Tags: oauth-2.0, oauth, google-oauth, passport.js, passport-google-oauth2

Passport.js sign in with Google - req.logout signs out of my site but leaves the google account signed in?


I am adding sign in with Google to my website using passport.js

Login / out correctly creates and destroys the session on my server so from my site's perspective everything is fine.

However, after logout, the browser is still signed in to Google (I can go to Gmail for example and it doesn't require credentials)

On a private computer this would be OK, but it seems scary-bad on a shared/public device - I wouldn't have expected to need to sign out from Google AFTER signing out from the website.

So, questions:

  1. Is my concern about a shared device valid?
  2. If the answer to 1 is yes, how do I "properly" sign out when necessary? I don't see anything in Passport.js to do that

Solution

    1. Yes, you are right about your concerns. If a user logs in on a shared device she will leave her Gmail logged in.

    2. The answer is — you can't initiate a sign-out at Google from your website. These are two completely unrelated user sessions, and Google is in control of that session, not you. All you can do is properly inform the user about the dangers of using federated login on a shared device. The user is responsible for signing out from all the websites she has logged in to.