
So I'm using Firebase-UI to authenticate and sign in users. I need to use the account chooser in order for them to sign in to a different Google account (not using the account chooser results in it auto-signing them in). However, I want to either prevent it from displaying and saving accounts, or remove them on sign out.

And this is the Firebase-UI web I'm using: Firebase UI web

This isn't a huge issue when the application is running on a user's machine. However, it will also be running on a public machine with many users signing in and out, and we can't have them saved as an easy one-click sign in. The biggest security issue is the fact that I can also log into their emails once they've authenticated with Google. We want it to forget them once they sign out.

My sign-in flow:

    <script type="text/javascript">
        // FirebaseUI config.
        var uiConfig = {
            callbacks: {
                signInSuccess: function (user, credential, redirectUrl) {
                    // Profile fields that are POSTed to the server (the credential is not sent).
                    var userSignIn = {
                        displayName: user.displayName,
                        email: user.email,
                        emailVerified: user.emailVerified,
                        photoURL: user.photoURL,
                        uid: user.uid,
                        phoneNumber: user.phoneNumber
                    };
                    /* POST signed in user to Login Controller */
                    var csrfToken = $('input[name="csrfToken"]').attr('value');
                    $.ajaxSetup({
                        beforeSend: function (xhr) {
                            xhr.setRequestHeader('Csrf-Token', csrfToken);
                        }
                    });
                    $.ajax({
                        url: '/signedIn',
                        type: 'POST',
                        data: JSON.stringify(userSignIn),
                        contentType: 'application/json',
                        error: function (err) {
                            console.log(err);
                        }
                    });
                    // Returning true lets FirebaseUI redirect to signInSuccessUrl.
                    return true;
                }
            },
            signInSuccessUrl: '/Dashboard',
            signInOptions: [{
                provider: firebase.auth.GoogleAuthProvider.PROVIDER_ID,
                scopes: ['https://www.googleapis.com/auth/calendar']
            }],
            // Terms of service url.
            tosUrl: '/Terms'
        };

        // Initialize the FirebaseUI widget with the Firebase Auth instance.
        var ui = new firebaseui.auth.AuthUI(firebase.auth());
        // The start method will wait until the DOM is loaded.
        ui.start('#firebaseui-auth-container', uiConfig);
    </script>

Sign-out flow:

    initApp = function () {
        firebase.auth().onAuthStateChanged(function (user) {
            if (user) {
                // User is signed in.
                if (window.location.pathname === "/Login" || window.location.pathname === "/") {
                    window.location.href = '/Dashboard';
                }
                $('#sign-out').show();
            } else {
                // User is signed out.
                $('#sign-out').hide();
                disableLinks();
                switch (window.location.pathname) {
                    case "/Login":
                    case "/Terms":
                    case "/Help":
                        break;
                    default:
                        window.location.href = '/Login';
                }
            }
        }, function (error) {
            console.log(error);
        });
    };

    window.addEventListener('load', function () {
        initApp();
        document.getElementById('sign-out').addEventListener('click', function () {
            firebase.auth().signOut().then(function () {
                // Clear any client-side state left over from the session.
                sessionStorage.clear();
                localStorage.clear();
                window.location = "/Logout";
            }).catch(function (error) {
                console.log(error);
            });
        });
    });
  • It is possible to do some customization to the Google Sign-In if you [handle some of the steps manually](https://firebase.google.com/docs/auth/web/google-signin#advanced-handle-the-sign-in-flow-manually). You may not be able to get the user's account removed from the sign-in list (that's what features like Chrome's [guest mode](https://support.google.com/chrome/answer/6130773?co=GENIE.Platform%3DDesktop&oco=1) are really for). But, you may be able to bake the SSO features into your app more tightly, thereby hopefully making it more apparent to your users that they should remember to sign out. – HondaGuy Nov 14 '17 at 21:19
  • on signout, delete the localStorage object that holds the account information – ASomN Sep 24 '20 at 12:15

1 Answer


On sign-out from Firebase Auth, redirect to Google's single sign-out URL:

firebase.auth().signOut()
  .then(function() {
    window.location.assign('https://accounts.google.com/Logout');
  })
  .catch(function(error) {
    console.log(error);
  });
  • Here's a solution for getting the user back to the URL you want them to see after logout is complete: https://stackoverflow.com/a/31093843/2162226 – Gene Bo Jun 27 '18 at 20:57
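The three mechanisms discussed on this page (Firebase `signOut()`, clearing local/session storage as in the question's handler and ASomN's comment, and the redirect to Google's logout URL from the answer) combined into one sign-out routine for a shared machine. This is an added example, not code from the question or the answer; the Firebase, storage and navigation objects are passed in so the logic can be exercised outside a browser, and the browser wiring at the bottom is an assumed stand-in for the question's `#sign-out` button.

```javascript
// Google's single sign-out endpoint, as given in the answer above.
var GOOGLE_LOGOUT_URL = 'https://accounts.google.com/Logout';

// auth:     object with signOut() returning a Promise (firebase.auth() in the browser)
// storages: array of Storage-like objects with clear() (localStorage, sessionStorage)
// nav:      object with assign(url) (window.location in the browser)
// Resolves with a small result record describing what happened.
function signOutEverywhere(auth, storages, nav) {
  var result = { firebaseSignedOut: false, storageCleared: false, redirectedTo: null, error: null };
  return auth.signOut()
    .then(function () { result.firebaseSignedOut = true; })
    .catch(function (err) {
      // A failed Firebase sign-out must not stop the rest: on a public machine
      // the cached user still has to go and the Google session still has to end.
      result.error = err;
    })
    .then(function () {
      storages.forEach(function (s) { s.clear(); });
      result.storageCleared = true;
      // Leaving the page for Google's logout URL ends the browser's Google
      // session, so the next person is not auto-signed in as the previous one.
      nav.assign(GOOGLE_LOGOUT_URL);
      result.redirectedTo = GOOGLE_LOGOUT_URL;
      return result;
    });
}

// Assumed browser wiring, mirroring the question's sign-out button.
if (typeof window !== 'undefined' && typeof firebase !== 'undefined') {
  window.addEventListener('load', function () {
    document.getElementById('sign-out').addEventListener('click', function () {
      signOutEverywhere(firebase.auth(), [localStorage, sessionStorage], window.location);
    });
  });
}

// Constructed stand-ins so the routine can be run and checked outside a browser.
function makeFakeStorage() {
  var cleared = false;
  return { clear: function () { cleared = true; }, wasCleared: function () { return cleared; } };
}
function makeFakeNav() {
  return { url: null, assign: function (u) { this.url = u; } };
}
```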