2

I've implemented Google OAuth2 on my PHP website, and login works fine. But after logging out, users no longer need to enter the password for their Google account; they can just click their Google account on the list that comes up, and they're back in. Isn't that a security risk?

This is a basic PHP 7.4 setup with google-api-php-client version 2.2.2.

I log out users with

unset($_SESSION["access_token"]); // drop the stored token from my session
$gClient->revokeToken();          // ask Google to revoke the token it issued to the app
session_destroy();                // end the PHP session on my site

since I store the access token in a session variable.

I would expect the login process - enter Google account name - next - enter password - next - to be the same whether you log in for the first time or for subsequent logins. But you're not prompted for a password after the first time.

I tried including a hidden iframe containing the Google logout page, like so:

<iframe id="logoutframe" src="https://accounts.google.com/logout" style="display: none"></iframe>

but that logged me out entirely - also on other websites in other browser tabs, and I find that quite inconvenient.

asked May 3, 2019 at 8:37

1 Answer

3

You're already authenticated with Google, hence why you don't have to re-enter the password.

Forcing the logout - as you achieved with the iframe - caused you to log out of your Google account which led to the inconvenience you encountered.

Once your application is given access to your Google account, and you have an active Google authentication state, you won't be prompted for a password. This is how OAuth2 works and is by design.

answered May 3, 2019 at 8:50

4 Comments

That's not how Gmail works. If I take a fresh browser, go to gmail.com, enter my username, enter my password, am logged in, choose "Log out" from the dropdown, am logged out, and go there again, I still have to enter my password again. I just tried it.
Assuming you mean the icon top-right in Gmail, you're actually logging out of your Google Account, not just the Gmail application (the link for that button is accounts.google.com/logout).
I see. Hm. Interesting. So basically what you're saying is that the fact that users can re-login without entering a password should not be considered a security risk?
No, it's not a security risk, the same way you don't log into your Gmail account each time you use your browser. It's one of the benefits of OAuth2. OAuth2 has the concept of revoking access, which you would be able to do through your Google Account (myaccount.google.com/u/0/permissions). You should see your app in this list. If you remove it, you'll lose access in your app (and it'll prompt you to link to your account again).
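To make the boundary the answer describes concrete, here is an added example logout handler for a PHP site using google-api-php-client (my code, not the asker's or the library's). It assumes session_start() has already run, the client's id, secret and redirect URI are configured elsewhere, and the token Google returned is stored in $_SESSION['access_token'].

```php
<?php
// Added example: logout for a site that signs users in with Google OAuth2.
// Assumes session_start() has been called and the Google client is configured.
require_once __DIR__ . '/vendor/autoload.php';

function logoutGoogleUser(Google_Client $client): bool
{
    $revoked = false;

    if (!empty($_SESSION['access_token'])) {
        // Load the stored token into the client first, so revokeToken() has
        // something to revoke even on a request where nothing else loaded it.
        // revokeToken() returns true when Google accepted the revocation; on
        // false, the grant is still listed under myaccount.google.com/permissions.
        $client->setAccessToken($_SESSION['access_token']);
        $revoked = $client->revokeToken();
    }

    // Clear this site's own session data and expire its cookie in the browser.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();

    // Scope of what just happened: the app's session is gone and the app's
    // grant is revoked at Google. The user's sign-in to accounts.google.com in
    // this browser is untouched, which is why the next login only shows the
    // account picker instead of a password prompt. Ending that Google session
    // would require the accounts.google.com/logout page, with the side effect
    // on other sites the asker observed.
    return $revoked;
}
```

The return value lets the calling page log a failed revocation rather than silently reporting the user as logged out.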
