How to kill a Google OAuth session (via Firebase) in an Ionic 2 app?

nunoarruda · March 24, 2016, 9:25am

My Ionic 2 app as Google Authentication via Firebase and I have a logout button in the app calling the Firebase unauth() method but that only unauthenticates the Firebase reference and does not kill the Google OAuth session.

After pressing the logout button and pressing the login button again the user is automatically logged in (using the previous OAuth session) and I don’t want that.

I need my logout button to also kill the Google OAuth session so when the login button is pressed again it prompts for the username and password once more. How can I achieve that?

Here’s my code:

home.ts

import {Page} from 'ionic-angular';

@Page({
  templateUrl: 'build/pages/home/home.html'
})
export class HomePage {
    firebaseUrl: string;
    ref: Firebase;
    
    constructor() {
        this.firebaseUrl = 'https://xxx.firebaseio.com';
        this.ref = new Firebase(this.firebaseUrl);
    }
    
    login() {
        this.ref.authWithOAuthPopup("google", (error, authData) => {
            if (error) {
                console.log("Login Failed!", error);
            } else {
                console.log("Authenticated successfully with payload:", authData);
            }
        });
    }
    
    logout() {
        this.ref.unauth();
        console.log('Logout button clicked');
    }
    
}

home.html

<ion-navbar *navbar>
  <ion-title>
    Home
  </ion-title>
</ion-navbar>

<ion-content class="home">
  <button (click)="login()">Sign in with Google</button>
  <button (click)="logout()">Logout</button>
</ion-content>

This question is also on Stack Overflow.

ondonda · March 24, 2016, 9:33am

did you try to add remember: “sessionOnly”, ?
https://www.firebase.com/docs/web/guide/login/google.html please see Optional Settings part maybe that’s what you are looking for

nunoarruda · March 24, 2016, 9:53am

The remember setting limits the persistence of the session by the default value (set in Firebase dashboard), window or page which is not useful in this particular case.

iignatov · March 24, 2016, 1:50pm

You cannot achieve this with Firebase. The unauth() method clears only the Firebase authentication data. It works this way by design, i.e. this is the expected behavior:

The authentication flow is intended to be as frictionless as possible, and it is completely normal that the session with the OAuth provider remains active despite the unauth from Firebase.

This means that you have to implement your own logout and clean-up functionality, e.g. redirect to a logout page or automatically invoke the logout URL or remove the stored cookies (details) or revoke the access token, etc…

Otherwise you can check alternatives as Ionic Platform Auth or Auth0 (I don’t know if they provide such functionality though).

nunoarruda · March 30, 2016, 9:47am

The only working solution I’ve found was to make a JSONP asynchronous request to https://accounts.google.com/logout

This is a “dirty” trick and spits errors to the console but couldn’t find any other working solution. Let me know if someone knows a better way.