php google-signin hybridauth

Forcefully revoking authorization in Hybridauth


I've connected with Google using Hybridauth. But once I've given authorization for the app to access my account, it doesn't ask for it again even if I log out from all providers and destroy the session.

Sure, it does ask me to log in if I've logged out of my Google account. But doesn't ask for authorization again.

Highlights of the Logout code:

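    session_start();

    require_once "hybridauth/Hybrid/Auth.php";

    $hybridauth = new Hybrid_Auth('hybridauth/config.php');

    // Clears the provider sessions Hybridauth stored locally for this user
    $hybridauth->logoutAllProviders();

    // Discards the PHP session data
    session_destroy();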

Is there a way in which the user will have to re-authorize the app (Allow | Deny) every time he logs out? Or doesn't Hybridauth provide an option to forcefully revoke the authorization code (or refresh token)?


Solution

  •     $config = array(
            // ...
            "providers" => array(
                "Google" => array(
                    // ...
                    "approval_prompt" => "force",     // optional
                    // ...
                ),
            ),
        );
    

    The approval_prompt option takes care of forcefully asking for authorization every time the user logs in. It's not ideal for a production environment of course, but just to test out your app on the local server.

    The approval_prompt can be "force" or "auto". The default is auto, so a given user should only see the consent page for a given set of scopes the first time through the sequence. If the value is force, then the user sees a consent page even if they have previously given consent to your application for a given set of scopes.
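
For the revocation half of the question, the sketch below is an added example, not code from the original post or from Hybridauth: on logout it sends the stored Google token to Google's OAuth 2.0 revocation endpoint, so the grant itself is withdrawn and the consent screen reappears at the next login. It assumes the Hybridauth 2.x adapter API (isConnectedWith, getAdapter, getAccessToken) and the PHP curl extension; revoke_google_token is a hypothetical helper name.

```php
<?php
session_start();
require_once "hybridauth/Hybrid/Auth.php";

/**
 * Hypothetical helper (not part of Hybridauth): ask Google to invalidate a token.
 * Google accepts either an access token or a refresh token here and answers
 * HTTP 200 when the revocation succeeded.
 */
function revoke_google_token($token)
{
    $ch = curl_init("https://oauth2.googleapis.com/revoke");
    curl_setopt_array($ch, array(
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query(array("token" => $token)),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
    ));
    curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return $status === 200;
}

$hybridauth = new Hybrid_Auth("hybridauth/config.php");

// Revoke before logging out: logoutAllProviders() discards the stored tokens,
// after which there is nothing left to send to the revocation endpoint.
if ($hybridauth->isConnectedWith("Google")) {
    $tokens = $hybridauth->getAdapter("Google")->getAccessToken();
    // Prefer the refresh token when one was issued, else use the access token.
    $token = !empty($tokens["refresh_token"])
        ? $tokens["refresh_token"]
        : $tokens["access_token"];
    if (!revoke_google_token($token)) {
        // Fail visibly: an unrevoked grant means the app can still be re-authorized silently.
        error_log("Google token revocation failed; the grant may still be active");
    }
}

$hybridauth->logoutAllProviders();
$_SESSION = array();
session_destroy();
```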