No re-authentication with OAuth2 is required. Why, and how to force it?

I would like to understand something. I have an OAuth2-based application using Google accounts.

So, when I first connected to this website, I was redirected to the authentication page in the Google domain. There I typed in my email address and password, and I did not check the "trusted computer" (or "remember me", I do not remember the exact term) box.

The fact is that if I restart my computer or even delete my cookies (but not my history; tested with Chrome on an Android phone), I am not asked to authenticate again, and I have direct access to the application.

I would like to understand why. If anyone can explain this to me, that would be great!

Thanks

+4
3 answers

In fact, you can force authentication at the Google OAuth API by passing &max_auth_age=0 in the auth URL.

Source:

Use the PAPE extension to further control user authentication (optional)

Use the max_auth_age parameter in the PAPE extension to ensure that the user's last login with Google is recent. You can also specify max_auth_age=0 to force a password prompt.

https://developers.google.com/accounts/docs/OpenID

This is a little confusing because they talk about OpenID, but I do this successfully with the OAuth2 libs provided by Google.

+9
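As an added illustration of the answer above (example code, not from the original post or from Google's libraries): a small Python helper that builds the Google OAuth 2.0 authorization URL with the max_auth_age=0 parameter the answer describes, generates and checks the state parameter that protects the callback against login-CSRF, and rejects error or stateless callbacks. The authorization endpoint is Google's documented one; the client_id, redirect_uri and callback values are constructed placeholders, and the effect of max_auth_age is taken from the answer (in OpenID Connect the standardized equivalent is the max_age request parameter).

```python
# Added example (not from the original post): build a Google OAuth 2.0
# authorization URL carrying the max_auth_age=0 parameter the answer above
# describes, plus a CSRF-protecting state value, and validate the callback.
# client_id / redirect_uri / callback values below are constructed placeholders.
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Google's documented OAuth 2.0 authorization endpoint.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def build_auth_url(client_id, redirect_uri, scopes, force_reauth=False, state=None):
    """Return (url, state). With force_reauth=True the max_auth_age=0
    parameter from the answer is appended so Google re-prompts for the
    password instead of silently reusing its own domain session cookie."""
    if state is None:
        # Unguessable per-request token; store it in the user's session so the
        # callback can be tied to the request that started the flow.
        state = secrets.token_urlsafe(32)
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,
    }
    if force_reauth:
        params["max_auth_age"] = "0"  # effect as described in the answer above
    return f"{AUTH_ENDPOINT}?{urlencode(params)}", state


def has_reauth_param(url):
    """True if the URL asks Google for a fresh password check."""
    query = parse_qs(urlparse(url).query)
    return query.get("max_auth_age") == ["0"]


def parse_callback(callback_url, expected_state):
    """Extract the authorization code from Google's redirect back to the app.
    A missing or mismatched state (replayed or forged callback) and an error
    response (e.g. the user denied consent) both raise instead of continuing."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


if __name__ == "__main__":
    url, state = build_auth_url(
        "CLIENT_ID_PLACEHOLDER.apps.googleusercontent.com",  # constructed
        "https://app.example/oauth2/callback",                # constructed
        ["openid", "email"],
        force_reauth=True,
    )
    print(url)
    # Constructed callback, shaped like Google's redirect back to the app.
    callback = f"https://app.example/oauth2/callback?state={state}&code=4%2FCONSTRUCTED"
    print(parse_callback(callback, state))
```

The state check is the part worth keeping even if you never force re-authentication: without it, an attacker can complete the flow with their own code and log the victim into the attacker's account. Store the state server-side in the user's session, compare it on the callback, and discard it after one use.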

API Google OAuth 2

+2


You can try going to this page https://accounts.google.com/b/0/IssuedAuthSubTokens?hl=en_GB and revoking the permission. This will then result in a second request.

+1