65

Is there a way I can force the Google account chooser to appear even if the user is logged in with just one account?

I have tried by redirecting to this URL:

https://accounts.google.com/AccountChooser?service=lso&continue=[authorizeurl]

and it seems to work, but I don't know if there are any other conditions in which it might fail.


cyberhicham
José F. Romaniello

5 Answers

108

The following parameter is supported in OAuth2 authorization URLs:

prompt

Currently it can have values none, select_account, and consent.

  • none: Will cause Google to not show any UI, and therefore fail if user needs to login, or select an account in case of multi-login, or consent if first approval. It can be run in an invisible i-frame to obtain a token from previously authorized users before you decide, for instance, to render an authorization button.

  • consent: Will force the approval page to be displayed even if the user has previously authorized your application. May be useful in a few corner cases, for instance if you lost the refresh_token for the user, as Google only issues refresh_tokens on explicit consent action.

  • select_account: Will cause the account selector to display, even if there's a single logged-in user, just as you asked.

select_account can be combined with consent, as in:

prompt=select_account consent

Daniel Rearden
breno
  • 3
    Is 'approval_prompt=force' the same as 'prompt=consent'? Thanks – José F. Romaniello Jan 18 '13 at 11:28
  • 3
    Yes, but unlike prompt=consent it can't be combined with the option for 'select_account'. Use 'prompt' instead if writing new code now. – breno Jan 23 '13 at 07:12
  • 1
    Is there a way to force login with gmail accounts (like hd=gmail.com)? – woloski Jan 25 '13 at 07:15
  • 1
    @woloski, yes, hd=default should restrict to gmail accounts – Ari Porad Aug 29 '13 at 02:36
  • I get the select_account screen but it has no remove button. How do I remove an account if I have to? – vashishatashu Oct 16 '14 at 06:14
  • Google Documentation and Options/Parameters https://developers.google.com/accounts/docs/OAuth2WebServer#formingtheurl – CTS_AE Nov 15 '14 at 21:12
  • 6
    prompt=select_account+consent does not work, you'll want to use prompt=select_account consent ------ docs: https://developers.google.com/accounts/docs/OpenIDConnect – Brett C Feb 13 '15 at 21:46
  • `select_account+consent` is probably the URL encoded value. I think the answer should show a space delimited string instead, as documented. – Rafa Viotti Mar 14 '16 at 23:01
  • If you are following the latest tutorial at https://developers.google.com/identity/sign-in/web/sign-in#specify_your_apps_client_id you can also add it to your button generation div.
    – AdamG Mar 27 '16 at 00:53
  • This does NOT require the user to authenticate again. There is no password prompt and any person can click on the user account and authorize. How the hell is this secure on a public computer? Can anyone please tell me how I force the user to submit his password again when signing in after he signed out? – Hugo Cox Jun 09 '18 at 13:30
  • @HugoCox Well, oauth2 is not about authentication, it's about authorization. You have no way to force google to require their users to login again. You can only require users to consent, or choose account. It's on Google to require authentication if user is not authenticated, you can only control authorization since your client is relying party not token issuer. Hope it clears it a little bit. – bigkahunaburger Jun 29 '19 at 11:36
  • Here is a link to see the full API for JavaScript: https://developers.google.com/identity/protocols/oauth2/javascript-implicit-flow – Snedden27 Mar 21 '20 at 17:08
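
An added example, not part of the original answer or its comments: it builds an authorization URL with a validated, space-delimited `prompt` value and shows how the `select_account+consent` and `select_account consent` spellings from the comments relate once the query string is encoded and decoded. The endpoint constant, function names, client ID, redirect URI and state value are assumptions made for illustration.

```javascript
// Added example: client_id, redirect URI and state are constructed placeholders.
const GOOGLE_AUTH_ENDPOINT = 'https://accounts.google.com/o/oauth2/v2/auth';
const ALLOWED_PROMPTS = new Set(['none', 'select_account', 'consent']);

// Build the authorization URL; `prompts` is an array such as ['select_account', 'consent'].
function buildAuthUrl({ clientId, redirectUri, scope, state, prompts }) {
  for (const p of prompts) {
    if (!ALLOWED_PROMPTS.has(p)) throw new Error('unsupported prompt value: ' + p);
  }
  // "none" means "show no UI", so it cannot be combined with a value that demands UI
  // (OpenID Connect Core treats that combination as an error).
  if (prompts.includes('none') && prompts.length > 1) {
    throw new Error('prompt=none cannot be combined with other values');
  }
  const url = new URL(GOOGLE_AUTH_ENDPOINT);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('scope', scope);
  url.searchParams.set('state', state); // caller-supplied anti-CSRF value
  // Join with a plain space; the URL API applies the query encoding exactly once.
  url.searchParams.set('prompt', prompts.join(' '));
  return url.toString();
}

// Return the prompt values a server sees after it decodes the query string.
function promptValuesSeenByServer(authUrl) {
  const raw = new URL(authUrl).searchParams.get('prompt') || '';
  return raw.split(' ').filter(Boolean);
}

const sample = {
  clientId: 'example-client-id.apps.googleusercontent.com',
  redirectUri: 'https://www.example.com/callback',
  scope: 'openid email',
  state: 'constructed-csrf-token',
};
const good = buildAuthUrl({ ...sample, prompts: ['select_account', 'consent'] });

// Failure mode: a literal "+" handed to an encoder is encoded again as %2B,
// so the server decodes one unknown value instead of two known ones.
const doubleEncoded = new URL(GOOGLE_AUTH_ENDPOINT);
doubleEncoded.searchParams.set('prompt', 'select_account+consent');

console.log(good);
console.log(promptValuesSeenByServer(good));
console.log(promptValuesSeenByServer(doubleEncoded.toString()));
```

Passing the unencoded, space-delimited string to whatever builds the query lets the encoding happen once, whichever of `+` or `%20` the library emits for the space.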
13

Also, you can add "prompt" parameter in HTML tags as data-prompt="select_account":

<div class="g-signin2" data-onsuccess="onSignIn" data-prompt="select_account"></div>

and it will force account chooser every time, even if you are logged in with only one account

Josip Lukacevic
  • Not working for me, `
    ` but onSignIn still called every time
    – Benjamin Poignant Mar 06 '18 at 15:19
  • @BenjaminPoignant Your problem (success handler instantly called on page load) is slightly different to the one this question is about (although your confusion is understandable). As https://stackoverflow.com/a/15503280/1709587 notes, you need to use `gapi.auth2.getAuthInstance().signOut();` to sign the user out of your app. *This* question is about how, having done that, to ensure that when the user clicks the login button again they get a chance to choose which Google account to sign in as, rather than instantly using their current Google account as soon as the sign-in button is clicked. – Mark Amery Nov 30 '18 at 16:17
13

Some people may end up here looking for an answer about how to do this in Microsoft.AspNetCore.Authentication.

We were able to accomplish it via the following code in the Startup.ConfigureServices method:

services.AddAuthentication()
  .AddGoogle(options =>
  {
      options.ClientId = configHelper.GoogleOAuthClientID;
      options.ClientSecret = configHelper.GoogleOAuthSecret;
      options.CallbackPath = "/signin-google";
      options.AuthorizationEndpoint = string.Concat(options.AuthorizationEndpoint, "?prompt=select_account");
  });
jaybro
3

If you are using gapi, then just add prompt: 'select_account'
Example:

gapi.load('auth2', function () {
    gapi.auth2.init({
        client_id: "client_id.apps.googleusercontent.com",
        scope: "profile email", // this isn't required
        ux_mode: 'redirect',
        redirect_uri: 'https://www.example.com',
        prompt: 'select_account' // show the account chooser on every sign-in
    }).then(function (auth2) {
        console.log("signed in: " + auth2.isSignedIn.get());
        // Declared locally to avoid creating an implicit global.
        var x = auth2.isSignedIn.get();
        auth2.isSignedIn.listen(onSignIn);
        var button = document.querySelector('#signInButton');
        button.addEventListener('click', function () {
            auth2.signIn();
        });
    });
});
Yash
3

For the Google API PHP client (https://github.com/google/google-api-php-client), you can do that as follows:

$client = new Google_Client();
$client->setApprovalPrompt("force");
$client->createAuthUrl();
saimcan