
How to make Google stop logging user in automatically in PassportJS?

I am only allowing users to log in with a certain domain name. This specific functionality works and is not the root of the problem. The problem is that users get stuck in a sort of negative feedback loop when they attempt to log in with an incorrect email address.

[Image: a diagram of the login process, steps one to four]

In reference to the picture above, a user (in a blank incognito page with no information) starts at step one. Clicking login brings them to step two and then to step three. Attempting to log in with an email address ending with an incorrect domain brings them to step four. This is desired.

After step four, if they log out of the website, they are presented with step one, which is desirable. The code for logging out is as follows.

app.get("/logout", function(req, res) {
    req.logout()                    // drop the Passport user from the request
    req.session.destroy()           // discard the server-side session
    res.clearCookie("connect.sid")  // remove the express-session cookie from the browser
    res.redirect("/")
})

What happens after they click login again is what is undesirable. Instead of bringing them back to step two (desired, so they can log in again with their CORRECT email address), it brings them straight to step four. It is as if Google is remembering who logged in last.

Here is the code for my passport.js configuration file.

Short question: How can I signal to Google not to do this? Or trigger the browser to allow them to log in again? I am at a loss.

Extra details: In the OAuth 2.0 documentation for Google, it mentions hd and realm, which can restrict logins to a certain domain. But I do not know how I would configure this in the PassportJS configuration file.

I think what you want is to prompt the user to select their account. Similar situation to a previous question which I answered. This way the users will clearly choose which account they wish to use, even if they have already signed in before.


Add the parameter prompt=select_account to your authorization request.

app.get(
    "/auth/google",
    passport.authenticate(
        "google",
        {
            scope : ["profile", "email"],
            prompt : "select_account" // Added here
        }
    )
)

This will cause the account chooser to always be shown, even if the user is only logged in to one account. Users will be able to select from their accounts, or add a new one.

For example: https://accounts.google.com/o/oauth2/auth?redirect_uri=https%3A%2F%2Fdevelopers.google.com%2Foauthplayground&response_type=code&client_id=407408718192.apps.googleusercontent.com&scope=profile+email&access_type=offline&prompt=select_account


Also, if you wish to restrict access based on a domain, and that domain is a Google Apps for Work domain, the most correct way to do this is to inspect the hd param in the ID Token. How to process the ID Token, and extract the hd claim.
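A worked illustration of the two points in this answer, added here as an example and not the answerer's or Passport's own code: building the authorization request with prompt=select_account (and the optional hd hint) and then enforcing the hd claim server-side on an already signature-verified ID token payload. The domain, client id, redirect URI and claims objects are constructed placeholders.

```javascript
// Added example (not from the question or either answer): the server-side pieces the answer
// describes, written as plain functions so they run without Passport or a live Google endpoint.
// ALLOWED_DOMAIN and every claims object are constructed placeholders.
const ALLOWED_DOMAIN = "example.com";

// 1. Build the Google authorization URL that passport.authenticate("google", {...}) sends.
//    prompt=select_account forces the account chooser; hd only pre-selects the domain in the
//    Google UI and is NOT a security control, so the hd claim is still checked in step 2.
function buildAuthUrl({ clientId, redirectUri, hd }) {
  const params = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: "code",
    scope: "openid profile email",
    prompt: "select_account",
  });
  if (hd) params.set("hd", hd);
  return `https://accounts.google.com/o/oauth2/auth?${params.toString()}`;
}

// 2. Decide whether a *signature-verified* ID token payload belongs to the allowed domain.
//    Input is the claims object an OIDC library returns after verifying signature, issuer and
//    audience; this function deliberately does not parse raw tokens. It returns { ok, reason }
//    so a Passport verify callback can call done(null, false, { message: reason }) on failure,
//    which is what sends the user to "step four" instead of creating a session.
function checkHostedDomain(claims, allowedDomain = ALLOWED_DOMAIN) {
  if (!claims || claims.email_verified !== true) {
    return { ok: false, reason: "email not verified" };
  }
  // hd is only present for Google Workspace (Apps for Work) accounts; consumer accounts have none.
  if (claims.hd !== allowedDomain) {
    return { ok: false, reason: `hd claim "${claims.hd ?? "(absent)"}" is not ${allowedDomain}` };
  }
  // Defence in depth: the email suffix must agree with hd.
  const email = typeof claims.email === "string" ? claims.email.toLowerCase() : "";
  if (!email.endsWith(`@${allowedDomain}`)) {
    return { ok: false, reason: "email domain does not match hd" };
  }
  return { ok: true, reason: "" };
}
```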

You can revoke the token on your end if you're not satisfied with the email used. You have to make one additional request to revoke the access token for that account to your OAuth app.

In your route callback execute this code (example using the request module):

var request = require("request")

// Revoke the token Google issued to this app; accepts an access token or a refresh token
request.get("https://accounts.google.com/o/oauth2/revoke", {
  qs: { token: "[ACCESS or REFRESH TOKEN]" }
}, function (err, res, body) {
  if (err) return console.error("revoke request failed", err)
  // Google returns 200 on success; any other status means the token was not revoked
  console.log("revoke status", res.statusCode)
})

After that the user will be prompted again on subsequent login attempt.

Take a look at @William Denniss's answer as well, if you want to be prompted each time for a user login.
