jakabadambalazs

Reputation: 567

Google packaged app - identity API - removeCachedAuthToken

[Google Chrome 28] I am using the chrome.experimental.identity API in a packaged app and getAuthToken works fine - it gets a token with which I can get user info, etc. I understand that the identity API is moving out from being experimental to the trunk, so as of Chrome 29 I will be able to use chrome.identity and remove the "experimental" permission from my manifest.

Q: If I want to make a logout button, is removeCachedAuthToken the way to go about it? I tried to use it in the experimental.identity but it does nothing.

Upvotes: 4

Views: 2480

Answers (3)

Ohhh

Reputation: 676

I too struggled with this but I eventually discovered this solution buried in the Chrome App Samples. https://github.com/GoogleChrome/chrome-app-samples/blob/master/gapi-chrome-apps-lib/gapi-chrome-apps.js

removeCachedAuthToken removes it locally, but to revoke the token from Google servers you need to send a request, hence the second part: xhr.open('GET', 'https://accounts.google.com/o/oauth2/revoke?token=' + current_token);

Try this:

function revokeToken() {
    chrome.identity.getAuthToken({ interactive: false }, 
      function (current_token) {
        if (!chrome.runtime.lastError) {
            // @corecode_begin removeAndRevokeAuthToken
            // @corecode_begin removeCachedAuthToken
            // Remove the local cached token
            chrome.identity.removeCachedAuthToken({token: current_token}, function(){});
            // @corecode_end removeCachedAuthToken

            // Make a request to revoke token in the server
            var xhr = new XMLHttpRequest();
            xhr.open("GET", "https://accounts.google.com/o/oauth2/revoke?token=" + 
            current_token);
            xhr.send();
            // @corecode_end removeAndRevokeAuthToken

            // Update the user interface accordingly

            $("#revoke").get(0).disabled = true;
            console.log("Token revoked and removed from cache. " + 
              "Check chrome://identity-internals to confirm.");
        }
    });
}

Upvotes: 1

sumit10

Reputation: 96

To revoke the token, use this function from the Google sample app.

function revokeToken() {
    user_info_div.innerHTML = "";
    chrome.identity.getAuthToken({ interactive: false }, 
      function (current_token) {
        if (!chrome.runtime.lastError) {
          // @corecode_begin removeAndRevokeAuthToken
          // @corecode_begin removeCachedAuthToken
          // Remove the local cached token
          chrome.identity.removeCachedAuthToken({token: current_token}, function(){});
          // @corecode_end removeCachedAuthToken

          // Make a request to revoke token in the server
          var xhr = new XMLHttpRequest();
          xhr.open(
          "GET", 
          "https://accounts.google.com/o/oauth2/revoke?token=" + current_token);
            
          xhr.send();
          // @corecode_end removeAndRevokeAuthToken

          // Update the user interface accordingly
          changeState(STATE_START);
          sampleSupport.log("Token revoked and removed from cache. " + 
            "Check chrome://identity-internals to confirm.");
        }
    });
}

Upvotes: 7

fgorski

Reputation: 231

No. It is not the way to go.

removeCachedAuthToken is a function that removes a token acquired using getAuthToken from the internal token cache. However, it does not revoke the token. That means that the application will no longer be able to access the user resources in the current session, until it calls getAuthToken again. When that happens, it will be able to obtain a token again without the user needing to grant access.

As such, this function is not meant to be a logout-related routine. It is more of a recovery mechanism, for when you realize that the access token that your application is using is stale, or invalid in any other way. That happens when you make a request using the access token and the HTTP response status is 401 Unauthorized. In that case you can scrap the token and then request a new one using getAuthToken. To simulate that behavior, you can revoke the relevant grant using the Google Accounts page or from the diagnostic UI: chrome://identity-internals (currently it lists all of the cached tokens).

Please refer to the chrome app samples for GDocs and Identity. (Pull requests 114 for GDocs and 115 for Identity in case you are doing that in the next few days.)

Upvotes: 6
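The 401 recovery flow described in the answer above, as an added example (not code from the answer or from the Chrome app samples). `requestWithTokenRecovery` and `xhrSend` are names made up for this sketch, and `identity` stands for `chrome.identity`, passed in as a parameter so the logic can also be run against a stub.

```javascript
// `identity` is chrome.identity inside an app; it is a parameter here so the
// logic can be exercised with a stub. `send(url, token, cb)` is a helper
// defined for this example; cb receives (httpStatus, responseText).
function requestWithTokenRecovery(identity, send, url, done) {
  var retried = false;

  function attempt() {
    identity.getAuthToken({ interactive: false }, function (token) {
      if (!token) {
        // In Chrome, chrome.runtime.lastError carries the reason.
        done(new Error("no token available"), null);
        return;
      }
      send(url, token, function (status, body) {
        if (status !== 401) {
          done(null, { status: status, body: body });
        } else if (retried) {
          // A fresh token was rejected too: stop rather than loop.
          done(new Error("unauthorized after token refresh"), null);
        } else {
          retried = true;
          // Drop the stale token from the cache so the next getAuthToken
          // call returns a new one instead of the same cached value.
          identity.removeCachedAuthToken({ token: token }, attempt);
        }
      });
    });
  }

  attempt();
}

// XHR transport for use inside the app: the token travels in the
// Authorization header, not in the URL.
function xhrSend(url, token, cb) {
  var xhr = new XMLHttpRequest();
  xhr.open("GET", url);
  xhr.setRequestHeader("Authorization", "Bearer " + token);
  xhr.onloadend = function () { cb(xhr.status, xhr.responseText); };
  xhr.send();
}
```

In an app this would be called as `requestWithTokenRecovery(chrome.identity, xhrSend, url, callback)`. The single-retry guard matters: if the grant itself has been revoked, a second 401 surfaces as an error instead of an endless remove-and-retry loop.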
