 

Google OAuth check if user logged out from Google

After a user has logged in with Google OAuth, is it possible to check later whether the user has logged out from Google?

Scenario:

  1. User logs in to Google
  2. User logs in on mysite.com using Google OAuth, and the login state is stored in a session for 1 year.
  3. User logs out from Google, but forgets to log out from mysite.com
  4. After one week someone steals the user's laptop. The thief won't be able to use Google but will be able to re-use the logged-in user session on mysite.com

I wonder what the ways are to prevent such a situation?

I don't want to put this burden on the user, logging him out from mysite.com and asking him to log in again every day.

Instead I would like to use something automatic like:

  • When you log in with Google OAuth you get some sort of ID
  • Every day you validate that the original session is still active, by calling something like

google.com/api/is-original-session-still-active?id=ID

asked Oct 28 '25 14:10 by Alex Craft


2 Answers

Note: I suspect that you have your terminology incorrect; I suspect you are using OpenID Connect and not OAuth2 to sign in your users. However, I will answer this question based upon OAuth2 as that's what you say you are using.

OAuth2

OAuth2 is used to grant an application access to a user's data. When using an OAuth2 token you are acting on behalf of the user. There is in fact no user interaction when using OAuth2 tokens.

If a user consents to your application accessing their data you will get an access token and a refresh token. Access tokens are good for an hour. Refresh tokens are long lived and will give you access to a user's data for as long as the user doesn't remove your consent and you use it at least every six months.

As OAuth2 is without user interaction there is no way to use it to see if a user is logged into their account. There is actually no Google API that would give you this information. This would IMO be considered private user information and not something that Google should be sharing with third-party applications.

Suggestions

You may want to consider some changes to your application.

  1. Implement logout everywhere. If the user changes their password then all of the devices they have logged in on should automatically need to be re-authenticated.
  2. Your sessions should be good for only a week or two and you should enable sliding expiration.
  3. Tell your users to remove your application's consent to their data; this will also force them to have to re-login.
answered Oct 31 '25 11:10 by DaImTo
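The following is an added example, not code from the question, the answer above or Google, showing how suggestions 1 and 2 fit together in a server-side session store: a short idle timeout that slides forward on every request, a hard absolute lifetime, and a per-user credential generation counter that is bumped on password change so every existing session on every device is invalidated at once. The in-memory dicts stand in for a Redis or database session table, the clock is passed in explicitly, and all names (`SessionStore`, `IDLE_TIMEOUT`, and so on) are this example's own.

```python
"""Server-side sessions with sliding expiration and "logout everywhere".

Added example; not from the original question or answers. Dicts stand in for
the real session table and the current time is an explicit argument so the
behaviour can be exercised deterministically.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

DAY = 24 * 3600
IDLE_TIMEOUT = 14 * DAY       # a session dies after two weeks without a request ...
ABSOLUTE_LIFETIME = 90 * DAY  # ... and never outlives 90 days, however active it is


@dataclass
class Session:
    user_id: str
    created_at: int
    last_seen: int
    generation: int  # the user's credential generation when the session was created


@dataclass
class SessionStore:
    # user_id -> credential generation; bumped on password change (or on a
    # revocation signal from the identity provider) to invalidate every session
    generations: Dict[str, int] = field(default_factory=dict)
    sessions: Dict[str, Session] = field(default_factory=dict)

    def login(self, user_id: str, now: int) -> str:
        """Create a session and return the opaque id that goes into the cookie."""
        gen = self.generations.setdefault(user_id, 0)
        sid = secrets.token_urlsafe(32)  # 256 random bits; never derived from user data
        self.sessions[sid] = Session(user_id, now, now, gen)
        return sid

    def validate(self, sid: str, now: int) -> Optional[str]:
        """Return the user_id for a valid cookie and slide its idle window forward.
        Return None (and forget the session) if it expired or was revoked."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        idle_expired = now - s.last_seen > IDLE_TIMEOUT
        too_old = now - s.created_at > ABSOLUTE_LIFETIME
        revoked = s.generation != self.generations.get(s.user_id, 0)
        if idle_expired or too_old or revoked:
            del self.sessions[sid]
            return None
        s.last_seen = now  # sliding expiration: activity extends the session
        return s.user_id

    def logout_everywhere(self, user_id: str) -> None:
        """Call on password change: bumping the generation makes every existing
        session of this user fail its next validate(), on every device."""
        self.generations[user_id] = self.generations.get(user_id, 0) + 1

    def stored_session_count(self, user_id: str) -> int:
        """Sessions still held in the table (revoked ones disappear lazily on validate)."""
        return sum(1 for s in self.sessions.values() if s.user_id == user_id)


if __name__ == "__main__":
    # The scenario from the question: cookie stolen one week after login.
    store = SessionStore()
    t0 = 1_700_000_000
    sid = store.login("alice", t0)
    print(store.validate(sid, t0 + 7 * DAY))   # thief can still use it: alice
    print(store.validate(sid, t0 + 22 * DAY))  # 15 idle days later: None
```

With a one-year session, as in the question, the stolen cookie stays valid for a year; with the two-week sliding window the thief's copy dies two weeks after the legitimate user's last request, and a password change from any other device kills it immediately.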


Specifically, to know about user account security events that could impact users of your app, if your app is using Sign In With Google, consider registering your app to receive events for Cross Account Protection.

answered Oct 31 '25 10:10 by user2705223
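Cross Account Protection delivers these events as Security Event Tokens (signed JWTs) pushed to an endpoint you register. The block below is an added example, not code from the answer above or from Google, of what the receiving side has to do once the token's RS256 signature has been verified with a JOSE library against the `jwks_uri` published in `https://accounts.google.com/.well-known/risc-configuration` (that step is assumed to have produced the `claims` dict): check issuer, audience, freshness and replay, then map each event type to the action the site should take, including the "sessions revoked" case the question is really about and the "tokens revoked" case behind suggestion 3 of the first answer. The `SAMPLE_*` payloads, the client id and the `sub` value are constructed for this example.

```python
"""Dispatch a Cross Account Protection (RISC) Security Event Token from Google.

Added example, not Google's code or the answer's. Assumes the JWT signature was
already verified against Google's RISC JWKS and decoded into `claims`.
"""
import time
from typing import Dict, List, Optional, Set, Tuple

GOOGLE_ISSUER = "https://accounts.google.com"
RISC = "https://schemas.openid.net/secevent/risc/event-type/"
OAUTH = "https://schemas.openid.net/secevent/oauth/event-type/"

# event type URI -> what the application does with the affected local account
ACTIONS = {
    RISC + "sessions-revoked": "logout_everywhere",          # Google signed the user out everywhere
    RISC + "account-disabled": "logout_everywhere_and_lock",  # payload may carry reason="hijacking"
    RISC + "account-enabled": "unlock",
    RISC + "account-credential-change-required": "force_reauth",
    OAUTH + "tokens-revoked": "delete_stored_google_tokens",  # user revoked your app's consent
    RISC + "verification": "ack_verification",                # test event you requested yourself
}


class SETError(ValueError):
    """Token must be rejected (answer 400 to Google and change nothing locally)."""


def dispatch_set(claims: Dict, expected_aud: str, seen_jti: Set[str],
                 now: Optional[float] = None, max_age: int = 600) -> List[Tuple]:
    """Validate the SET claims and return (action, subject, reason) tuples."""
    now = time.time() if now is None else now
    if claims.get("iss") != GOOGLE_ISSUER:
        raise SETError("unexpected issuer")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise SETError("token not addressed to this client")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or now - iat > max_age:
        raise SETError("token too old")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise SETError("missing or replayed jti")
    events = claims.get("events")
    if not isinstance(events, dict) or not events:
        raise SETError("no events")

    actions = []
    for event_type, payload in events.items():
        action = ACTIONS.get(event_type)
        if action is None:
            actions.append(("ignore_unknown_event", event_type, None))
            continue
        if action == "ack_verification":
            actions.append((action, payload.get("state"), None))
            continue
        subject = payload.get("subject") or {}
        if subject.get("subject_type") != "iss-sub" or subject.get("iss") != GOOGLE_ISSUER:
            raise SETError("unsupported subject")
        # `sub` is the stable Google account id also present in the user's ID
        # token, so it is the key for looking up the local account.
        actions.append((action, subject.get("sub"), payload.get("reason")))
    seen_jti.add(jti)  # record only after every check passed
    return actions


# Constructed sample payloads (client id and sub are placeholders).
SAMPLE_SESSIONS_REVOKED = {
    "iss": GOOGLE_ISSUER,
    "aud": "123456789-example.apps.googleusercontent.com",
    "iat": 1_700_000_000,
    "jti": "constructed-jti-0001",
    "events": {
        RISC + "sessions-revoked": {
            "subject": {"subject_type": "iss-sub", "iss": GOOGLE_ISSUER, "sub": "1234567890"},
        }
    },
}

SAMPLE_ACCOUNT_DISABLED = {
    "iss": GOOGLE_ISSUER,
    "aud": "123456789-example.apps.googleusercontent.com",
    "iat": 1_700_000_000,
    "jti": "constructed-jti-0002",
    "events": {
        RISC + "account-disabled": {
            "subject": {"subject_type": "iss-sub", "iss": GOOGLE_ISSUER, "sub": "1234567890"},
            "reason": "hijacking",
        }
    },
}
```

The returned actions are what the application wires to its own session store (for `logout_everywhere`, bump the user's credential generation or delete their sessions) and token store (for `delete_stored_google_tokens`, drop the refresh token). Unknown event types are reported rather than rejected so that new event types from Google do not cause your endpoint to start returning errors.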


