No prompt for re-authentication with OAuth2. Why and how to force it?

Tags: google-oauth

I would like to understand something, please. I have an application based on OAuth2 with Google Accounts.

So, the first time I connect to this website, I am redirected to the authentication page on the Google domain. So I type my email and password and I don't check "trusted computer" (or "remember me", I don't remember the exact term).

The thing is, if I reboot my computer or even delete my cookies (but not my history; tested with Chrome on an Android phone), I am not prompted again for authentication and I have direct access to the application.

I would like to understand why. If somebody can explain it to me, that would be great!

Thank you

user2882219 asked Oct 15 '13 11:10




1 Answer

You can actually force re-authentication in the Google OAuth API by passing &max_auth_age=0 to the auth URL.

Source:

Use the PAPE extension for further control of user authentication (optional)

Use the max_auth_age parameter in the PAPE extension to ensure that the login session of the user at Google is recent. You may also specify max_auth_age=0 to force a password reprompt.

https://developers.google.com/accounts/docs/OpenID

It's a bit confusing because they talk about OpenID, but I'm doing this successfully with Google's provided OAuth2 libs.

asuth answered Nov 02 '22 17:11
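As an added example (not code from the question or the answer above), this builds the Google authorization-request URL with the max_auth_age=0 parameter the answer describes, alongside a CSRF state value, and includes a check that confirms a given URL actually requests a fresh login. The client id, redirect URI and the accounts.google.com/o/oauth2/auth endpoint are assumed values for illustration.

```python
from secrets import token_urlsafe
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed authorization endpoint for this example; use the endpoint from
# your own Google client configuration in practice.
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"


def build_auth_url(client_id, redirect_uri, scope, force_reauth=False, state=None):
    """Build an OAuth2 authorization-code request URL for Google.

    Returns (url, state). The state value is a random per-request token the
    callback handler must compare against the one stored in the user's session,
    so that an attacker cannot splice their own authorization code into the flow.

    With force_reauth=True the URL carries max_auth_age=0, the parameter the
    answer above reports as forcing a password re-prompt instead of silently
    reusing the existing accounts.google.com login session (the reason the
    asker was never prompted again: that session lives in Google's cookies,
    not in the application's).
    """
    state = state or token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    if force_reauth:
        params["max_auth_age"] = "0"
    return f"{GOOGLE_AUTH_ENDPOINT}?{urlencode(params)}", state


def requests_fresh_login(url):
    """True if the authorization URL asks Google for a fresh login (max_auth_age=0)."""
    query = parse_qs(urlsplit(url).query)
    return query.get("max_auth_age") == ["0"]


if __name__ == "__main__":
    # Constructed sample values; not a real client id or redirect URI.
    url, state = build_auth_url(
        "123456789012-example.apps.googleusercontent.com",
        "https://app.example/oauth2/callback",
        "openid email",
        force_reauth=True,
    )
    print(url)
    print("forces re-authentication:", requests_fresh_login(url))
```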