No prompt for re-authentication with OAuth2. Why and how to force it?

滥情空心 2021-01-19 00:11

I would like to understand something please. I have an application based on OAuth2 with Google Accounts.

So, the first time I connect to this website, I am redirecte

3 answers
  • 2021-01-19 00:32

    It's hard to say, since it depends on what the flow was that was being executed.

    Generally (with oauth) you weren't being prompted for authentication. You were being prompted for authorisation. Once you've authorised, you won't be prompted again, provided of course that the browser/google have some sort of session in existence which identifies the user.

    When you say "delete my cookie", which cookie?

    You can try going to this page https://accounts.google.com/b/0/IssuedAuthSubTokens?hl=en_GB and revoke the permission. That should then cause a repeat prompt.

  • 2021-01-19 00:40

    You can actually force re-authentication in the Google OAuth API by passing &max_auth_age=0 to the auth URL.

    Source:

    Use the PAPE extension for further control of user authentication (optional) Use the max_auth_age parameter in the PAPE extension to ensure that the login session of the user at Google is recent. You may also specify max_auth_age=0 to force a password reprompt.

    https://developers.google.com/accounts/docs/OpenID

    It's a bit confusing because they talk about OpenID, but I'm doing this successfully with Google's provided OAuth2 libs.

  • 2021-01-19 00:44

    The Google OAuth 2 API really doesn't give you a way to force re-authentication. Lots of people have asked for this capability though, and maybe we should provide it.
