I've implemented Google OAuth2 on my PHP website, and login works fine. But after logging out, users no longer need to enter the password for their Google account; they can just click their Google account on the list that comes up, and they're back in. Isn't that a security risk?
This is a basic PHP 7.4 setup with google-api-php-client version 2.2.2.
I log out users with
unset($_SESSION["access_token"]); // drop the stored token from the PHP session
$gClient->revokeToken();          // revoke the token previously set on $gClient at Google
session_destroy();                // end the PHP session
since I store the access token in a session variable.
I would expect the login process - enter Google account name - next - enter password - next - to be the same whether you log in for the first time or for subsequent logins. But you're not prompted for a password after the first time.
I tried including a hidden iframe containing the google logout page, like so:
<iframe id="logoutframe" src="https://accounts.google.com/logout" style="display: none"></iframe>
but that logged me out entirely - also on other websites in other browser tabs, and I find that quite inconvenient.
You're already authenticated with Google, which is why you don't have to re-enter the password.
Forcing the logout - as you achieved with the iframe - caused you to log out of your Google account, which led to the inconvenience you encountered.
Once your application is given access to your Google account, and you have an active Google authentication state, you won't be prompted for a password. This is how OAuth2 works and is by design.
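To make the distinction concrete, here is what an application-side logout can and cannot do. This is an added example for this thread, not the asker's code and not part of google-api-php-client; it assumes the access token was stored in $_SESSION['access_token'] at login and that $gClient is configured with the same client id, secret and redirect URI as at login (the assumed config calls are omitted). Everything below ends the application's session and its grant; none of it touches the Google session cookie the browser holds for accounts.google.com, which is exactly why Google does not ask for the password again.

```php
<?php
// logout.php: application-side logout for a site using google-api-php-client 2.x.
// Added example for this thread, not the asker's code and not library code.
// Assumption: the token was saved in $_SESSION['access_token'] when the user logged in.
require_once __DIR__ . '/vendor/autoload.php';

session_start();

$gClient = new Google_Client();
// Assumed: $gClient->setClientId(...), setClientSecret(...), setRedirectUri(...)
// with the same values used at login.

if (!empty($_SESSION['access_token'])) {
    // revokeToken() with no argument revokes the token currently set on the client,
    // so the token must be loaded before it is removed from the session.
    $gClient->setAccessToken($_SESSION['access_token']);
    try {
        // Revocation invalidates the grant at Google, so a copy of the token that
        // leaked from the session store is useless afterwards. If a refresh token
        // was part of the grant, Google will show the consent screen again on the
        // next login; it will not ask for the password, because the Google session
        // in the browser is untouched.
        $gClient->revokeToken();
    } catch (Exception $e) {
        // Revocation can fail (token already expired or revoked, network error).
        // Tear down the local session regardless; never leave the user "logged in"
        // because a remote call failed.
        error_log('Token revocation failed: ' . $e->getMessage());
    }
}

// Wipe every session variable, not only the token: anything else cached at login
// (profile, email, roles) would otherwise survive into the next session.
$_SESSION = [];

// Delete the session cookie in the browser. session_destroy() alone leaves the
// cookie in place, and PHP would accept the old id on the next request.
if (ini_get('session.use_cookies')) {
    $p = session_get_cookie_params();
    setcookie(
        session_name(),
        '',
        time() - 42000,
        $p['path'],
        $p['domain'],
        $p['secure'],
        $p['httponly']
    );
}

session_destroy();

// Send the user to a public page. They are still signed in to Google itself;
// only this application's session and this application's grant are gone.
header('Location: /');
exit;
```

Two points worth checking in your own handler: call setAccessToken() before revokeToken() if the client object was created fresh on the logout page, otherwise there is nothing to revoke; and clear the session cookie, because session_destroy() does not. If you want the account chooser or the consent screen shown on every login, the library exposes Google's prompt parameter via $gClient->setPrompt() with the values Google documents (none, consent, select_account); note that these control the account and consent screens only and, as the answer says, do not force the user to re-enter the Google password.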