I have a website where I use Oauth to log users into Gmail, and then retrieve their contacts and other info. What do I need to do to ensure that when the user logs-off my website, he automatically logs out from Gmail too?
As far as I know, there is no logout in OAuth. You simply stop sending tokens between your application and Gmail.
This may be a shortcoming of the 3-legged OAuth flow. The user must sign into their account to provide consent, but once they provide the consent, the OAuth flow takes them away from Gmail. Since users are in a different mind-set when signing in to provide consent vs. signing in to send/check email, they may not realize that they remain signed in after the user flow returns to the OAuth consumer.
I have this issue with Gmail as well as Yahoo and WindowsLive.
In the absence of a standard, I'm considering modifying the user experience on my site to make it more obvious to the user that they remain signed into their Gmail account and will remain so until they actively sign out. My best option at this point is to add a 'sign out' link beside the Gmail icon on my site. This 'sign out' link will launch (yet) another popup to navigate to the Gmail/Yahoo/WindowsLive Sign Out page.
I'm not in love with this approach; it would be better if my 'sign out' link could sign the user out without requiring a popup window, i.e. my application would sign out on behalf of the user by hitting an OAuth sign out endpoint.
A less explicit approach would be to load the Gmail logout page (https://mail.google.com/mail/u/0/?logout&hl=en) in a hidden iframe on my site, when the user clicks on my 'sign out' link. This would have the UX I'm after.
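The "stop sending tokens" point from the first answer and the 'sign out' link from the second, worked as an added example that is not code from either answer. It assumes the site keeps the user's tokens in a server-side session (the usual 3-legged setup), a hypothetical `post` transport so it runs offline, and Google's token revocation endpoint, which the answers do not mention; revoking the token goes one step beyond "simply stop sending tokens", so the site's own copy of the grant is dead even if it were leaked later. The Gmail sign-out URL is the one quoted in the answer.

```python
"""Added example (not from the original Q&A): app-side sign-out for a site
that holds a user's Google OAuth tokens server-side (3-legged flow)."""
from dataclasses import dataclass
from typing import Callable, Mapping, Optional
from urllib.parse import urlencode
import urllib.request

# Gmail sign-out page quoted in the answer above.
GMAIL_LOGOUT_URL = "https://mail.google.com/mail/u/0/?logout&hl=en"
# Google's token revocation endpoint (assumption: not mentioned on the page).
GOOGLE_REVOKE_URL = "https://oauth2.googleapis.com/revoke"


@dataclass
class Session:
    """Minimal stand-in for the site's own server-side session record."""
    user_id: Optional[str] = None
    access_token: Optional[str] = None
    refresh_token: Optional[str] = None

    def clear(self) -> None:
        self.user_id = None
        self.access_token = None
        self.refresh_token = None


@dataclass(frozen=True)
class SignOutResult:
    session_cleared: bool
    token_revoked: bool
    redirect_to: str  # where to send the browser as a top-level navigation


def urllib_post(url: str, data: Mapping[str, str]) -> int:
    """Default transport: form-encoded POST, returns the HTTP status code."""
    body = urlencode(data).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def sign_out(
    session: Session,
    post: Callable[[str, Mapping[str, str]], int] = urllib_post,
    revoke_url: str = GOOGLE_REVOKE_URL,
    provider_logout_url: str = GMAIL_LOGOUT_URL,
) -> SignOutResult:
    # Google accepts either token here; revoking either one invalidates
    # the whole grant, so prefer the refresh token when we have it.
    token = session.refresh_token or session.access_token

    # 1. Forget the tokens *before* talking to the provider, so the site
    #    "stops sending tokens" even if the revocation call fails.
    session.clear()

    # 2. Ask the provider to revoke the grant (best effort, never fatal).
    revoked = False
    if token:
        try:
            revoked = post(revoke_url, {"token": token}) == 200
        except Exception:
            revoked = False

    # 3. Hand the browser over to the provider's own sign-out page.
    return SignOutResult(session_cleared=True, token_revoked=revoked,
                         redirect_to=provider_logout_url)


if __name__ == "__main__":
    # Constructed sample session; the fake transport keeps the run offline.
    demo = Session(user_id="alice", access_token="ya29.constructed",
                   refresh_token="1//constructed")
    result = sign_out(demo, post=lambda url, data: 200)
    print(result, demo)
```

The handler returns the provider's sign-out URL for the site to use as a top-level redirect rather than loading it in a hidden iframe: a cross-site iframe request generally does not carry the provider's session cookies under current browser SameSite defaults, and the provider can refuse to be framed, so the hidden-iframe variant can silently do nothing. Clearing the local session first means a failed or slow revocation call never leaves a usable token behind in the site's store.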