Tags: firebase, google-signin, google-pay

Which sign-in: Chrome's or Firebase's?


I want to use Google Pay in a Firebase web app. The user signs in to a Google account in the app. I have tested the example code from Google Developers for this. It seems to work fine.

Except when I sign out of the Firebase app: the Google Pay code still seems to work, obviously now using the account I have signed in to Google Chrome with.

So I do not know for sure which user Google Pay sees. I can test a bit, but I need to be sure. How is this supposed to work? Where is it documented?


Solution

  • It doesn't matter how the web application is hosted (Firebase or otherwise); Google Pay will launch in the context of the currently logged-in Google user.

    One way to verify is to visit https://pay.google.com/. It will show you payment details of the currently logged in user.


    EDIT: Responding with clarifications (apologies for the length)

    I want to use Google Pay in a Firebase web app.

    Assume that I in this case is you the developer.

    Except when I sign out from the Firebase app.

    Assume that I in this case is you the user, signing out of the web application and not the Firebase console.

    The user signs in to a Google account in the app.

    The web app uses a Google identity to authenticate the user - correct?

    It seems to work fine.

    Except when I sign out from the Firebase app. Then the Google Pay code still seems to work.

    Is the scenario that you are describing the following?

    1. User is not logged into Google
    2. User signs into the web app with a Google identity and is presented with the Google login screen
    3. User clicks on Google Pay button from within the app - everything works as expected
    4. User signs out of the web app
    5. User returns to the web app after signing out of the web app?
    6. User clicks on Google Pay button from within the web app as an anonymous user (from the web application's perspective) - which brings up the Google user's payment details and this is not what you expected

    If so, then:

    • Step 2: two things happen
      • Google sets a cookie to keep track of the user's identity
      • Google returns an auth token to your app, your app will generally use this to maintain session state using the auth token
    • Step 3: using the cookie that was set in step 2, Google presents the relevant payment methods
    • Step 4: signing out of the web application should clean up the user's web application session state, but it wouldn't sign the user out of Google
    • Step 6: because the Google cookie is still present, Google Pay continues to present the user's payment details

    From my perspective, this is working as intended.

    The web application's session is separate from the Google session; think of it as the web application using Google to bootstrap its own session. Once bootstrapped, they are disconnected from one another.

    The user could sign out of Google after bootstrapping and that shouldn't affect the web application. If the user logs into Google as a different user, they will receive a different Google Pay profile, and they should be able to fulfill payment with the second Google identity's details despite signing into the web application as the first Google identity.

    You should be able to verify this behavior by visiting https://pay.google.com/ after signing out of the web app, then again after signing out of Google, and then signing in again with a different identity.
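    As an added example (not code from the question or the answer above), this shows the practical consequence of the two sessions being disconnected: offer the Google Pay button only while the app's own session exists, and when a payment comes back, bind it to the app's user and record which Google identity actually paid, so the "different Google user" case from step 6 is visible to the backend instead of silent. The `appUser` shape and both sample objects are constructed assumptions; `paymentData.email` is the field Google Pay returns when the request sets `emailRequired: true`.

```javascript
// Constructed sample of what the app's auth layer exposes after Firebase sign-in
// (in the browser this would come from onAuthStateChanged / auth.currentUser).
const CONSTRUCTED_APP_USER = { uid: 'firebase-uid-123', email: 'alice@example.com' };

// Constructed sample of a Google Pay PaymentData response (emailRequired: true).
// Note the payer email differs from the app user: the step 6 scenario.
const CONSTRUCTED_PAYMENT_DATA = {
  apiVersion: 2,
  apiVersionMinor: 0,
  email: 'bob@example.com',
  paymentMethodData: {
    type: 'CARD',
    info: { cardNetwork: 'VISA', cardDetails: '1234' },
    tokenizationData: { type: 'PAYMENT_GATEWAY', token: 'constructed-token' },
  },
};

// Render/enable the Google Pay button (and call paymentsClient.loadPaymentData)
// only while the web app itself has a signed-in user. Signing out of the app
// does not clear Google's cookie, so the app must do its own gating.
function canOfferGooglePay(appUser) {
  return Boolean(appUser && appUser.uid);
}

// Build the record the backend receives: the gateway token tied to the app's
// own user id, plus the payer identity Google reported, so a mismatch between
// app login and Google login is recorded rather than assumed away.
function bindPaymentToSession(paymentData, appUser) {
  if (!canOfferGooglePay(appUser)) {
    throw new Error('No app session: refusing to process Google Pay data');
  }
  const payerEmail = (paymentData.email || '').toLowerCase();
  const appEmail = (appUser.email || '').toLowerCase();
  return {
    appUid: appUser.uid,
    gatewayToken: paymentData.paymentMethodData.tokenizationData.token,
    payerEmail,
    // false here means "the Google account that paid is not the account the
    // app authenticated"; the backend decides whether that is acceptable.
    payerMatchesAppUser: payerEmail !== '' && payerEmail === appEmail,
  };
}
```

    The backend should still verify the Firebase ID token it receives alongside this record; the client-side fields are only a signal, not proof.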