Mehdi Mowlavi

Reputation: 462

The signout process in Google OIDC Authentication in Blazor WebAssembly does not work as expected

The current implementation of logout in RemoteAuthenticationService in Blazor WebAssembly does not make any revoke request to the Google OpenID provider. The token requested in the login step stays valid and is only cleared from session storage; if the OIDC provider has a signout endpoint, it calls that (the Google OIDC provider has no such endpoint, but it does have a revocation endpoint). How can the token be made invalid? Is it necessary at all?

Upvotes: 1

Views: 680

Answers (1)

Mehdi Mowlavi

Reputation: 462

I personally think it is necessary to sign out or revoke the authentication, because if everyone goes to the login page it automatically does the authentication without any confirmation from the user (which may not be the expected behaviour). You should make a request to the following URL to revoke the token's validity.

async function revokeGoogle(token) {
    // fetch() only rejects on network failure; an HTTP 400 (already invalid
    // or expired token) still resolves, so check the status explicitly.
    const response = await fetch("https://accounts.google.com/o/oauth2/revoke?token=" + encodeURIComponent(token), { method: "GET" });
    if (!response.ok) {
        throw new Error("Google token revocation failed with HTTP " + response.status);
    }
}

We can do it in the Authorization.razor component in the logout action, as below (_authService is the injected access token provider or RemoteAuthenticationService instance, which is the same object in Blazor WebAssembly):

protected override async Task OnInitializedAsync()
{
    switch (Action)
    {
        // On logout we also revoke the Google token, not just the local session.
        case "logout":
            if (_authService is IAccessTokenProvider provider)
            {
                var result = await provider.RequestAccessToken();
                // TryGetToken returns false when no token is available (for example the
                // session already expired); guard it so we never dereference a null token.
                if (result.TryGetToken(out var token))
                {
                    // Do not write the raw token to the console or any log; pass it
                    // straight to the JavaScript revoke call.
                    await _js.InvokeVoidAsync("revokeGoogle", (object)token.Value);
                }
            }
            break;

        default:
            break;
    }
    await base.OnInitializedAsync();
}

Upvotes: 2
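As an added example (not code from the answer above), here is a logout helper written against the revocation endpoint Google currently documents, `POST https://oauth2.googleapis.com/revoke` with the token in a form-encoded body, rather than the GET URL used in the answer. It checks the HTTP status instead of assuming success, and it always clears the local session even when revocation fails, so a network error or an already-expired token cannot leave the user signed in locally. The `fetchImpl` parameter, the `clearLocalSession` callback and the fake fetch used for offline demonstration are assumptions of this example, not part of Blazor or of Google's API.

```javascript
// Added example: revoke a Google OAuth 2.0 token on logout, then clear the
// local session regardless of the revocation outcome.
//
// Endpoint per Google's OAuth 2.0 documentation. A 200 response means the
// token (and, for a refresh token, its associated access tokens) is revoked;
// a 400 with {"error": "invalid_token"} means it was already invalid or expired.
const GOOGLE_REVOKE_URL = "https://oauth2.googleapis.com/revoke";

// fetchImpl is injectable (assumption of this example) so the logic can be
// exercised offline; in the browser the default global fetch is used.
async function revokeGoogleToken(token, fetchImpl = globalThis.fetch) {
  if (typeof token !== "string" || token.length === 0) {
    throw new TypeError("revokeGoogleToken: token must be a non-empty string");
  }
  const body = new URLSearchParams({ token });
  const response = await fetchImpl(GOOGLE_REVOKE_URL, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  });
  // fetch() only rejects on network failure; HTTP errors come back as a
  // normal response, so the status must be checked explicitly.
  if (response.ok) {
    return { revoked: true, status: response.status, error: "" };
  }
  let detail = "";
  try {
    detail = (await response.json()).error ?? "";
  } catch {
    // Non-JSON error body; keep the status code as the only detail.
  }
  return { revoked: false, status: response.status, error: detail };
}

// Logout flow: attempt revocation, then ALWAYS clear local state. A failed
// revoke must not block the local sign-out; the outcome is returned so the
// caller can log it (never log the token itself).
async function logoutWithRevocation(token, clearLocalSession, fetchImpl = globalThis.fetch) {
  let revocation;
  try {
    revocation = await revokeGoogleToken(token, fetchImpl);
  } catch (err) {
    revocation = { revoked: false, status: 0, error: String((err && err.message) || err) };
  }
  clearLocalSession();
  return revocation;
}

// Constructed fake fetch for offline demonstration (not Google's behaviour,
// only its documented response shape): "good-token" is accepted, anything
// else is answered with HTTP 400 and {"error": "invalid_token"}.
function makeFakeFetch(log = []) {
  return async (url, init) => {
    const token = new URLSearchParams(init.body).get("token");
    log.push({ url, method: init.method, token });
    const ok = token === "good-token";
    return {
      ok,
      status: ok ? 200 : 400,
      json: async () => (ok ? {} : { error: "invalid_token" }),
    };
  };
}
```

In a Blazor WebAssembly app the `clearLocalSession` callback would be the existing RemoteAuthenticationService logout; the point of the wrapper is that revocation and local sign-out are separate steps, and the second must run even if the first does not.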
