
Prompt user to enter password - Google OpenID Connect


We are trying to use Google's OpenID Connect for a business web app but are concerned that the user will leave the app open and an unauthorized user will sign in because the user is still signed into Google, so OpenID Connect just lets them right in.

We've tried using the max_auth_age=0 parameter. This has been replaced by max_age in OpenID Connect.

I do see that the Google Apps control panel at admin.google.com does usually re-prompt the user for a password while any other login won't. But looking at the authorization URL I don't see anything that would be triggering this to happen.

Here is our current authorization URL: https://accounts.google.com/o/oauth2/auth?prompt=select_account&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww....com%2Fauth%2Fuserinfo.profile&state=%2F&redirect_uri=https://www.foo.com/callback&response_type=token&client_id=...

Perhaps if we added a certain scope that could trigger Google to go into high security mode, but I haven't found anything so far.


Solution

  • There's no way to control re-authentication as indicated in: Google OpenID Connect: Receiving a 500 error when supplying the "max_age" parameter to an authentication request nor step-up as recorded in: https://groups.google.com/forum/#!topic/google-federated-login-api/KT6pSp4VNaQ
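Added example, not code from the question or the answer: the OpenID Connect Core mechanism the question is reaching for, sending max_age on the authorization request and then checking the auth_time claim in the returned ID token, written so that a provider which ignores max_age (as the answer reports for Google) makes the app force its own re-authentication instead of trusting the SSO session. The client ID, redirect URI, scopes and the claims dict are constructed placeholders, and signature, issuer, audience and expiry verification is assumed to have been done by a JWT library before evaluate_id_token is called.

```python
import secrets
import time
from urllib.parse import urlencode

# Constructed placeholder values, not taken from the original question.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
REDIRECT_URI = "https://www.foo.com/callback"


def build_auth_url(max_age_seconds, client_id=CLIENT_ID, redirect_uri=REDIRECT_URI):
    """Authorization request asking for an ID token with a bounded auth age.

    OpenID Connect Core 3.1.2.1: when max_age is sent, the provider must put
    auth_time in the ID token. response_type=id_token (not token, as in the
    question's URL) is what returns that claim to the app.
    """
    state = secrets.token_urlsafe(16)  # CSRF protection; keep in the session
    nonce = secrets.token_urlsafe(16)  # bound into the ID token; replay check
    params = {
        "response_type": "id_token",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email profile",
        "state": state,
        "nonce": nonce,
        "max_age": str(max_age_seconds),
        "prompt": "select_account",
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}", state, nonce


def evaluate_id_token(claims, expected_nonce, max_age_seconds, now=None):
    """Freshness checks on an ID token that is already signature-verified.

    `claims` is the payload dict after a JWT library checked signature, iss,
    aud and exp. Returns (accepted, reason). A missing auth_time means the
    provider did not honor max_age; it is treated as stale, so the app falls
    back to its own sign-in instead of assuming the SSO session is recent.
    """
    now = time.time() if now is None else now
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch: token not bound to this login attempt"
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, (int, float)):
        return False, "auth_time missing: provider did not honor max_age"
    if now - auth_time > max_age_seconds:
        return False, "auth_time too old: user must sign in again"
    return True, "fresh authentication"
```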