I am only allowing users to log in with a certain domain name. This specific functionality works and is not the root of the problem. The problem is that users get stuck in a sort of negative feedback loop when they attempt to log in with an incorrect email address.
In reference to the picture above, a user (in a blank incognito page with no information) starts at step one. Clicking login brings them to step two and then to step 3. Attempting to log in with an email address ending with an incorrect domain brings them to step 4. This is desired.
After step four, if they log out of the website, they are presented with step one, which is desirable. The code for logging out is as follows.
app.get("/logout", function(req, res) {
    req.logout()
    req.session.destroy()
    res.clearCookie("connect.sid")
    res.redirect("/")
})
What happens after they click login again is what is undesirable. Instead of bringing them back to step 2 (desired, so they can log in again with their CORRECT email address), it brings them straight to step four. It is as if Google is remembering who logged in last.
Here is the code for my passport.js configuration file.
Short Question: How can I signal to Google not to do this? Or trigger the browser to allow them to log in again? I am at a loss.
Extra Details: In the OAuth 2.0 documentation for Google, it mentions hd and realm, which can restrict logins to a certain domain. But I do not know how I would configure this in the PassportJS configuration file.
asked Jul 23, 2015 at 20:24 by Connorelsea, edited Jul 23, 2015 at 20:36
- Kinda feel like google shouldn't be not doing this. If the user is logged in, it shouldn't ask them to login again. The real problem here is that the email address you are getting back from the user isn't always the same, so if they change which account they're logged in under and go to your app, they'll be sent to step 4. Not entirely sure what to suggest. – Kevin B Commented Jul 23, 2015 at 20:36
- My code on github is linked in the question. Do you think you could take a look? I've been researching this for almost a week now and cannot figure this out. It seems as if, since the user has already authenticated and logged into Google, it is simply not asking them to log in again and is logging them in automatically when Google is asked for authentication. I don't know what to do in this situation. How would you design this system? – Connorelsea Commented Jul 23, 2015 at 20:39
- Like this has to be common. What if a user in another app wanted to log out and then log back in with a different email, but still using Google authentication in the same browser. I do not know how to accomplish this. – Connorelsea Commented Jul 23, 2015 at 20:40
- It's not going to be very common, because it isn't common to restrict access based on email address domain. – Kevin B Commented Jul 23, 2015 at 20:41
- My 2¢ worth is that it's definitely a Google problem. Google needs to fix this in their own implementation. – brandonscript Commented Jul 23, 2015 at 21:13
2 Answers
I think what you want is to prompt the user to select their account. Similar situation to a previous question which I answered. This way the users will clearly choose which account they wish to use, even if they have already signed in before.
Add the parameter prompt=select_account to your authorization request.
app.get(
    "/auth/google",
    passport.authenticate(
        "google",
        {
            scope : ["profile", "email"],
            prompt : "select_account" // Added here
        }
    )
)
This will cause the account chooser to always be shown, even if the user is only logged in to one account. Users will be able to select from their accounts, or add a new one.
For example: https://accounts.google.com/o/oauth2/auth?redirect_uri=https%3A%2F%2Fdevelopers.google.com%2Foauthplayground&response_type=code&client_id=407408718192.apps.googleusercontent.com&scope=profile+email&access_type=offline&prompt=select_account
Also, if you wish to restrict access based on a domain, and that domain is a Google Apps for Work domain, the most correct way to do this is to inspect the hd param in the ID Token. See: How to process the ID Token, and extract the hd claim.
You can revoke the token on your end if you're not satisfied with the email used. You have to make one additional request to revoke the access token for that account to your OAuth app.
In your route callback execute this code (example using the request module):
var request = require('request')

request.get('https://accounts.google.com/o/oauth2/revoke', {
    qs: { token: '[ACCESS or REFRESH TOKEN]' }
}, function (err, res, body) {
    // check err and res.statusCode before treating the token as revoked
})
After that the user will be prompted again on subsequent login attempt.
Take a look at @William Denniss's answer as well, if you want to be prompted each time for a user login.