Users can log into my site using Google Identity, via the Open ID protocol. However I'm not sure how to invalidate their session with google identity when they click log out. At the moment, I can invalidate their session cookies on my site, but if the user selects to log in with Google Identity again, it won't prompt them for credentials again, because they already logged in. Options I've tried to resolve this:
- The
end_session_endpointfrom the Session Management spec, but Google Identity doesn't implement that. - The
frontchannel_logout_urifrom the FrontChannel Logout spec, but Google Identity doesn't implement that either. - The
backchannel_logout_urifrom the BackChannel Logout spec, but Google Identity doesn't implement that either. - Hitting https://www.google.com/accounts/Logout in an iframe when the user logs out, but this terminates their Google login everywhere, not just my site.
Is there a supported way of invalidating Open ID sessions for Google Identity?