Google Cloud Identity Aware Proxy (IAP) Force logout

I'm trying to work out how to log out a user who is using an application behind Google IAP.

The end goal is to be able to bounce the user right back to the initial process they completed the first time they visited the site (i.e. they cannot access my application until they sign in again).

I've looked at the documentation and all I can see is the "Clearing user login" section of https://cloud.google.com/iap/docs/special-urls-howto

However, when the user is redirected to /_gcp_iap/clear_login_cookie, this sets the GCP_IAAP_AUTH_TOKEN cookie to none and then redirects the user to the root of my application. The request to / then in turn redirects the user to https://accounts.google.com/o/oauth2/v2/auth (including many GET params), which in turn redirects the user to /_gcp_gatekeeper/authenticate, which then sets the GCP_IAAP_AUTH_TOKEN cookie again and finally delivers the user back to my application (now logged back in as if nothing happened).

Could the issue here be that the user is still logged into other Google account applications (e.g. Google Cloud Console, Gmail, etc.)?

I wondered if I could perhaps send the GCP_IAAP_AUTH_TOKEN cookie value to https://accounts.google.com/o/oauth2/revoke?token=token; however, this appears to be stripped by the IAP load balancer.

Any and all assistance appreciated on this one.

Ddene answered 16/11/2017 at 12:34

Hey @Ddene, are there any workarounds you did? – Polyphony

What you're seeing is that clear_login_cookie clears the IAP login cookie, but it isn't intended to do anything about the fact that the user is still logged into Google.

We do have a change rolling out soon that will force the user back to the account-select screen after clear_login_cookie. You can preview what this will look like by going to https://myaccount.google.com/permissions and clicking on your application in that list, selecting "Remove Access", and then visiting clear_login_cookie.

I'm not sure whether that's what you're looking for, though. Could you tell me more about what your goal is?

--Matthew, Google Cloud IAP

Stringed answered 18/11/2017 at 7:20

The change you describe above sounds like what I need; do you have any rough timeframes for its deployment? We're using IAP to provide a 2FA-capable authentication layer over the top of an existing web application. One of the required features is the ability for the user to log out of the application and only be able to access it again once they have re-authenticated (i.e. manually entered authentication factors such as a password). Many thanks. – Ddene

Additionally, if I'm looking at this correctly, the only way to "log out" the user as required above is to revoke the Google OAuth token issued the first time the user logs in to the application, a token which is currently stripped by the IAP load balancer. In such case, I appreciate any and all help as my hands are rather tied! (My apologies if you received a few notifications for this post; I had a small argument with the Stack Overflow comment editor.) – Ddene

Ok, I understand the use case now. Indeed, clear_login_cookie won't help. "Token revoke" won't help either: the credential in the IAP cookie is an OpenID Connect token, not an OAuth token. We statically validate that token using the signature, so there's no way to revoke it. (More in follow-up comment.) – Stringed

One common way to handle this is something called "reauthentication" or "user presence test". The general idea behind that is that if reauth is turned on for an application, there's an extra step that needs to happen, e.g. re-validate the password and/or 2nd factor, before granting application access (even if the user is still logged in via the identity provider). If you'd like to file a feature request at issuetracker.google.com/issues/… that would be helpful. Thanks! – Stringed

@MatthewSachs, reauthentication: any documentation for this? – Polyphony

Hi @Pasupathi, this is still an open feature request. issuetracker.google.com/issues/69698275 is tracking it. – Stringed

@MatthewSachs, why was this marked Won't Fix (Obsolete)? – Cantrell

Sorry, I'm not sure. I'm no longer at Google or involved with IAP. – Stringed

I know it's been a while, but maybe it could help somebody in the future: we had a similar issue where we wanted to implement basically 'account switching', so when the user clicks 'sign out' we don't want to sign that person automatically back in, and just show the available providers. This kinda sounds like the 'initial state' you're talking about.

So after much looking, I've found this resource: https://cloud.google.com/iap/docs/external-identity-sessions#signing_users_out

It describes usage of the ?gcp-iap-mode=GCIP_SIGNOUT query parameter to log out of IAP, and it has resolved our issue.

Pulitzer answered 1/12/2022 at 12:04

I believe this is only for "external identities", not Google accounts. – Cantrell
