Google OAuth2 'log out'


Dennis Coert

Jul 5, 2016, 8:49:19 AM
to Google API JavaScript Client
Hello,

I am building a "Log in with Google" mechanic for a website. I seem to have that working, but I must either be doing something wrong, or searching for the wrong thing in trying to get the logging out to work.

The process now involves these steps:
- The Log in screen has a button that allows the user to log in using Google. That button redirects the user to "https://accounts.google.com/o/oauth2/auth".
- The user logs in there using his Google credentials
- The user is sent back to the login page (as set in the redirect_uri parameter)
- The login screen uses the code returned and calls "https://accounts.google.com/o/oauth2/token" to verify the code
- We then call "https://www.googleapis.com/oauth2/v1/userinfo" to retrieve user info with that token
- Based on the userinfo we get, we log a specific user in on the website

The problem arises when a user logs out. If someone then presses the "Log in with Google"-button again he is logged in on the previously used account right away. This would be okay(-ish) if it was on a personal PC, but this is rarely the case. I've been looking for a way to "log the user out" or "force a new log in", but nothing I've found works or has the intended effect.

Adding the "prompt=select_account" parameter to the initial redirect at least allows the user to pick an account, and thus log in to another, but that in no way prevents anyone from simply using the account already there.

Am I approaching this wrong or is there a "forced relogin" or "log out" I simply cannot find?

Thanks in advance,

Dennis
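
The redirect and callback steps described in the post, as an added example that is not the poster's code: it builds the authorization request with `prompt=select_account` and a random `state` value, then rejects a callback whose `state` does not match before the code is exchanged. The client ID, redirect URI, scope string and function names are assumptions made for illustration.

```javascript
// Web Crypto: global in browsers and current Node.js; older Node falls back to the module.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// Authorization endpoint quoted in the post.
const AUTH_ENDPOINT = 'https://accounts.google.com/o/oauth2/auth';

// Build the redirect behind the "Log in with Google" button.
// Returns the URL plus the state value the site must keep in its own
// session so it can be compared when the user is sent back.
function buildAuthRequest({ clientId, redirectUri }) {
  const bytes = webcrypto.getRandomValues(new Uint8Array(16));
  const state = Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
  const params = new URLSearchParams({
    response_type: 'code',
    client_id: clientId,            // assumption: supplied by the site
    redirect_uri: redirectUri,      // assumption: the login page
    scope: 'openid email profile',  // assumption: enough for userinfo
    state,
    prompt: 'select_account',       // always show the account chooser
  });
  return { url: `${AUTH_ENDPOINT}?${params}`, state };
}

// Check the redirect back to the login page and return the code to
// send to the token endpoint. Throws instead of returning a code
// when the response is an error or was not started by this session.
function readCallback(callbackUrl, expectedState) {
  const query = new URL(callbackUrl).searchParams;
  if (query.has('error')) {
    throw new Error(`authorization failed: ${query.get('error')}`);
  }
  if (!expectedState || query.get('state') !== expectedState) {
    throw new Error('state mismatch: response does not belong to this login attempt');
  }
  const code = query.get('code');
  if (!code) throw new Error('callback carries no authorization code');
  return code;
}
```

As the post observes, `prompt=select_account` only shows the account chooser; nothing here ends the Google session already present in the browser.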