We are using google oauth2 permitting users to use their existing google accounts to log in to our system.
After being authenticated what is the proper way to manage active user session in our app for ex.
Let's suppose the user has logged in to our system with google account A. Then user logs out/changes google account to account B but not within our app but rather from its gmail. Should we also log him out him from our app???
(which seems to me bizarre and impossible as soon as there should be google API to check that the given user at the given time is logged in to google services).
The only way which seems to me reasonable is to invalidate user session after given timeout and only then we could make user re-pass oauth2 authorization flow.
Thanks in advance for your help.
The access_token or id_token your acquire from the Google OAuth2 Login flow is not coupled with the login sessions in the various Google apps (gmail, plus, ....).
There's no way for your app to know that the the user logged out of his gmail. Your app shouldn't care.
If your web app makes it clear to the user what account has been used to login initially (by displaying a username/picture or other info retrieved from the Google User Info call you should be ok.
Most users will not try to link your web application session with a gmail session for example.
Related
TLDR: I've been struggling with the new Sign in with Google functionality and especially the part how I can let the user stay signed in. What I understand from the docs is that Google only tells "this is a user who would like to sign in" but basically I would still need to create my own backend to track that user.
Note this question is about the new Sign in with Google functionality, all the guides/questions I can seem to find are about legacy sign-in and this is quite well described here:
https://developers.google.com/identity/sign-in/web/server-side-flow
What confuses me most is basically already stated in the beginning of the guide:
https://developers.google.com/identity/gsi/web/guides/overview?hl=en#user_sign-in_to_your_site
You'll manage per user session state for sign-in to your site.
User sign-in status to their Google Account and your app are independent of each other, except during the sign-in moment itself when you know that the user has successfully authenticated and is signed into their Google Account. Users may remain signed-in, sign-out, or switch to a different Google Account while maintaining an active, signed-in session on your website.
I understand the basic principle behind OAuth and the part where you have to exchange the authorization code for an access token and you can verify this access token (which is perfectly described in the legacy guide), but this is now only required for OAuth2 in order to access personal data. If I understand correctly this access token can be used as an identifier for a specific session (as alternative to a password or session cookie).
With the new sign in policy you will only get a JWT which identifies the user. Also apparently the only way to get a JWT is as a response when the user clicks the Sign in with Google button and selects the account in the consent screen (which ideally should only occur once).
What I actually want to achieve is that when a user enters the site I want to send a request "Hey Google this user is visiting my site, do you recognize this session and is it still valid".
Maybe I'm thinking way too difficult, but what I just don't understand is how can the new Google Login actually help me remember and validate users?
After some more digging around I found a lead on this page: https://developers.google.com/identity/gsi/web/guides/migration#object_migration_reference_for_user_sign-in
Basically what I am looking for was provided by the depreciated GoogleAuth.isSignedIn.get() function, but the notes clearly show:
Remove. A user's current sign-in status on Google is unavailable. Users must be signed-in to Google for consent and sign-in moments.
Combined with the prior statement:
You'll manage per user session state for sign-in to your site.
To validate the assumption I did some testing with other web services where I logged in using Google, revoked the log-in access for that website from the Google console and when revisiting that website I was still logged in to the website.
My conclusion:
Google login only verifies the initial login
Google basically responds with "Yes this is a valid user"
I have to keep track of the user session using cookies/databases myself
I have a google login in my app when I try to click on sign in with google I do not see the permission it needs to access
My app uses users contacts and so I have added it to scope in consent screen settings but it do not show any permission. Can someone help me if there is anything else that needs to be configured as I need to verify my app from google
I want permission to display like this(sample image)
Scopes that I am using
this is the api
Lets use the Google Oauth Playground to test a little.
test 1 requesting authorization to Oauth2 scopes.
I am going to select Google contacts really there is not much point in selecting this one using google People api is a much better choice.
And everything under Google People API
This is the consent screen shown me
test two authenticating with open id connect
I am going to only request
Now profile and email are special they are related to Open Id connect, which is out side of the Oauth2 because of that i was not actually shown a consent screen. Because i am Authenticating to Google that this is me logging in.
I am not Authorizing any Oauth2 scopes because none were really requested. Now this make confuse you because by requesting profile you are automatically given access to the users profile data which means that you can access the Google people api and do people/me and get the information about the person.
conclusion
Only Oauth2 scopes appear to the user requesting access. not open id scopes.
After user being logged in with Google OAuth - is it possible to check if later user get logged out from Google?
Scenario:
User logged in in Google
User logged in on mysite.com using Google OAuth, and login state stored in session for 1 year.
User logged out from Google, but forgot to log out from mysite.com
After one week someone stoled user's laptop. Thief won't be able to use Google but will be able to re-use logged in user session on mysite.com
I wonder what are the ways to prevent such situation?
I don't want to put this burden on user - log out him from mysite.com and ask to log in again every day.
Would like instead use something automatic like:
When you logged in with Google OAuth you get some sort of ID
Every day you validate that that original session is still active, by calling something like
google.com/api/is-original-session-still-active?id=ID
Note: I suspect that you have your terminology incorrect i suspect you are using Openid connect and not OAuth2 to sign-in your users. However i will answer this question based upon Oauth2 as that's what you say you are using.
Oauth2
Oauth2 is used to grant an application access to a users data. When using an oauth2 token you are acting on behalf of the user. There is in fact no user interaction when using Oauth2 tokens.
If a user consents to your application accessing their data you will get an access token and a refresh token. Access tokens are good for an hour. Refresh tokens are long lived and will give you access to a users data for as long as the user doesnt remove your consent and that you use it at least every six months.
As Oauth2 is without user interaction there is no way to use it to see if a user is logged into their account. There is actually no Google api that would give you this information. This would IMO be considered privet user information and not something that google should be sharing with third party applications.
Suggestions
You may want to consider some changes to your application.
implement logout everywhere. If the user changes their password then all of the devices they have logged in should automatically need to be re-authenticated.
Your sessions should be good for only a week or two and you should enable sliding.
Tell your users to remove the consent of your application to their data this will also force them to have to relogin.
Specifically to know about user account security events that could impact users of your app if your app is using Sign In With Google, consider registering your app to receive events for Cross Account Protection.
I am trying to achieve the following:
an authenticated user uploads a video on my web application
my web app stores the video, logs it in our database etc. then connects to a Google account and makes a request to upload the video to a Youtube channel within that google account
I've created the Google account, enabled the youtube API, configured OAuth 2.0 access etc, but I'm not sure that any of the documented workflows meet my requirements. (For example I don't want any user interaction as part of the authentication process).
It looks like a Service Account ( https://developers.google.com/accounts/docs/OAuth2ServiceAccount ) is what I need, however these accounts dont appear to support all Google APIs, or at least not youtube.
Does anyone have any advice / has anyone implemented something similar?
When you say ... "For example I don't want any user interaction as part of the authentication process", how will that work.
The user might not be logged in to Google, or might be logged in to multiple accounts so will have to choose which account to use for your app. So the potential for user interaction is unavoidable.
Once the user has authorised your app, logged on to your app (ie. accessed it and you've stored his user id in the session), then future accesses will be devoid of user interaction; at least until he logs off.
The difference between service accounts and user accounts is not the auth flow. The difference is that with a user account, the API access is by the user via your app (so the video will be "owned" by the user. With a service account, your app IS the user (so the video will be owned by you).
I'm not saying that Service Account is wrong for you, just that your reason for going that way is not quite right.
I have visited many sites where i log in using my google account using oAuth but i have never come into a site and have it automatically log me in into my google account.
Some sites will auto log in to their systems account but never googles oAuth login.
is this possible?
also would this be possible with the twitter or facebook authentications?
I've been reading that it can be done using Cookies.
Just set a cookie with some parameters (eg the google ID and emailadres) and when a visitor returns you can read and use those values to log them in, not even redirecting them to Google.
However I'm not recommending this because of a potential security hazzard!