Selvakumar Ponnusamy

Reputation: 5563

Google oAuth doesn't invalidate token string after log out from Google

I use Google OAuth to log in to my website. This works perfectly fine for sign-in, but it doesn't work for logout.

I do the following:

  1. Get idTokenString from Google API
  2. Keep it with my session
  3. Verify this token for each request by GoogleIdTokenVerifier

When the user does the following, Google doesn't invalidate the token; instead it sends a success response.

  1. A user logs in to Google
  2. The user accesses my website by allowing access
  3. The user logs out from Google
  4. The user accesses my website
  5. My system sends the token to verify it
  6. Google gives me idToken, so my system allows the user to access my website

When the user closes the browser and comes back, the token is invalidated and my system doesn't allow access. But without closing the browser it doesn't work.

Upvotes: 1

Views: 1699

Answers (1)

Luke P. Issac

Reputation: 1591

This is the expected behavior. If the user logs out of Google, they will not be logged out of your application as well. However, there is a workaround if you want to log the user out of your application and want Google to be logged out as well. You just have to clear all the cookies from the browser programmatically, OR you could dynamically build the logout URL from the logout button of one of their Google services, and then invoke that using an img element or a script tag in your application.

<script type="text/javascript"
    src="https://mail.google.com/mail/u/0/?logout&hl=en"></script>

OR

<img src="https://mail.google.com/mail/u/0/?logout&hl=en" />

OR

window.location = "https://mail.google.com/mail/u/0/?logout&hl=en";

Upvotes: 1
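
Why the token in the question keeps verifying, as an added example that is not part of the original posts or of Google's library: verifying an ID token is a local check of signature, issuer, audience and expiry, so the result does not depend on the user's Google session. The example goes one step further and shows an app-owned session, created from one verified token, that the site can end itself. The key pair, issuer, client id, lifetimes and all function names are constructed for this example.

```javascript
// Added example: key pair, issuer, client id and lifetimes are constructed, not Google's.
const nodeCrypto = require('node:crypto');
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const ISSUER = 'https://idp.example';       // stand-in for the identity provider
const CLIENT_ID = 'my-client-id.example';   // stand-in for the site's OAuth client id
const b64u = (v) => Buffer.from(v).toString('base64url');

// What the identity provider does once, at sign-in time.
function issueIdToken(sub, nowSec, ttlSec) {
  const head = b64u(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const body = b64u(JSON.stringify({ iss: ISSUER, aud: CLIENT_ID, sub, iat: nowSec, exp: nowSec + ttlSec }));
  const sig = nodeCrypto.sign('RSA-SHA256', Buffer.from(`${head}.${body}`), privateKey);
  return `${head}.${body}.${b64u(sig)}`;
}

// What a verifier does per request: local checks only, no call to the provider.
function verifyIdToken(token, nowSec) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(head, 'base64url').toString());
    claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  } catch { return null; }
  if (header.alg !== 'RS256') return null;  // pin the algorithm
  const ok = nodeCrypto.verify('RSA-SHA256', Buffer.from(`${head}.${body}`), publicKey, Buffer.from(sig, 'base64url'));
  if (!ok || claims.iss !== ISSUER || claims.aud !== CLIENT_ID) return null;
  if (typeof claims.exp !== 'number' || nowSec >= claims.exp) return null;
  return claims;
}

// App-owned session: the ID token is checked once, then the site controls logout.
const sessions = new Map();
function login(token, nowSec) {
  const claims = verifyIdToken(token, nowSec);
  if (!claims) return null;
  const sid = nodeCrypto.randomBytes(16).toString('hex');
  sessions.set(sid, { sub: claims.sub, expires: nowSec + 900 });
  return sid;
}
function currentUser(sid, nowSec) {
  const s = sessions.get(sid);
  if (!s || nowSec >= s.expires) { sessions.delete(sid); return null; }
  return s.sub;
}
function logout(sid) { sessions.delete(sid); }
```

A token issued before the provider-side logout passes `verifyIdToken` until its `exp`, while `currentUser` returns `null` as soon as the site calls `logout` on its own session id.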
