How to Logout of an Application Where I Used OAuth2 To Login With Google?
Problem description
In my application, I implemented Google signout using jsapi.
I used the url https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=xxxxxx to connect to Google and then https://www.googleapis.com/plus/v1/people/xxxxxx to get user data from google profile.
Now I need to signout the user from Google while clicking a button from my application. How can I implement this in JavaScript, or at least it must ask the Google login page every time the user signs in.
I have tried approval_prompt=force, but seems not to be working.
Overview of OAuth: Is the User Who He/She Says He/She is?:
I'm not sure if you used OAuth to login to Stack Overflow, like the "Login with Google" option, but when you use this feature, Stack Overflow is simply asking Google if it knows who you are:
"Yo Google, this Vinesh fella claims that vinesh.e@gmail.com is him, is that true?"
If you're logged in already, Google will say YES. If not, Google will say:
"Hang on a sec Stack Overflow, I'll authenticate this fella and if he can enter the right password for his Google account, then it's him".
When you enter your Google password, Google then tells Stack Overflow you are who you say you are, and Stack Overflow logs you in.
When you logout of your app, you're logging out of your app:
Here's where developers new to OAuth sometimes get a little confused... Google and Stack Overflow, Assembla, Vinesh's-very-cool-slick-webapp, are all different entities, and Google knows nothing about your account on Vinesh's cool webapp, and vice versa, aside from what's exposed via the API you're using to access profile information.
When your user logs out, he or she isn't logging out of Google, he/she is logging out of your app, or Stack Overflow, or Assembla, or whatever web application used Google OAuth to authenticate the user.
In fact, I can log out of all of my Google accounts and still be logged into Stack Overflow. Once your app knows who the user is, that person can log out of Google. Google is no longer needed.
With that said, what you're asking to do is log the user out of a service that really doesn't belong to you. Think about it like this: As a user, how annoyed do you think I would be if I logged into 5 different services with my Google account, then the first time I logged out of one of them, I have to login to my Gmail account again because that app developer decided that, when I log out of his application, I should also be logged out of Google? That's going to get old really fast. In short, you really don't want to do this...
Yeh yeh, whatever, I still want to log the user out Of Google, just tell me how do I do this?
With that said, if you still do want to log a user out of Google, and realize that you may very well be disrupting their workflow, you could dynamically build the logout url from one of their Google services logout button, and then invoke that using an img element or a script tag:
<script type="text/javascript"
src="https://mail.google.com/mail/u/0/?logout&hl=en"></script>
OR
<img src="https://mail.google.com/mail/u/0/?logout&hl=en" />
OR
window.location = "https://mail.google.com/mail/u/0/?logout&hl=en";
If you redirect your user to the logout page, or invoke it from an element that isn't cross-domain restricted, the user will be logged out of Google.
Note that this does not necessarily mean the user will be logged out of your application, only Google. :)
Summary:
What's important for you to keep in mind is that, when you logout of your app, you don't need to make the user re-enter a password. That's the whole point! It authenticates against Google so the user doesn't have to enter his or her password over and over and over again in each web application he or she uses. It takes some getting used to, but know that, as long as the user is logged into Google, your app doesn't need to worry about whether or not the user is who he/she says he/she is.
I have the same implementation in a project as you do, using the Google Profile information with OAuth. I tried the very same thing you're looking to try, and it really started making people angry when they had to login to Google over and over again, so we stopped logging them out of Google. :)
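An added example, not part of the original question or answer: the app-side alternative to ending the user's Google session. It requests the Google account chooser on each sign-in with prompt=select_account and, on logout, revokes the app's own token and clears the app's session. The function names, the session object and the sample values are assumptions made for illustration.

```javascript
// Added example: buildGoogleAuthUrl, logoutOfApp and the session object are
// hypothetical names; client ids and tokens passed in are the caller's own.
const AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth";
const REVOKE_ENDPOINT = "https://oauth2.googleapis.com/revoke";

// Build the sign-in URL. prompt=select_account makes Google show the account
// chooser on every sign-in without ending the user's Google session.
// (approval_prompt=force only re-displays the consent screen.)
function buildGoogleAuthUrl({ clientId, redirectUri, state }) {
  const params = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: "code",
    scope: "openid email profile",
    state, // unguessable per-request value, compared again on the callback
    prompt: "select_account",
  });
  return `${AUTH_ENDPOINT}?${params}`;
}

// Log out of *this* app: revoke the token Google issued to it, then drop the
// app's own session state. The user's Google session is left untouched.
async function logoutOfApp(session, fetchImpl = fetch) {
  const token = session.accessToken;
  let revoked = false;
  if (token) {
    try {
      const res = await fetchImpl(REVOKE_ENDPOINT, {
        method: "POST",
        headers: { "Content-Type": "application/x-www-form-urlencoded" },
        body: new URLSearchParams({ token }).toString(),
      });
      revoked = res.ok;
    } catch (err) {
      revoked = false; // network failure: still end the local session
    }
  }
  session.accessToken = null;
  session.user = null;
  return { revoked, loggedOut: true };
}
```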