In my web application, I allow users to log in using the auth command in the API Client Library, but I cannot find a logout option for the Google API JavaScript Client Library.
Can anyone suggest how I can log out of my application as well as my Google account?
My Login Code is:
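```javascript
// Requires jQuery. googleAPI and redirectUrl are defined elsewhere in the application;
// gup() and getUserInfo() are called below but are not shown in this snippet.
var OAUTHURL = 'https://accounts.google.com/o/oauth2/auth?';
var VALIDURL = 'https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=';
var SCOPE = 'https://www.googleapis.com/auth/userinfo.profile';
var CLIENTID = googleAPI;
var REDIRECT = redirectUrl;
var TYPE = 'token'; // implicit flow: the access token comes back in the redirect URL
// Percent-encode each value so the scope and redirect URI survive as single parameters.
var _url = OAUTHURL + 'scope=' + encodeURIComponent(SCOPE) +
    '&client_id=' + encodeURIComponent(CLIENTID) +
    '&redirect_uri=' + encodeURIComponent(REDIRECT) +
    '&response_type=' + TYPE;
var acToken;
var tokenType;
var expiresIn;
var user;

$('#googleLogin').click(function () {
    var win = window.open(_url, "windowname1", 'width=800, height=600');
    var pollTimer = window.setInterval(function () {
        // Stop polling if the user closed the popup without finishing.
        if (win.closed) {
            window.clearInterval(pollTimer);
            return;
        }
        try {
            if (win.document.URL.indexOf(REDIRECT) != -1) {
                window.clearInterval(pollTimer);
                var url = win.document.URL;
                acToken = gup(url, 'access_token');
                tokenType = gup(url, 'token_type');
                expiresIn = gup(url, 'expires_in');
                win.close();
                validateToken(acToken);
            }
        } catch (e) {
            // While the popup is still on accounts.google.com, reading its URL is a
            // cross-origin access and throws; keep polling until it returns to REDIRECT.
        }
    }, 100);
});

// Ask Google's tokeninfo endpoint whether the token is valid before using it.
function validateToken(token) {
    $.ajax({
        url: VALIDURL + token,
        data: null,
        success: function (responseText) {
            getUserInfo();
        },
        dataType: "jsonp"
    });
}
```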
Do not log your users out of their Google Account when they sign out of your application. This behavior is unexpected and annoying to users.
You should, at most, be trying to figure out how to "log out" users of your application. (I put it in quotes, because depending on your implementation, the app might be faking it).
If you care only about hiding elements in the UI, you can set a variable, e.g. `signedIn`, and set or unset it when the user hits a login/logout button. If you care about persisting this state across sessions, use a cookie that stores the same value.

If you want to make sure the person on the other side of the keyboard is really the signed in user, you can use the `max_auth_age` parameter on the authorize call. If you set it to `0`, users will need to re-authenticate with Google before your app gets a valid token. If you pair this with an automatic session expiration (like you'd see on a bank or health website), you can be relatively confident of the identity of the current user.

If you relax the requirement to log out users from their Google account (as Dan explained, it's not a good idea) you can just revoke the OAuth token as explained in this other question.
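
The pieces the two answers describe (a `signedIn` flag, `max_auth_age` set to `0`, automatic session expiration, and token revocation) combined into one application-level sign-out, as an added example that is not part of either answer. The function names, the 15-minute idle limit, the revocation URL (Google's token revocation endpoint, which this page does not give) and passing `max_auth_age` as a query parameter on the question's `OAUTHURL` are assumptions.

```javascript
// Added example; every function name below is hypothetical.
const OAUTHURL = 'https://accounts.google.com/o/oauth2/auth?'; // from the question
const REVOKEURL = 'https://oauth2.googleapis.com/revoke';      // assumption: not on this page
const IDLE_LIMIT_MS = 15 * 60 * 1000;                          // constructed idle timeout

// Build the authorization URL; forceReauth adds max_auth_age=0 (assumed to be
// accepted as a query parameter) so the user must re-authenticate with Google.
function buildAuthUrl(cfg, forceReauth) {
  const params = new URLSearchParams({
    scope: cfg.scope,
    client_id: cfg.clientId,
    redirect_uri: cfg.redirectUri,
    response_type: 'token'
  });
  if (forceReauth) params.set('max_auth_age', '0');
  return OAUTHURL + params.toString();
}

// Application session state: the signedIn flag plus what is needed to expire it.
function createSession(accessToken, expiresInSec, now) {
  return { signedIn: true, accessToken, expiresAt: now + expiresInSec * 1000, lastActivity: now };
}

// Live only while signed in, the token is unexpired and the user was recently active.
function isSessionLive(s, now) {
  return s.signedIn && now < s.expiresAt && now - s.lastActivity < IDLE_LIMIT_MS;
}

// Record activity; an idle or expired session is signed out instead of extended.
function touch(s, now, send) {
  if (!isSessionLive(s, now)) { signOut(s, send); return false; }
  s.lastActivity = now;
  return true;
}

// Sign out of the application only: forget the token locally, then ask Google to
// revoke it. The user's Google Account session is left untouched.
function signOut(s, send) {
  const token = s.accessToken;
  Object.assign(s, { signedIn: false, accessToken: null, expiresAt: 0 });
  if (!token) return null; // already signed out, nothing to revoke
  const req = {
    method: 'POST', url: REVOKEURL,
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({ token }).toString()
  };
  send(req); // transport supplied by the caller
  return req;
}
```

`send` is whatever transport the application uses to deliver the revocation request; the local state is cleared before it is called, so a failed revocation still leaves the app signed out.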