how do i sign user out of my app? - api

I implementet Google+ Sign-In API in the root page of my app. It automatically signs in user if user is signed in to google, then API automatically signs him in to my app. The problem is that when user logs out of my app, he is redirected to root page which logs him back in, since he still is logged in to google.
You can see the whole code here: https://developers.google.com/+/web/signin/
wierd, they have "See also, signing the user out of your app."
link, but it's broken :(
Any ideas?

This is similar to this question:
Preventing automatic sign-in when using Google+ Sign-In
You could use a cookie that is set when the user is logged in on your site. If the user is logged in, indicated by the presence of the cookie, allow the user to automatically get redirected into your site. If the user is not logged in, require that the user click the sign-in button before you hide the button and redirect them to the signed-in experience. To log the user out, delete the cookie.

Related

Azure B2C logs out but user can sign in without credentials again

Setup Overview
I am using B2C custom policies for sign-in flow in react application using msal-react and msal-browser packages. The user is able to log in properly for the first time after entering credentials. Now when the user clicks logout, B2C logout popup shows up and it goes away instantly without asking the user to choose an account which is expected because the user is signed in with only a single account. The user is redirected properly.
Doc followed - [https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/logout.md
Issue
After successful logout, which seems to be happening properly as the UnAuthenticated template executes after login. When the user presses login again, it does not ask for any credentials, and user is signed in again which is a security issue. I am not sure what am I missing now. I have gone through all the MS docs multiple times and GitHub issues but did not find a solution
Flow:
Before First login - Session Storage and Cookies are empty,
After login - Session Storage has values and Cookies have 2 entries - x-ms-cpim-sso and x-ms-cpim-csrf
After logout - Both are cleared with no values
Click login again, values from step 2 come back in. But if you don't click login and try different app routes, it shows Unauthenticated template which has login button. So seems like user was correctly logged out
A few questions and helpful information
Is azure ad B2C considered as social sign in (federated entity) or is it considered a local account like Azure AD
I have read here that it does not assume logout from social IDP but I am not using anything other than B2C. In this GitHub, it also mentioned it is expected behaviour but how do I logout properly so that user is asked for credentials again. [https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/2547
After pressing logout, if user is signed out from B2C as the app executes Unauthenticated template instead of Authenticated, how is it able to sign in again without any credentials.
Please guide me to solve this issue

Force Signed-In Google User to Login Again

If a google user is already signed-in (i.e. logged in), is there a way to prompt or force the user to login again? Specifically, I am looking for a URL that would prompt the user to type in their password again.
Try One-Tap Sign-Up and Auto Sign-In library Google announced last week.

How can we login multiple account on same browser

I am creating an app with Node.js express to display social media feeds using their API. I am using FACEBOOK, TWITTER, INSTAGRAM. When I click on any social media icon, a popup window is appearing to login. After logging in all of them. I clicked a button to display feeds. This is working good for single account. Now I want to login multiple account for every social media. But whenever I clicked another social media icon to login .I saw there is already logged in.
For example I click Facebook icon to login . After appearing model window I fill up my username(jrajput315) and password. After logging in this account, I want to login some other Facebook account. And I click Facebook icon to login again. But I see (jrajput315) is already logged in there.
Since you are already logged in to Facebook from one account, Facebook uses a sign-in cookie to keep you logged in. Until this cookie is flushed out, you cannot login through another facebook account on the same browser in the same session.
I guess similar practice happens with few other web-apps, if I am not mistaken.

Google OAUTH2 - how to detect user is already logged in

I'm using Google OAUTH2 for my website. I can successfully login using the google authentication.
Here is what I want to do is:
1) user goes to website homepage and user signs in by clicking "sign in with google" and login is successful and user is taken to logged user dashboard page.
2) user comes back after half hour, user goes to home page and they should get automatically redirected to logged in user dashboard instead of homepage since they already have a valid session.
question - how can you detect if the user is already logged in? Should I be storing the access_token in the session to detect this? what's the recommended way to acheive this with Google OAUTH2?
Yes, you can store the access token in the session, but keep in mind that it could be expired. You should be able to get a new one with an immediate request.
You could also try and do session synchronization from JavaScript, if your site does not have its own session management:
https://developers.google.com/+/web/api/javascript#gapiauthchecksessionstatesessionparams_callback

Devise force logout if logged out from facebook

I have the following scenario:
User logs in with Facebook connect (devise, omniauth)
User starts browsing around the site
User logs out from Facebook
User can still browse around. <-- how can I prevent this from happening?
I basically want to redirect the user to the login page if he is logged out from Facebook
I'm using Rails 3.1 with devise, omniauth.
I think you have a misconception here. Once the user has granted your app privileges to access the Facebook profile--either by virtue of being logged into Facebook in another browser tab, or by explicitly logging into Facebook when redirected--then the OAuth handshake it done and your user is authenticated. The authentication state is now kept locally with your app; you presumably have a session cookie with the user_id, which Devise will handle for you.
The Facebook login on the browser is only necessary to log in, not to authenticate each single request.
You could presumably run the OAuth handshake on every single request, but that would be a lot of performance overhead, and also Facebook may rate limit you.
What is the business case for this scenario? Why do you think you want this?