Same account selected in Google Idp after logging out
Problem
- A user clicks the Login with Google button to initiate auth using FusionAuth's Google IdP.
- They are prompted to select one of their accounts, as documented here: https://fusionauth.io/docs/v1/tech/identity-providers/google#custom-parameters
- They log out of the FusionAuth application.
- When logging in with Google again, the previous account selected on the first login is automatically selected. This is possibly related to the fact that logging out of FusionAuth does not end the Google session.
Solution
Ideally, the user should be able to select which of their Google accounts to use each time they log in.
Alternatives/workarounds
After logging out of the FusionAuth application make an additional call to https://accounts.google.com/logout. re: https://stackoverflow.com/questions/58154256/aws-cognito-how-to-force-select-account-when-signing-in-with-google
You can also use the OIDC provider and pass the prompt=select_account parameter. More here: https://fusionauth.io/docs/v1/tech/identity-providers/google#custom-parameters
Related issues:
Community guidelines
All issues filed in this repository must abide by the FusionAuth community guidelines.
How to vote
Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.
You do not want to do a call to https://accounts.google.com/logout because it will sign you out of all your Google accounts, meaning you have to sign in again. While this is technically a solution as it will show the account selector, it adds more friction as the user now has to sign back into their Google accounts.
I am using a different OIDC IdP, wso2, and I am running into the same issue. Are there any updates on this? As a workaround, could we manually remove something from the local/browser storage to invalidate the IdP session as well?
You'll probably have to use the custom provider. For example, we removed the Google IdP integration and added a custom OpenID Connect one, with the following values to get Google account switching working:
- Authorization endpoint: https://accounts.google.com/o/oauth2/v2/auth?access_type=offline&prompt=select_account
- Token endpoint: https://oauth2.googleapis.com/token
- Userinfo endpoint: https://openidconnect.googleapis.com/v1/userinfo
- Scope: openid email profile

Then under Options:

- Unique Id claim: sub
- Email claim: email
- Email verified claim: email_verified
- Username claim: preferred_username

Then you want to create an OpenID Connect reconcile lambda for the provider. This is for Google:

```javascript
function reconcile(user, registration, jwt, idToken, tokens) {
  user.firstName = jwt.given_name;
  user.lastName = jwt.family_name;
  user.fullName = jwt.name;
  user.imageUrl = jwt.picture;
}
```
Depending on the remote IDP, you can also use a post_logout_redirect_uri to send the user to an IDP logout URL after they have logged out of FusionAuth.
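As an added example (not code from the thread or from FusionAuth itself), here is a more defensive variant of the reconcile lambda above. It only copies the standard OIDC profile claims that the ID token actually carries, which matters for an IdP like the one mentioned later in the thread that may not return all of them, and it records the IdP subject on the user record; the use of `user.data` for that is an assumption, as is the name `idpSubject`.

```javascript
// Added example: defensive OpenID Connect reconcile lambda for FusionAuth.
// Kept in ES5 style because FusionAuth runs lambdas in a restricted JS engine.
function reconcile(user, registration, jwt, idToken, tokens) {
  // Copy a claim only when it is a non-empty string, so a missing or
  // malformed claim never overwrites an existing value with undefined.
  function setIfPresent(target, field, value) {
    if (typeof value === 'string' && value.length > 0) {
      target[field] = value;
    }
  }

  // Standard OIDC profile claims (given_name, family_name, name, picture).
  setIfPresent(user, 'firstName', jwt.given_name);
  setIfPresent(user, 'lastName', jwt.family_name);
  setIfPresent(user, 'fullName', jwt.name);
  setIfPresent(user, 'imageUrl', jwt.picture);

  // Assumption: keep the IdP's stable subject identifier under user.data so
  // a later audit can correlate the FusionAuth user with the IdP account
  // that was actually selected at login.
  if (typeof jwt.sub === 'string' && jwt.sub.length > 0) {
    user.data = user.data || {};
    user.data.idpSubject = jwt.sub;
  }
}

// Constructed sample: runs the lambda against a minimal ID-token payload
// (no real user data) and returns the resulting user object.
function demoReconcile(claims) {
  var user = { data: {} };
  reconcile(user, {}, claims, null, null);
  return user;
}
```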
Thank you for the answer. I am using a custom IdP (https://is.docs.wso2.com/en/latest/) set up as an OpenID Connect one, and unfortunately they don't support this query param &prompt=select_account to be able to trigger the multi-account select screen, therefore it's using the session already stored in the browser when I try to log out and log back in to FusionAuth.
Using the logout from IdP approach is still taken into consideration, but considering implications I'd like to see if there are other options.