Firebase auth with google or facebook, not asked password while re signing in after signout

Vinodh Kumar Reddy

Nov 12, 2016, 11:44:10 AM
to Firebase Google Group
I have a scenario like below.

User connects with Gmail to authenticate using Firebase auth as Google provider.

Once the user has logged in for the first time, a user account is created on Firebase and the user is allowed to use the app functionality.

Now the user signs out from the app; I call firebase.auth.signout() and get the success callback, which means signout went without problems.

Now if the user comes back to the app and tries to connect using Gmail again, the user is not asked to provide a password; instead it signs in directly.

How to force the user to log in with a password every time after signout?

The same scenario is noticed with Facebook as well.

This is a serious problem for our use case, because our web application is used by multiple service reps. Once a rep is signed out and a different service rep tries to connect, it automatically signs in the previously signed-out user.

Please let us know if anything is missed in the implementation; guidance is appreciated.


Jacob Wenger

Nov 14, 2016, 12:45:49 PM
to fireba...@googlegroups.com
This is actually expected behavior and how most apps work. See this related thread for more details.

Cheers,
Jacob

pre...@live.co.uk

Nov 19, 2016, 8:23:04 AM
to Firebase Google Group
Very helpful Jacob (...not)

The first time you sign in with Google, Google checks that you want to give permission for the app to access your Google info. The next time you sign in (either after signing out, or on another device with the same Google profile) you will be automatically signed in because Google knows that the app already has permission.

I want to extend this question by asking (and hopefully Jacob or someone else can provide a useful answer): how can we check that the user does not want to sign in with a different account if the device or browser profile has multiple accounts associated with it, rather than just signing in with the active account that might already have permissions? This is also expected behaviour and I'm sure that an answer to this would be very useful for a lot of people. Otherwise there would be no point in having the signout functionality. Most users sign out for the sole purpose of being able to sign back in with a different account. Whether that is a single user with multiple accounts, or a single device used by multiple users as in Vinodh's example.

Vinodh - for now I would suggest that you think of a workaround, e.g. have multiple user profiles (stored in your database) for a single authenticated user. Depending on the situation of trust between your service reps, do you want to trust them to switch to their account and not use somebody else's? If each needs to be secure, you will need to implement your own authentication for individual reps within the database. I won't get into it now but feel free to ask if you don't have ideas how to do this.

Hope this helps a bit.

Samuel Stern

Nov 21, 2016, 11:46:33 AM
to Firebase Google Group
Hi Prenna,

It's important to understand that there are really two different ways you can "sign out" in this situation, and they do different things. The call you are making signs the user out of Firebase Auth, which means they no longer have access to protected resources like your Realtime Database data. However it does not revoke the underlying Google Sign In token, which gives your app the right to access the user's Google account (normally just their email and name unless you asked for more).

If you want to revoke that authorization so that the user gets a clean slate when they try to sign in again, you need to use the Google Sign In API directly and call sign out:

This will allow the user to choose a new account by clearing the local session. If you want to take it even further you can call "disconnect" which revokes all access that your app has to their Google account across devices:

Hope that helps!

- Sam
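
The two sign-out layers described in the reply above, combined in one routine, as an added example that is not part of the original thread or Firebase's own code. It assumes a web app that signs in through the legacy Google Sign-In for Websites library (`gapi.auth2`) and hands the credential to Firebase; `signOutCompletely` and its parameters are hypothetical names.

```javascript
// Added example, not from the thread. Assumed (not on the page):
//   firebaseAuth = firebase.auth()
//   googleAuth   = gapi.auth2.getAuthInstance()  (legacy Google Sign-In for Websites)

/**
 * Ends the Firebase session and the Google Sign-In session, optionally
 * revoking the app's grant. Every step is attempted even when an earlier one
 * fails, and the caller gets a per-step report instead of a silent half sign-out.
 */
async function signOutCompletely(firebaseAuth, googleAuth, { revoke = false } = {}) {
  const steps = [
    // Firebase Auth: cuts access to protected resources such as database data.
    ['firebase.signOut', () => firebaseAuth.signOut()],
  ];
  if (revoke) {
    // Revocation is requested before the local Google session is cleared.
    steps.push(['google.disconnect', () => googleAuth.disconnect()]);
  }
  // Google Sign-In: clears the local session so another account can be chosen.
  steps.push(['google.signOut', () => googleAuth.signOut()]);

  const results = [];
  for (const [step, run] of steps) {
    try {
      await run(); // await also accepts a call that returns no Promise
      results.push({ step, ok: true });
    } catch (err) {
      results.push({ step, ok: false, error: String((err && err.message) || err) });
    }
  }
  return { ok: results.every((r) => r.ok), results };
}

// Browser usage, once both SDKs are loaded and initialised:
//   const outcome = await signOutCompletely(
//     firebase.auth(), gapi.auth2.getAuthInstance(), { revoke: true });
//   if (!outcome.ok) { /* keep the screen locked and report the failed step */ }
```

On a shared workstation, treat `ok: false` as "still signed in" and do not hand the screen to the next user until the failed step has been retried.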