The "remember me" checkbox has only meaning when the user is logged in to google.
when he logs into another account, google will no longer authenticate the previous account, and instead use the one he is logged into.
In steps:
- User logs in as [email protected] to Google
- User clicks "sign in with Google" at the site
- Google asks the user for permission to authenticate, and asks whether to remember that permission (and not the user)
- User is signed in, but decides that it was a bad idea to authenticate with this account
- User logs out at the site and at Google
- User logs in at Google as [email protected]
- User clicks "sign in with Google" at the site
- Since now another user is signed in, and he didn't permit to authenticate yet, Google asks for the permission, as in step 3.
- User has allowed the auth, so now Google returns a different identifier, the one for [email protected], and neither Google nor the site have any knowledge that the two accounts are connected in any way. The site sees two separate users, and so does Google.
Also, it doesn't seem like a best idea to limit your users to one provider. OpenID is all about decentralization -- you should at least allow to manually enter an identifier.
And again: "remember me" means: "Don't ask me for the permission to send that data the next time.", and not "Remember that the one using this machine is me"(that's the "remember me" when you log in to Google).
And no, there is no way to either revoke the user's permission automatically, or know that he has one remembered, and I don't see any reason why you might want to.