
dotnetopenauth - how to bounce login on Google's end

I have a website that allows users to log in with their Google account, http://urlme.cc

Issue: when user Bob logs in as bob@gmail.com, then logs back out, and THEN decides that he wants to log in as bob-at-home@gmail.com, one of his alternate Gmail addresses, he can't do that. If he leaves the "remember me" checkbox checked on Google's login page, it'll remember him. Is this possible? I know the user can manually revoke the association on "https://www.google.com/accounts/IssuedAuthSubTokens", but there's got to be an easier way where I as the developer can revoke it for him.

Please let me know if I need to word this better!

The "remember me" checkbox only has meaning when the user is logged in to Google.

When he logs into another account, Google will no longer authenticate the previous account, and will instead use the one he is logged into.

In steps:

  1. User logs in as bob@gmail.com to Google
  2. User clicks "sign in with Google" at the site
  3. Google asks the user for permission to authenticate, and asks whether to remember that permission (and not the user)
  4. User is signed in, but decides that it was a bad idea to authenticate with this account
  5. User logs out at the site and at Google
  6. User logs in at Google as bob-at-home@gmail.com
  7. User clicks "sign in with Google" at the site
  8. Since another user is now signed in, and he hasn't given permission to authenticate yet, Google asks for the permission, as in step 3.
  9. User has allowed the auth, so now Google returns a different identifier, the one for bob-at-home@gmail.com, and neither Google nor the site has any knowledge that the two accounts are connected in any way. The site sees two separate users, and so does Google.

Also, it doesn't seem like the best idea to limit your users to one provider. OpenID is all about decentralization -- you should at least allow users to manually enter an identifier.

And again: "remember me" means "Don't ask me for the permission to send that data the next time", and not "Remember that the one using this machine is me" (that's the "remember me" when you log in to Google).

And no, there is no way to either revoke the user's permission automatically, or know that he has one remembered, and I don't see any reason why you might want to.
