views: 51 | answers: 1
I have a website that allows users to log in with their Google account, http://urlme.cc

Issue: user Bob logs in as [email protected], then logs back out, and THEN decides that he wants to log in as [email protected], one of his alternate Gmail addresses, but he can't do that. If he leaves the "remember me" checkbox checked on Google's login page, it'll remember him. Is this possible? I know the user can manually revoke the association on "https://www.google.com/accounts/IssuedAuthSubTokens", but there's got to be an easier way where I as the developer can revoke it for him.

Please let me know if I need to word this better!

Answer (+1):

The "remember me" checkbox only has meaning when the user is logged in to Google.

When he logs into another account, Google will no longer authenticate the previous account, and will instead use the one he is logged into.

In steps:

  1. User logs in as [email protected] to Google
  2. User clicks "sign in with Google" at the site
  3. Google asks the user for permission to authenticate, and asks whether to remember that permission (and not the user)
  4. User is signed in, but decides that it was a bad idea to authenticate with this account
  5. User logs out at the site and at Google
  6. User logs in at Google as [email protected]
  7. User clicks "sign in with Google" at the site
  8. Since now another user is signed in, and he hasn't permitted authentication yet, Google asks for permission, as in step 3.
  9. User has allowed the auth, so now Google returns a different identifier, the one for [email protected], and neither Google nor the site have any knowledge that the two accounts are connected in any way. The site sees two separate users, and so does Google.

Also, it doesn't seem like the best idea to limit your users to one provider. OpenID is all about decentralization -- you should at least allow users to manually enter an identifier.

And again: "remember me" means "Don't ask me for permission to send that data the next time.", and not "Remember that the one using this machine is me" (that's the "remember me" when you log in to Google).

And no, there is no way to either revoke the user's permission automatically, or know that he has one remembered, and I don't see any reason why you might want to.

Mewp
There *is* a "PAPE" extension to OpenID that's supposed to allow the RP to require the user to re-log in to Google, which would give the user a chance to change which Google account they're using. But reports are that Google's support for PAPE is limited at best. I'm with @Mewp. The best course of action is to have Bob log out of Google before trying to log into your site as someone other than Bob. This is the normal and accepted flow.
Andrew Arnott
Re: step 5, how would they do this? Go to Gmail and log out? Not super intuitive, especially for someone who gets a Google account for the 1st time. It looks like I'll need a Help section with "How to change your Google association with my website? Click <here> to go to your Gmail, then log out of your Gmail, then get back here to sign out of my website, then sign back in and at that point change which Google username you use."
Ian Davis
(Cont'd) Oh well, I was hoping for a reliable way to dissociate my website from their login so they could change which Google account to use, to do all of that for them, but oh well. Thanks for all the answers and comments!
Ian Davis
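The two points made in this thread can be shown in working code: the answer's step 9 (each Google account comes back as a separate opaque identifier, so the site simply sees two users) and Andrew Arnott's comment about the PAPE extension (the RP asks Google to re-authenticate instead of reusing the remembered session). The block below is an added example written for this page; it is not code from the question, the answer, or Google. The OpenID 2.0 and PAPE 1.0 namespaces and Google's `o8/ud` endpoint are the real ones from that era; the realm and return_to URLs, the `slack` tolerance, and the two sample responses are assumptions made up for the example, and signature verification (`check_authentication` / association) is left out.

```python
"""Added example (not from the question, the answer, or Google):
an OpenID 2.0 checkid_setup request to Google carrying PAPE
max_auth_age=0, which asks Google to make the user log in again
rather than silently reusing the remembered account, plus the
RP-side checks on the response and the mapping of claimed_id to a
local account.

Assumptions: realm/return_to URLs, the slack tolerance and the
sample responses are constructed; signature verification is omitted.
"""
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

OPENID_NS = "http://specs.openid.net/auth/2.0"
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
# Google's OpenID 2.0 provider endpoint at the time of this thread.
GOOGLE_OP_ENDPOINT = "https://www.google.com/accounts/o8/ud"


def build_auth_request(realm, return_to, max_auth_age=0):
    """Build the redirect URL for the user's browser.

    PAPE max_auth_age=0 means "do not accept an existing Google session;
    make the user authenticate now", which is the hook Andrew's comment
    refers to.  identifier_select lets Google pick the account."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.return_to": return_to,
        "openid.realm": realm,
        "openid.ns.pape": PAPE_NS,
        "openid.pape.max_auth_age": str(max_auth_age),
    }
    return GOOGLE_OP_ENDPOINT + "?" + urlencode(params)


def parse_response(return_url):
    """Flatten the query string Google appends to return_to into a dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(return_url).query).items()}


def parse_auth_time(value):
    """PAPE auth_time is an RFC 3339 UTC timestamp; return epoch seconds."""
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    return parsed.replace(tzinfo=timezone.utc).timestamp()


def auth_is_fresh(resp, max_auth_age, now, slack=60):
    """True only if Google echoed PAPE and reports a login within max_auth_age.

    If the OP ignored the extension (no openid.ns.pape in the response)
    we cannot know a re-login happened, so we refuse.  `slack` is an
    assumption of this example, not part of the spec: it absorbs the
    redirect round trip so max_auth_age=0 does not reject every reply."""
    if resp.get("openid.ns.pape") != PAPE_NS:
        return False
    auth_time = resp.get("openid.pape.auth_time")
    if not auth_time:
        return False
    return now - parse_auth_time(auth_time) <= max_auth_age + slack


class AccountStore:
    """Map Google's claimed_id to a local user id.

    Google returns a different opaque identifier per Google account, so
    Bob's two addresses become two separate local accounts, exactly as
    step 9 of the answer describes.  The op_endpoint check matters: a
    site that only trusts Google must not accept an identifier asserted
    by some other provider."""

    def __init__(self):
        self._ids = {}

    def login(self, resp):
        if resp.get("openid.mode") != "id_res":
            raise ValueError("not a positive assertion")
        if resp.get("openid.op_endpoint") != GOOGLE_OP_ENDPOINT:
            raise ValueError("assertion did not come from the trusted OP")
        claimed_id = resp["openid.claimed_id"]
        return self._ids.setdefault(claimed_id, len(self._ids) + 1)


# Constructed sample positive responses (signature fields omitted) for
# Bob's two Google accounts; the id values are made up.
BOB_WORK = {
    "openid.ns": OPENID_NS,
    "openid.mode": "id_res",
    "openid.op_endpoint": GOOGLE_OP_ENDPOINT,
    "openid.claimed_id": "https://www.google.com/accounts/o8/id?id=EXAMPLE-work",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_time": "2010-06-01T12:00:00Z",
}
BOB_HOME = dict(BOB_WORK, **{
    "openid.claimed_id": "https://www.google.com/accounts/o8/id?id=EXAMPLE-home",
})

if __name__ == "__main__":
    print(build_auth_request("http://urlme.cc/", "http://urlme.cc/openid/return"))
    store = AccountStore()
    print(store.login(BOB_WORK), store.login(BOB_HOME), store.login(BOB_WORK))
```

Even with this request, whether Google actually shows its login page again depends on its PAPE support, which the comment above reports as limited; the `auth_is_fresh` check is what lets the site detect that case (no `openid.ns.pape` or a stale `auth_time`) and fall back to telling the user to sign out of Google first.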