vaadin / vaadin-oauth-example

OAuth 2 and Google Sign-in for Vaadin
https://vaadin.com/learn/tutorials/google-login
The Unlicense

Logout doesn't really log out, another person can see my details when they simply click Login With Google #115

Open madukan opened 1 year ago

madukan commented 1 year ago

Project runs successfully. I was able to log in via Google OAuth2. However, logout doesn't really log out the user. It seems to just take you back to the login link. No authentication is required afterwards, and you can just click on the Login With Google link and get logged back in right away.

Branch: v24. Latest commit I see:

$ git log

commit ce1d20b657fd00564db3732019866efc6e5d605b (HEAD -> v24, origin/v24, origin/HEAD)
Author: Vaadin Bot <vaadin-bot@users.noreply.github.com>
Date:   Tue Aug 15 08:17:30 2023 +0200

    chore: Update Vaadin 24.1.5 (#114)

Legioth commented 1 year ago

As a user of that kind of application, I would be very annoyed if I would be logged out from Google when I click the logout button in the application.

What's different the second time is that you no longer need to tell Google that you accept your authentication details being shared with the application, but that's not the same as logging in.

madukan commented 1 year ago

If it doesn't log you out from Google, essentially there is no need for a Logout button. When using SSO, logout is at the Provider level, not at the client.

Agree with your point there. But that's not "Authentication", that's "Authorisation". Logout therefore needs to log out from everywhere. To re-authenticate, credentials must be provided, be it certificate, device, credentials, tokens, etc. etc., whatever the user has agreed to.

Legioth commented 1 year ago

In that sense, you are right that "log out" is the wrong label. At the same time, I just tried a bunch of web apps that I happen to have nearby with SSO through Google, and they all behave in exactly the same way: "log out" just clears the session for that app, whereas "log in" takes you to Google, which lets you in again without providing credentials (since you only logged out from the app but not from Google). This seems to be a general convention, and it's basically a tradeoff of using a generic SSO provider (aka "social login", even though Google SSO can also be used with corporate accounts).

I'm not sure exactly what we should change here other than to consider providing another example with e.g. Keycloak where it's more expected that you also log out from the SSO provider when you log out from the application.
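The two behaviours described in the comment above (app-local logout versus logging out from the SSO provider as well) map onto two Spring Security configurations. The following is an added example, not code from the vaadin-oauth-example repository or from the tutorial it accompanies. It assumes a Spring Boot application using spring-boot-starter-oauth2-client with a client registration configured under `spring.security.oauth2.client.registration.<id>` (the registration ids "google" and "keycloak" are assumed names), and a login page at `/login`; the package name is hypothetical.

```java
// Added example, not the project's code. Contrasts plain local logout with
// OpenID Connect RP-initiated logout in a Spring Security configuration.
package com.example.demo.security; // hypothetical package

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class LogoutSecurityConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http,
                                            ClientRegistrationRepository clientRegistrations)
            throws Exception {

        // RP-initiated logout (OpenID Connect): after the local session is
        // invalidated, the browser is redirected to the provider's
        // end_session_endpoint so the provider session ends too. The handler
        // reads that endpoint from the provider's discovery metadata; when the
        // provider publishes none, it falls back to a plain local logout and
        // redirects to the post-logout URI below. Google's discovery document
        // does not publish an end_session_endpoint, Keycloak's does, which is
        // why a Keycloak-backed app can log the user out "everywhere" while a
        // Google-backed one only clears its own session.
        OidcClientInitiatedLogoutSuccessHandler oidcLogout =
                new OidcClientInitiatedLogoutSuccessHandler(clientRegistrations);
        oidcLogout.setPostLogoutRedirectUri("{baseUrl}/login");

        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login", "/error").permitAll()
                .anyRequest().authenticated())
            .oauth2Login(login -> login.loginPage("/login"))
            .logout(logout -> logout
                // Local logout only: drops the HttpSession and the security
                // context of this app. On its own this is the behaviour the
                // issue reports: the next click on "Login with Google" is
                // re-authenticated by the provider's still-valid session
                // cookie without a credential prompt.
                .invalidateHttpSession(true)
                .clearAuthentication(true)
                .deleteCookies("JSESSIONID")
                // Swapping in the OIDC handler upgrades local logout to
                // RP-initiated logout wherever the provider supports it.
                .logoutSuccessHandler(oidcLogout));

        return http.build();
    }
}
```

Without the `logoutSuccessHandler(...)` line the chain performs only the local logout; with it, a Keycloak registration also terminates the Keycloak session, while a Google registration behaves as before because the fallback path is taken. A Vaadin application would normally combine this with its Vaadin-specific Spring Security setup rather than use a bare filter chain like this one.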

madukan commented 1 year ago

Now that's the magic, right: Google gets to decide whether to keep you logged in, and that doesn't happen in this branch. Agree?

To confirm the expected behaviour, I just tried this with YouTube, Gmail and my Google account:

1) Logged into my Google account, navigated to YouTube, selected my profile, and now I see my YouTube videos.
2) Next, I browsed to the Gmail URL in the same session/browser/tab, selected my email address, and I'm inside my mailbox.
3) Now I go back to YouTube and log out from there.
4) Go back to Gmail, and here's what I observed: I am logged out from Gmail as well!

This is the correct behaviour: I log out from my account, meaning that on that device I should be logged out from that account. Because the session is managed at the Provider level, otherwise the logout (locking back the sensitive information of the user) doesn't work. In other words, from that browser there is no access to the rest of the services either. Otherwise it is a security loophole.

Legioth commented 1 year ago

YouTube is special since it's an integrated part of Google's own services.

A more relevant comparison is a 3rd party application such as https://trello.com/.

madukan commented 1 year ago

Right. Trello/Miro have a different model. I see your point. Perhaps they don't use backchannel logout? (Because perhaps the spec says it is optional?)