Tags: oauth-2.0, openid-connect, google-signin, social-authentication

Social login keeps the provider app logged in


  1. I visit an app that uses OAuth social login
  2. I choose, say, Gmail; I get sent to the Gmail site
  3. I log in to Gmail and then get sent back to the app
  4. When done with the app I log out

After step 4, even if I close the browser and open it anew, visiting Gmail opens my account straight away without prompting for a password. Keep in mind, I never let browsers save my password, nor do I ever tick “remember me”.

I’m not sure the average user will remember to visit Gmail separately to log out; this would be disastrous on a public computer.

My question:

Is this a design flaw of OAuth2, or is it an implementation flaw with the app in step 1, or is it an implementation flaw with Google login? Or is it technically impossible for the app in step 1 to log out of the social identity provider (in which case it’s not a flaw at all)?


Solution

  • The OpenID Connect core spec and the session management spec define ways to both:

    • Sign the user out of an identity provider (link)
    • And force user re-authentication with the OP after a maximum authentication age (max_age) has elapsed since the last user authentication. (link)

    Trouble is, I'm not sure if Google implements these things; see this.

  • I've tagged your question with OpenID Connect, as authentication is not an OAuth 2.0 concern.
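The two mechanisms the answer points at can be seen on the wire from the relying party's side. The following is an added example, not code from the question, the answer or any provider SDK: it builds an OpenID Connect authorization request that carries max_age (and optionally prompt=login), checks the auth_time claim that the OP must then put in the ID token so the app can verify re-authentication actually happened, and builds an RP-initiated logout request to the OP's end_session_endpoint. The OP endpoint URLs, client id and token claims are constructed placeholders; a real relying party takes the endpoints from the provider's discovery document, and whether a given provider (Google included) publishes an end_session_endpoint is exactly the open point in the answer.

```python
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed OP endpoints for illustration only. A real RP reads these from
# the provider's /.well-known/openid-configuration discovery document;
# end_session_endpoint is only present if the OP supports RP-initiated logout.
OP_AUTHORIZATION_ENDPOINT = "https://op.example/authorize"
OP_END_SESSION_ENDPOINT = "https://op.example/logout"


def build_auth_request(client_id, redirect_uri, state, nonce,
                       max_age=None, force_login=False):
    """Build an OIDC authorization-code request.

    max_age asks the OP to re-authenticate the user if their last
    authentication is older than max_age seconds (max_age=0 means always).
    force_login adds prompt=login, which asks the OP to re-prompt regardless
    of any existing OP session."""
    params = {
        "response_type": "code",
        "scope": "openid email",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,   # CSRF binding for the callback
        "nonce": nonce,   # replay binding for the ID token
    }
    if max_age is not None:
        params["max_age"] = str(int(max_age))
    if force_login:
        params["prompt"] = "login"
    return f"{OP_AUTHORIZATION_ENDPOINT}?{urlencode(params)}"


def reauth_is_fresh(id_token_claims, max_age, now=None):
    """Defender-side check after the token exchange.

    When max_age was requested, the OP must include auth_time in the ID
    token. The RP should refuse to treat the login as fresh unless
    now - auth_time <= max_age; a missing auth_time is treated as stale."""
    now = time.time() if now is None else now
    auth_time = id_token_claims.get("auth_time")
    if not isinstance(auth_time, (int, float)):
        return False
    return (now - auth_time) <= max_age


def build_logout_request(id_token, post_logout_redirect_uri, state):
    """Build an RP-initiated logout request to the OP's end_session_endpoint.

    id_token_hint tells the OP which session to end; post_logout_redirect_uri
    must be pre-registered with the OP for it to be honoured."""
    params = {
        "id_token_hint": id_token,
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "state": state,
    }
    return f"{OP_END_SESSION_ENDPOINT}?{urlencode(params)}"


def query_params(url):
    """Flatten a URL's query string into a plain dict (single values only)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


if __name__ == "__main__":
    # Constructed sample values; not real credentials or tokens.
    auth_url = build_auth_request("client-123", "https://rp.example/cb",
                                  state="s1", nonce="n1", max_age=0,
                                  force_login=True)
    print("authorization request:", auth_url)

    claims = {"sub": "user-1", "auth_time": int(time.time()) - 30}
    print("fresh within 60s:", reauth_is_fresh(claims, 60))
    print("fresh within 10s:", reauth_is_fresh(claims, 10))

    print("logout request:",
          build_logout_request("eyJ.constructed.token",
                               "https://rp.example/logged-out", "s2"))
```

The freshness check is the part apps most often skip: sending max_age or prompt=login only asks the OP to re-authenticate, and without inspecting auth_time the app cannot tell whether the OP complied or silently reused its existing session (which is precisely the behaviour the question describes).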