How to Log User out of an App that uses Google OAuth2 Sign-In?

I've implemented a Google OAuth2 login flow in my web-server app (using python/flask). My app redirects the user to Google, where they sign in with Google credentials and get directed back to my app.

I'm having trouble deciding how to implement the Logout functionality for this app. I can clear the app's session cookies, but that doesn't log the user out of their Google account. So if the user hits Login after logging out, the redirect goes to Google and, since the user is still signed into Google, they're automatically (without even being prompted to re-enter credentials) signed back in to my app.

This SO answer here seems to give a good overview of why it's bad practice to force the user to log out of all Google services. If that's the only way out, I'll do it, but I'm assuming there's a more elegant solution out there?

FWIW, 'revoking' Google access tokens also doesn't work. My app uses the profile and email scopes for OAuth2 (see this doc). These don't require explicit 'permission-granting' by the user, so there's no such thing as revoking access to these scopes that would force users to be re-prompted at login time.

In case it helps, I used mostly this doc to implement the OAuth2 flow functionality. I could post my code, but (1) it's all in that article, and (2) unless you're unfamiliar with flask/oauth2, it should be irrelevant to answering this question, I think.

Any thoughts would be great, thanks.

asked Sep 03 '25 15:09 by kranberry

1 Answer

The trick is to add prompt='consent'. There are different places to add it depending on the APIs you are using. Here is one example based on the bookshelf app:

import httplib2
import flask
from oauth2client.contrib.flask_util import UserOAuth2

app = flask.Flask(__name__)
app.config.from_pyfile('config.py')  # sets SECRET_KEY and the GOOGLE_OAUTH2_* values

def _request_user_info(credentials):
    # authorize_callback: runs once the code has been exchanged for tokens;
    # fetch the signed-in user's profile and keep it in the app session.
    http = credentials.authorize(httplib2.Http())
    _, content = http.request('https://www.googleapis.com/oauth2/v3/userinfo')
    flask.session['profile'] = content.decode('utf-8')

oauth2 = UserOAuth2()
oauth2.init_app(
    app,
    scopes=['email', 'profile'],
    authorize_callback=_request_user_info,
    client_id=app.config['GOOGLE_OAUTH2_CLIENT_ID'],
    client_secret=app.config['GOOGLE_OAUTH2_CLIENT_SECRET'],
    prompt='consent'  # extra kwargs are forwarded to the Google authorization URL
)
answered Sep 05 '25 16:09 by user3053186

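The answer's prompt='consent' works because the library appends a prompt parameter to the authorization URL Google receives. The following is an added example, not the asker's or answerer's code, that builds that URL by hand with the standard library so the mechanism is visible: an app-side logout that clears only the local session, a login that forces Google to show interaction (select_account or consent, the values Google documents for prompt) instead of silently reusing the browser's Google session, and the state check that the callback must perform against CSRF. The endpoint URL and parameter names are Google's public OAuth 2.0 values; the plain dict stands in for flask.session, and the client ID and redirect URI are placeholders.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Google's OAuth 2.0 authorization endpoint (public, documented value).
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# Values Google documents for the OAuth 2.0 'prompt' parameter.
# 'consent' re-shows the consent screen; 'select_account' shows the account
# chooser even if only one Google account is signed in; 'none' forbids any UI.
ALLOWED_PROMPTS = {"none", "consent", "select_account"}


def build_auth_url(client_id, redirect_uri, state, prompt="select_account",
                   scopes=("openid", "email", "profile")):
    """Build the URL the app redirects the browser to.

    'prompt' is the query parameter that a library kwarg such as
    prompt='consent' ends up appending here. Without it Google silently
    reuses the browser's existing Google session and the user is signed
    back into the app with no interaction.
    """
    values = prompt.split()
    for value in values:
        if value not in ALLOWED_PROMPTS:
            raise ValueError("unsupported prompt value: %r" % value)
    if "none" in values and len(values) > 1:
        raise ValueError("'none' cannot be combined with other prompt values")
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,            # anti-CSRF token, checked on the callback
        "prompt": prompt,
    }
    return GOOGLE_AUTH_ENDPOINT + "?" + urlencode(params)


def query_params(url):
    """Flatten a URL's query string into a {name: value} dict so callers can
    inspect what was generated."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def logout(session):
    """App-side logout: forget everything the app stored, including any
    pending OAuth state. This ends the app session only; the user stays
    signed in to Google, which is why the next login must request
    interaction via 'prompt'."""
    session.clear()


def begin_login(session, client_id, redirect_uri, prompt="select_account"):
    """Start a login: mint an unguessable state value, remember it in the
    session, and return the redirect target."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return build_auth_url(client_id, redirect_uri, state, prompt=prompt)


def callback_state_ok(session, returned_state):
    """On the redirect back from Google, the 'state' in the query string must
    match the one we issued. The stored value is consumed so a replayed
    callback fails."""
    expected = session.pop("oauth_state", None)
    if expected is None or returned_state is None:
        return False
    return hmac.compare_digest(expected, returned_state)


if __name__ == "__main__":
    # Constructed walk-through: a signed-in app session, a logout, then a
    # fresh login that forces the account chooser instead of silent SSO.
    session = {"user": "alice@example.test"}
    logout(session)
    url = begin_login(session, "CLIENT_ID_PLACEHOLDER",
                      "https://app.example.test/oauth2callback")
    print(url)
    print("state accepted:", callback_state_ok(session, query_params(url)["state"]))
```

The point to take from the example is that there are two sessions in play. logout() only ends the one the app controls; whether the user is challenged again on the next login is decided entirely by what the authorization URL asks Google to do, which is what the prompt parameter controls.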
