Logout implementation with gwt-oauth2

[denish]

Hello guys,

I'm new to GWT and GWT-oAuth-2 and have to note that I'm finding this
library very cool.
I've implemented an application based on samples from library page.
Right now I'm trying to understand how to implement logout from google
account (after token validation and calling to few APIs).
After calling Auth.get().clearAllTokens() the token is removed but
actual logout wasn't performed. So my question is how to completely
logout from an account to which I've logged in?

Thanks,
Denis

[jasonhall]

Hi Denis,

As you have noticed, Auth.get().clearAllTokens() only removes the tokens from the client, it doesn't tell Google to revoke access to your client ID. Calling login() again will not ask the user to grant access. The tokens that get cleared are still valid and active, they are simply "forgotten" by the application.

There is a way to revoke a token from the server's perspective, and that is to make a GET request (probably through JSONP) to https://accounts.google.com/o/oauth2/revoke?token={{ YOUR_TOKEN}} -- this will render the token you pass to it invalid for future requests.

However, it will not entirely revoke access to your app, and calling login() again will give you a new valid token without asking the user to grant access. This is why this functionality is not included in the gwt-oauth2 library -- because I thought it would be confusing to users/developers, though I may add a method for it in the future.

At this time there doesn't appear to be a way to completely revoke access to your application entirely, such that a user has to explicitly grant access the next time they are logged in. I'm not sure whether this is what you're asking for, or if this would even be useful actually.

If you have any more questions please feel free to ask.

- Jason