We've recently implemented Google Drive Picker functionality in our application. The API docs can be found at https://developers.google.com/picker/docs/
Our workflow is as follows:
- User clicks "Import from Google Drive"
- We authenticate the user via gapi.auth.authorize and then open the picker.
- The user can select one of their files, which we then download.
The problem we're having is that the Google API stores the token and related info in cookies on the client. If our user logs out of our application without logging out of Google, then another user working on the same machine could log in to our app, click "Import from Google Drive" and be presented with the first user's private files. I don't have access to these cookies because they are owned by the google.com domain.
I realize that technically if the 1st user didn't log out of Google, the 2nd user could just go to google.com and access all of their information, including their Drive files, but something doesn't feel right to me about one of our users logging out of our app, and then another user getting access to their Google Drive files later on behalf of our application.
So I ask:
- Is this just a side effect of OAuth 2.0 and I just have to live with it?
- Or is there something I can do to control the token that is used by the picker, or revoke access when our users log out?
Side note: We're having a similar issue with Dropbox's chooser. It just uses their session with Dropbox (doesn't use OAuth 2.0). If the user logs out of our site without logging out of Dropbox, the same thing happens. I contacted their support and they said the only thing I'd potentially be able to do is to redirect the user to https://www.dropbox.com/logout, which would log them out of Dropbox completely. This isn't really ideal either...
Any thoughts would be appreciated.
Thanks!
-Adam