jdm

Reputation: 10070

Logging in via Google, without logging into Google

Out of curiosity, when I log into a site like StackOverflow via OpenID or similar (Google, Facebook, etc.), I also get logged into the identity provider itself (e.g. Google).

Is there a way that users can log into my site using a third party identity, without being logged into that identity itself?

I'm aware that Google sign-in works differently than others, by using Google Sign-In. I'm interested in a general answer for all the popular login services (Google, Facebook, Twitter, ...) whether they are based on OpenID (2.0), OAuth, or a proprietary solution, e.g.: "With OpenID, that works if you do so-and-so. For Google, that is not possible, because technical reason."

Upvotes: 1

Views: 157

Answers (2)

nvnagr

Reputation: 2063

The behavior you describe is possible (and an IDP could easily implement it) but is not desirable for multiple reasons.

  1. It trains users for phishing, because after clicking "sign-in" users are supposed to enter an id and password, so one could easily show a login page and users will type in their info.
  2. Of course it is not convenient for users.
  3. From a risk and password-cracking perspective, it is better to do a lot of "checks" when a user signs in and maybe require extra checks (like pinging the phone or asking questions) and then create a logged-in session.

I understand the desire that a user shouldn't get signed into the IDP as a side effect, and you could easily achieve that if you are writing the IDP code, or alert the user to sign out of the IDP when they are back on your site.

Upvotes: 0

johnmerm

Reputation: 706

OpenID/OAuth is a general "protocol" that allows a site (e.g. stackoverflow) to rely on an identity provider (e.g. Google) for authentication. This includes a transaction where:

  1. You tell stackoverflow that you will use Google for login.
  2. stackoverflow will send you to Google to get authenticated, with a redirect URL.
  3. Google will authenticate you, effectively logging you into their services (so as to know you are you).
  4. Google (and any other identity provider) should ask you if you want your email and other information to be sent to stackoverflow.
  5. If you agree, Google will send this info to the consumer (stackoverflow).
  6. From this point on it is up to the auth consumer (e.g. stackoverflow) to accept this information (your email) as valid.

Any scheme that does not go through the ID provider's login (step 3) will expose your credentials to a (possibly) untrusted third party (would you want stackoverflow to have your Google password?).

Step 3 also installs a cookie on your machine which contains your session with Google. It is up to Google (or any ID provider) to consider this session valid for all other uses (Gmail etc.), but it is a convenient feature anyway.

If you already have an established session with Google, it possibly won't require you to log in again.

Upvotes: 2
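The six-step flow in this answer, as an added Python simulation that is not from the answer or from any real provider's SDK; the IdP, the consumer, the user record, the callback URL and the `state` check are all constructed for illustration. It shows the two points the answer makes: the password is only ever checked at the IdP (the consumer sees just the consented email), and step 3 leaves the browser holding an IdP session cookie, so a second login through the same browser needs no password at all.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

IDP_USERS = {"alice@example.com": "correct-horse-battery"}  # constructed; known only to the IdP
REDIRECT_URI = "https://rp.example/callback"                 # hypothetical consumer callback

class IdentityProvider:  # Google's role: owns the password check and the login session
    def __init__(self):
        self.sessions = {}  # IdP session cookie -> email (the step-3 side effect)
        self.codes = {}     # one-time code -> (email, redirect_uri)
    def authorize(self, redirect_uri, state, browser, credentials=None, consent=True):
        # Steps 3-5: authenticate (or reuse the session), ask consent, redirect back with a code.
        if redirect_uri != REDIRECT_URI:
            raise ValueError("redirect_uri not registered for this consumer")
        email = self.sessions.get(browser.get("idp_session"))
        if email is None:  # no live session: the password is checked here, never at the consumer
            if credentials is None or IDP_USERS.get(credentials[0]) != credentials[1]:
                raise PermissionError("IdP rejected credentials")
            email = credentials[0]
            browser["idp_session"] = cookie = secrets.token_urlsafe(16)
            self.sessions[cookie] = email  # the user is now logged into the IdP as well
        if not consent:
            raise PermissionError("user declined to share profile")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (email, redirect_uri)
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"
    def exchange(self, code, redirect_uri):  # back-channel: redeem the one-time code
        email, uri = self.codes.pop(code)  # pop: each code is redeemable once
        if uri != redirect_uri:
            raise ValueError("redirect_uri mismatch")
        return {"email": email}

class RelyingParty:  # stackoverflow's role: never sees the password, only the consented profile
    def __init__(self, idp):
        self.idp, self.pending = idp, set()
    def start_login(self):  # steps 1-2: send the browser to the IdP with a fresh state
        state = secrets.token_urlsafe(16)
        self.pending.add(state)
        return REDIRECT_URI, state
    def finish_login(self, callback_url):  # step 6: accept only a callback we initiated
        q = parse_qs(urlparse(callback_url).query)
        if q["state"][0] not in self.pending:
            raise PermissionError("unknown state: forged or replayed callback")
        self.pending.discard(q["state"][0])
        return self.idp.exchange(q["code"][0], REDIRECT_URI)["email"]

def login_via_idp(rp, browser, credentials=None):  # drive one full login through the browser
    redirect_uri, state = rp.start_login()
    return rp.finish_login(rp.idp.authorize(redirect_uri, state, browser, credentials))
```

The `browser` dict stands in for the cookie jar: after the first login it holds `idp_session`, which is exactly the cookie the answer's step 3 describes.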
