basilboli

Reputation: 634

Proper way to manage user session for OAuth2

We are using Google OAuth2 to let users log in to our system with their existing Google accounts.

After a user is authenticated, what is the proper way to manage the active user session in our app? For example:

Let's suppose the user has logged in to our system with Google account A. Then the user logs out or switches to Google account B, not within our app but from Gmail. Should we also log him out of our app? (That seems to me bizarre and impossible, since there would need to be a Google API to check that the given user is logged in to Google services at the given time.)

The only way that seems reasonable to me is to invalidate the user session after a given timeout, and only then make the user go through the OAuth2 authorization flow again.

Thanks in advance for your help.

Upvotes: 1

Views: 2132

Answers (1)

ddewaele

Reputation: 22603

The access_token or id_token you acquire from the Google OAuth2 login flow is not coupled with the login sessions in the various Google apps (Gmail, Google+, ...).

There's no way for your app to know that the user logged out of his Gmail. Your app shouldn't care.

If your web app makes it clear to the user which account was used to log in initially (by displaying a username/picture or other info retrieved from the Google User Info call), you should be ok.

Most users will not try to link your web application session with a gmail session for example.

Upvotes: 2
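The session model the answer describes, as an added example that is not the answerer's code and not a Google library: after the OAuth2 flow the app validates the id_token claims once, then keeps its own server-side session keyed by a random id with its own idle and absolute timeouts (the questioner's timeout approach), so a logout or account switch on Google's side has no effect and only the app's timeouts end the session. Signature verification of the id_token is assumed to happen upstream (for example with google-auth's `id_token.verify_oauth2_token`); the client id, timeouts and the two sets of claims are constructed for illustration.

```python
import secrets
import time
from dataclasses import dataclass

# Assumptions (not from the original post): the app's own OAuth client id and
# the two timeouts are illustrative values; tune them for your application.
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}
CLIENT_ID = "example-client-id.apps.googleusercontent.com"
IDLE_TIMEOUT = 30 * 60           # end the session after 30 min without a request
ABSOLUTE_LIFETIME = 8 * 60 * 60  # force a fresh Google login after 8 h in any case


def identity_from_claims(claims, now=None):
    """Check the claims of a Google id_token whose signature was already
    verified upstream (e.g. google-auth's id_token.verify_oauth2_token) and
    return only what the app needs to key and display the session."""
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("id_token was issued to a different client")
    if claims.get("exp", 0) <= now:
        raise ValueError("id_token has expired")
    if not claims.get("email_verified", False):
        raise ValueError("email address not verified by Google")
    # 'sub' is the stable account identifier; email and name can change.
    return {"sub": claims["sub"], "email": claims["email"],
            "name": claims.get("name", ""), "picture": claims.get("picture", "")}


@dataclass
class Session:
    identity: dict
    created: float
    last_seen: float


class SessionStore:
    """Server-side sessions keyed by a random id. The cookie carries only this
    id, never the Google access_token or id_token, so Google-side logouts or
    account switches do not affect it: only our own timeouts end it."""

    def __init__(self):
        self._sessions = {}

    def create(self, identity, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # unguessable opaque cookie value
        self._sessions[sid] = Session(identity, now, now)
        return sid

    def get(self, sid, now=None):
        """Identity for a live session, or None once it has timed out."""
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_LIFETIME:
            self.revoke(sid)
            return None
        s.last_seen = now
        return s.identity

    def revoke(self, sid):
        self._sessions.pop(sid, None)


def login_with_google(store, claims, now=None, old_sid=None):
    """App-side end of the OAuth2 flow: validate the claims, drop any session
    the browser still had (it may belong to another Google account if the
    user switched from A to B in Gmail before logging in again) and open a
    fresh one for whichever account Google just asserted."""
    identity = identity_from_claims(claims, now)
    if old_sid is not None:
        store.revoke(old_sid)
    return store.create(identity, now)


# Constructed sample claims for two Google accounts (all values are made up).
T0 = 1_700_000_000
CLAIMS_A = {"iss": "https://accounts.google.com", "aud": CLIENT_ID,
            "sub": "110169484474386276334", "email": "alice@example.com",
            "email_verified": True, "name": "Alice Example",
            "picture": "https://example.invalid/alice.png",
            "iat": T0, "exp": T0 + 3600}
CLAIMS_B = dict(CLAIMS_A, sub="117463254895432187654", email="bob@example.com",
                name="Bob Example", picture="https://example.invalid/bob.png")

if __name__ == "__main__":
    store = SessionStore()
    sid = login_with_google(store, CLAIMS_A, now=T0)
    print("logged in as", store.get(sid, now=T0 + 60)["email"])
    print("after idle timeout:", store.get(sid, now=T0 + 60 + IDLE_TIMEOUT + 1))
```

Note that the session is keyed on `sub`, the stable Google account id, rather than on the email address, and that a second login while an old session id is still present revokes the old session: if the user came back as account B, the app now shows B's name and picture, which is the visible cue the answer relies on.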

Related Questions