signOut doesn't work with authorize() without id_token #162

Open
wonderfly opened this issue Jan 7, 2015 · 3 comments

From g...@writerduet.com on September 20, 2014 20:15:35

What steps will reproduce the problem? If possible, provide a live demo of the issue.

1. Go to https://writerduet.com and open debugger console
2. Run the following code:

```javascript
gapi.auth.authorize({ 'client_id': CLIENT_ID, 'scope': SCOPES, 'immediate': false, cookie_policy: 'single_host_origin'}, function (authResult) {
  gapi.auth.signOut();
  setTimeout(function() {
    gapi.auth.authorize({ 'client_id': CLIENT_ID, 'scope': SCOPES, 'immediate': true, cookie_policy: 'single_host_origin'}, function (authResult) {
      if (authResult && !authResult.error)
        alert("Wrong! Still signed in");
      else
        alert("Correct! Signed out");
    });
  }, 5000);
});
```

3. Sign in to a Google account and wait 5 seconds.

What is the expected output? What do you see instead?

You should see the alert "Correct! Signed out" but instead see "Wrong! Still signed in" - this means that signOut() isn't working!

What version of the product are you using? On what operating system?

Client library here: https://apis.google.com/js/client.js
Tested on OSX 10.9.4, Chrome and Firefox

Please provide any additional information below.

I debugged the compressed JS code and found that the signOut() function isn't doing anything. The problem is that this function is returning null, because a.id_token doesn't exist:

```javascript
Vv = function(a) {
  a = a && a.id_token;
  if (!a || !a.split(".")[1])
    return null;
  a = (a.split(".")[1] + "...").replace(/^((....)+).?.?.?$/, "$1");
  return .Qn(.sh(a, !0))
};
```

I assume the problem is that gapi.auth.getToken() is returning an object with no field id_token.

This used to work (I tested it a month or two ago), and I haven't changed my gapi code since. Seems crazy that this bug could exist, but signOut() clearly is not working in this case.

Original issue: http://code.google.com/p/google-api-javascript-client/issues/detail?id=162


From fa...@google.com on September 25, 2014 02:44:48

signOut() is only "guaranteed" to work with signIn(), since signIn() adds response_type: 'id_token'. Without this, no id_token is returned, so signOut() can't mark a particular user as signed out.

This modified snippet does work:

```javascript
gapi.auth.authorize({ 'client_id': CLIENT_ID, 'scope': SCOPES, 'immediate': false, cookie_policy: 'single_host_origin', response_type: 'token id_token'}, function (authResult) {
  gapi.auth.signOut();
  setTimeout(function() {
    gapi.auth.authorize({ 'client_id': CLIENT_ID, 'scope': SCOPES, 'immediate': true, cookie_policy: 'single_host_origin'}, function (authResult) {
      if (authResult && !authResult.error)
        alert("Wrong! Still signed in");
      else
        alert("Correct! Signed out");
    });
  }, 5000);
});
```

This is one consequence of using OAuth2 for "sign in" specifically. Arguably, better semantics for signOut() are to apply to a whole session rather than a user-session, which I'll discuss further internally.

It's curious that this ever worked though. Looking into whether anything has changed in terms of server responses.


From fa...@google.com on September 25, 2014 02:45:22

Summary: signOut doesn't work with authorize() without id_token (was: signOut stopped working!)


From g...@writerduet.com on September 25, 2014 12:27:44

Thanks for that explanation, but I just tried the code snippet you provided (in a new Chrome private browser session) and it still did the alert("Wrong..."). Are you seeing different behavior?
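
The thread turns on whether the result passed to the authorize() callback actually carries a decodable id_token. The following diagnostic is an added example, not code from the gapi client or from any participant in this issue; the function names and the sample tokens are hypothetical and constructed, and the payload is decoded without signature verification.

```javascript
// Added example: diagnostic for the id_token condition discussed in this thread.
// Not gapi client code; all names and sample tokens here are hypothetical.

// Decode the payload (second segment) of a JWT-formatted id_token.
// No signature check is done: use for diagnostics, never for access decisions.
function decodeIdTokenPayload(token) {
  const idToken = token && token.id_token;
  if (typeof idToken !== "string") return null;
  const segments = idToken.split(".");
  if (segments.length !== 3 || !segments[1]) return null;
  // base64url -> base64, then restore the padding that JWTs strip.
  let b64 = segments[1].replace(/-/g, "+").replace(/_/g, "/");
  b64 += "=".repeat((4 - (b64.length % 4)) % 4);
  try {
    const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
    return JSON.parse(new TextDecoder().decode(bytes));
  } catch (e) {
    return null; // malformed base64 or JSON
  }
}

// Classify an authorize() callback result before the app relies on signOut().
function signOutReadiness(authResult) {
  if (!authResult || authResult.error) return "not-signed-in";
  if (decodeIdTokenPayload(authResult) === null) return "no-identity";
  return "ok";
}

// Constructed sample data (not real tokens).
function makeSampleIdToken(claims) {
  const enc = (obj) => btoa(JSON.stringify(obj))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return [enc({ alg: "RS256", typ: "JWT" }), enc(claims), "constructed-sig"].join(".");
}

const accessOnly = { access_token: "constructed-access-token" };
const withIdToken = {
  access_token: "constructed-access-token",
  id_token: makeSampleIdToken({ sub: "1234567890", aud: "CONSTRUCTED_CLIENT_ID" }),
};

console.log(signOutReadiness(accessOnly));  // no id_token in the result
console.log(signOutReadiness(withIdToken)); // id_token present and decodable
```

Calling `signOutReadiness(authResult)` inside the first authorize() callback shows whether the response included an id_token at all, which separates a request-side problem (missing response_type) from a sign-out that fails despite the token being present.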
