In an Android application, I follow the dev guides to sign in, silentSignIn, and [sign out](https://developers.google.com/identity/sign-in/android/disconnect) a Google account. Everything works fine for sign-in flows: after the first sign-in, the app can silentSignIn successfully and retrieve user account data.
My question arises after a successful signOut: I expect silentSignIn to FAIL, so that users are required to sign in manually again. I think that is what the dev guide in the above link means by "...sign out of your app, and to disconnect their accounts from your app entirely". However, silentSignIn still succeeds and user account data (e.g. email, profile data, etc.) can be retrieved as if the user had never signed out. I am sure silentSignIn will fail after revoking access instead of signing out, but then what is signOut for?
Does anyone experience the same issue? Would anyone please share comments and experience on my concern? Thanks in advance.
```java
public static GoogleSignInOptions getGSignInOptions() {
    return new GoogleSignInOptions.Builder(GoogleSignInOptions.DEFAULT_GAMES_SIGN_IN)
            .requestScopes(new Scope(DriveScopes.DRIVE_APPDATA))
            .requestEmail()
            .requestProfile()
            .build();
}

// below code is excerpted from an activity
protected void signInSilently() {
    Log.d(TAG, "signInSilently");
    try {
        GoogleSignInClient gClient = GoogleSignIn.getClient(this, getGSignInOptions());
        gClient.silentSignIn().addOnCompleteListener(this,
                task -> {
                    if (task.isSuccessful()) {
                        mGAccount = task.getResult();
                        // parentheses needed: without them the string concatenation is
                        // evaluated before "== null", so the prefix was never logged
                        Log.d(TAG, "signInSilently: success on "
                                + (mGAccount == null ? "" : mGAccount.getEmail()));
                    }
                });
    } catch (Exception ex) {
        Log.e(TAG, "signInSilently: " + ex.getMessage());
        handleSignInException(ex);
    }
}

protected void signOut() {
    Log.d(TAG, "signOut");
    GoogleSignInClient gClient = GoogleSignIn.getClient(this, getGSignInOptions());
    gClient.signOut().addOnCompleteListener(this,
            task -> {
                if (task.isSuccessful()) {
                    mGAccount = null;
                    Log.d(TAG, "signOut: success");
                } else {
                    handleException(task.getException(), "signOut: failed!");
                }
            });
}
```
I saw a similar question on Google OAuth for web and a reasonable answer on its signout behavior from the same site and Google docs for developers: signout is designed for users to sign out of your app without signing out of Google.
Thus, apps should not call sign-in, not even silentSignIn, at every launch. Instead, apps should call GoogleSignIn.getLastSignedInAccount to check whether the user has signed in successfully before. If there is no prior signed-in account, or the returned account was granted insufficient permissions on the scopes the app requires, then it is time to try silentSignIn.
So it's time to close my own question: what is signOut for? After a successful signOut, GoogleSignIn.getLastSignedInAccount returns null and the app can fall back to the sign-in flows.
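The launch-time flow the answer describes, written out as an added example (not the asker's code): check the locally cached account and its granted scopes first, fall back to silentSignIn only when that check fails, and go interactive only when Google no longer has a session for the app. It assumes it lives in the same Activity as the question's getGSignInOptions(), handleSignInException(), mGAccount and TAG; RC_SIGN_IN and REQUIRED_SCOPES are constructed here.

```java
import android.content.Intent;
import android.util.Log;
import com.google.android.gms.auth.api.signin.GoogleSignIn;
import com.google.android.gms.auth.api.signin.GoogleSignInAccount;
import com.google.android.gms.auth.api.signin.GoogleSignInClient;
import com.google.android.gms.common.api.ApiException;
import com.google.android.gms.common.api.Scope;
import com.google.api.services.drive.DriveScopes;

// Constructed for this example: request code for the interactive flow and the
// scopes the app cannot work without (taken from the question's options).
private static final int RC_SIGN_IN = 9001;
private static final Scope[] REQUIRED_SCOPES = { new Scope(DriveScopes.DRIVE_APPDATA) };

protected void restoreAccountOnLaunch() {
    // 1. Local lookup only: returns null after signOut(), no network round trip.
    GoogleSignInAccount last = GoogleSignIn.getLastSignedInAccount(this);
    if (last != null && GoogleSignIn.hasPermissions(last, REQUIRED_SCOPES)) {
        mGAccount = last;
        Log.d(TAG, "restored cached account: " + last.getEmail());
        return;
    }
    // 2. Nothing cached (or a scope is missing): refresh without UI if Google still
    //    holds a session for this app, otherwise fall through to the interactive flow.
    GoogleSignInClient client = GoogleSignIn.getClient(this, getGSignInOptions());
    client.silentSignIn().addOnCompleteListener(this, task -> {
        if (task.isSuccessful() && GoogleSignIn.hasPermissions(task.getResult(), REQUIRED_SCOPES)) {
            mGAccount = task.getResult();
            Log.d(TAG, "silent sign-in ok: " + mGAccount.getEmail());
        } else {
            // 3. Only the interactive flow can ask the user to grant new scopes.
            startActivityForResult(client.getSignInIntent(), RC_SIGN_IN);
        }
    });
}

@Override
protected void onActivityResult(int requestCode, int resultCode, Intent data) {
    super.onActivityResult(requestCode, resultCode, data);
    if (requestCode != RC_SIGN_IN) return;
    try {
        mGAccount = GoogleSignIn.getSignedInAccountFromIntent(data).getResult(ApiException.class);
        Log.d(TAG, "interactive sign-in ok: " + mGAccount.getEmail());
    } catch (ApiException ex) {
        mGAccount = null;            // user cancelled or consent failed: stay signed out
        handleSignInException(ex);
    }
}
```

Because signOut() only clears the local cache, step 2 will still succeed for a user who signed out but never revoked access; if the app must force a fresh consent, call revokeAccess() instead of (or in addition to) signOut().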