/dotnet/guide/aaa_oauth

Performing Google Federated Login/oAuth2 after initial Authentication

I am trying to support "Hybrid" Federated Login and OAuth2 (using logic from this document) for a webservice which will:
support Sign in using your Google account on my site. That is, from the documentation: You can also choose to use Google's authentication system as a way to outsource user authentication for your application. This can remove the need to create, maintain, and secure a username and password store.
Access the user's Google Analytics.
Here are the steps I have done.
I form my request to https://accounts.google.com/o/oauth2/auth with the scopes (Google Analytics) I want access to.
I get redirected to Google where it has my icon and which scopes I am requesting access to. I grant access.
I get redirected back to the callback page.
I get the tokens (access and refresh), as well as a huge id_token string (which I don't know) and store all of this information in my database.
I then make a call to https://www.googleapis.com/oauth2/v1/userinfo?access_token=xxxyyyzzz to get the user's email and name and store this information in my database too. I also notice it returns an id field which to my knowledge never changes and I presume is some sort of unique identifier. I store this too.
Question: If I go to the Authorized Access to your Google Account section in my Google account, it shows that my site has access to "Google Analytics". BUT, it does not say Sign in using your Google account. This is what I am trying to accomplish. I would have thought using the logic would enable Sign in using your Google account. What am I doing wrong? And what would be the applicable call to Google so that users can sign in to my site?
If your site has access to something like your Contacts or Analytics using OAuth, you'll never see "Sign in using your Google account". I'm pretty sure that's only if you use OpenID (not OAuth) only for sign-in.
Specifically, OAuth is used for giving you access to APIs to create/update/delete data, while OpenID is for signing in.
If you are asking how to identify user for future logins, you have two options:
Mix OAuth with OpenID, which is called Hybrid. I have described it in this answer.
Use userinfo scope and request userinfo (email, etc.) after successful OAuth authorization. It is described on Google OAuth 2 documentation.
If you mean automatically login to your web site in future visits you can use OpenID "immediate mode" (openid.mode parameter).
When the user is redirected back, you call the second request from your own (server-side?) code, and get their email address. When you successfully get it, that means that the user is logged on. You can add it to the session (e.g. as cookie), and as long as you have it, the user is logged on. You make the user log out by forgetting the email address, so by clearing the session/cookies.
Add this parameter to the https://accounts.google.com/o/oauth2/auth URL call: approval_prompt=force and then the Sign in using your Google account will always show regardless of whether the user was already signed into that or any other account.
So the call would be like this https://accounts.google.com/o/oauth2/auth?client_id=<client id>&redirect_uri=<uri>&scope=<scope>&access_type=<online or offline>&response_type=code&approval_prompt=force
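The steps in the question (callback, token storage, userinfo call, storing the never-changing id) and the answer's userinfo approach share the same server-side half. Here is that half as an added example, not code from the question or the answers: it checks the callback against the stored state before any code exchange, sends the access token in the Authorization header instead of the query string used in step 5 (request URLs tend to end up in proxy and server logs), and keys the local account on the provider's id rather than the e-mail address. The userinfo endpoint is the one named on the page; the redirect URI, tokens and userinfo responses are constructed, and the verified_email field name is an assumption. No network calls are made; the HTTP exchange is represented as a (url, headers) pair and a parsed response.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Endpoint named on the page; everything else below is constructed.
USERINFO_ENDPOINT = "https://www.googleapis.com/oauth2/v1/userinfo"


def parse_callback(callback_url, expected_state):
    """Return (code, None) on success or (None, reason) on failure.

    expected_state is the value stored server-side when the authorization
    request was built; a callback that does not carry it is not bound to this
    browser and must not be exchanged for tokens.
    """
    q = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    if "error" in q:
        return None, "provider error: " + q["error"]
    if q.get("state") != expected_state:
        return None, "state mismatch"
    if not q.get("code"):
        return None, "no authorization code"
    return q["code"], None


def userinfo_request(access_token):
    """Build the userinfo call with the token as a bearer header rather than
    as ?access_token=..., so it is not written to URL-level logs."""
    return USERINFO_ENDPOINT, {"Authorization": "Bearer " + access_token}


def link_account(accounts, userinfo_json):
    """Create or refresh the local account for a userinfo response.

    The account is keyed on the provider's id, which the question notes never
    changes; e-mail and name are mutable attributes, so a user who renames
    their address keeps the same local account. The e-mail verification flag
    is recorded so unverified addresses are never used for lookups.
    """
    info = json.loads(userinfo_json)
    provider_id = info.get("id")
    if not provider_id:
        raise ValueError("userinfo response has no stable id")
    record = accounts.setdefault(provider_id, {"provider_id": provider_id})
    record["email"] = info.get("email")
    record["email_verified"] = bool(info.get("verified_email", False))  # assumed field name
    record["name"] = info.get("name")
    return record


def find_by_email(accounts, email):
    """Look up by e-mail only among verified addresses; useful for linking a
    pre-existing local account, never as the primary key."""
    return [r for r in accounts.values()
            if r["email"] == email and r["email_verified"]]


# Constructed sample responses, not real data.
SAMPLE_USERINFO = json.dumps({
    "id": "constructed-id-0001", "email": "alice@example.test",
    "verified_email": True, "name": "Alice Example"})
SAMPLE_USERINFO_RENAMED = json.dumps({
    "id": "constructed-id-0001", "email": "alice.new@example.test",
    "verified_email": True, "name": "Alice Example"})
SAMPLE_USERINFO_UNVERIFIED = json.dumps({
    "id": "constructed-id-0002", "email": "alice@example.test",
    "verified_email": False, "name": "Someone Else"})
```

The third sample shows why the id, not the e-mail, must be the key: a second provider account claiming the same, unverified address gets its own local record and is not matched to Alice's. On the URL in the answer above, approval_prompt is Google's legacy parameter name; the OpenID Connect prompt parameter (for example prompt=consent) is the current form, so a new integration should use that and treat approval_prompt as deprecated.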