How to Sign Out of Google After Being Authenticated

Why doesn't the user need to renter their password after signing out?

I wanted to give some clarity to why the user instantly signs back in and why some of these solutions don't work on iOS 13.

The following does in fact sign the user out of your app:

GIDSignIn.sharedInstance().signOut()

But it does not sign the user out from google in Safari itself!! Try this for yourself, sign into a google account in your app. Sign out from the app and then go to accounts.google.com in your Safari browser, the account will still be signed in! So the cookies are being shared with the default Safari browser but why?

After investigating a little bit I found this in the OIDExternalUserAgentiOS class that handles the actual interactive auth flow.

  // iOS 12 and later, use ASWebAuthenticationSession
  if (@available(iOS 12.0, *)) {
    // ASWebAuthenticationSession doesn't work with guided access (rdar://40809553)
    if (!UIAccessibilityIsGuidedAccessEnabled()) {
      __weak OIDExternalUserAgentIOS *weakSelf = self;
      NSString *redirectScheme = request.redirectScheme;
      ASWebAuthenticationSession *authenticationVC =
          [[ASWebAuthenticationSession alloc] initWithURL:requestURL
                                        callbackURLScheme:redirectScheme
                                        completionHandler:^(NSURL * _Nullable callbackURL,
                                                            NSError * _Nullable error) {
        __strong OIDExternalUserAgentIOS *strongSelf = weakSelf;
        if (!strongSelf) {
            return;
        }
        strongSelf->_webAuthenticationVC = nil;
        if (callbackURL) {
          [strongSelf->_session resumeExternalUserAgentFlowWithURL:callbackURL];
        } else {
          NSError *safariError =
              [OIDErrorUtilities errorWithCode:OIDErrorCodeUserCanceledAuthorizationFlow
                               underlyingError:error
                                   description:nil];
          [strongSelf->_session failExternalUserAgentFlowWithError:safariError];
        }
      }];
#if __IPHONE_OS_VERSION_MAX_ALLOWED >= 130000
      if (@available(iOS 13.0, *)) {
          authenticationVC.presentationContextProvider = self;
      }
#endif
      _webAuthenticationVC = authenticationVC;
      openedUserAgent = [authenticationVC start];
    }
  }
  // iOS 11, use SFAuthenticationSession
  if (@available(iOS 11.0, *)) {
    // SFAuthenticationSession doesn't work with guided access (rdar://40809553)
    if (!openedUserAgent && !UIAccessibilityIsGuidedAccessEnabled()) {
      __weak OIDExternalUserAgentIOS *weakSelf = self;
      NSString *redirectScheme = request.redirectScheme;
      SFAuthenticationSession *authenticationVC =
          [[SFAuthenticationSession alloc] initWithURL:requestURL
                                     callbackURLScheme:redirectScheme
                                     completionHandler:^(NSURL * _Nullable callbackURL,
                                                         NSError * _Nullable error) {
        __strong OIDExternalUserAgentIOS *strongSelf = weakSelf;
        if (!strongSelf) {
            return;
        }
        strongSelf->_authenticationVC = nil;
        if (callbackURL) {
          [strongSelf->_session resumeExternalUserAgentFlowWithURL:callbackURL];
        } else {
          NSError *safariError =
              [OIDErrorUtilities errorWithCode:OIDErrorCodeUserCanceledAuthorizationFlow
                               underlyingError:error
                                   description:@"User cancelled."];
          [strongSelf->_session failExternalUserAgentFlowWithError:safariError];
        }
      }];
      _authenticationVC = authenticationVC;
      openedUserAgent = [authenticationVC start];
    }
  }
  // iOS 9 and 10, use SFSafariViewController
  if (@available(iOS 9.0, *)) {
    if (!openedUserAgent && _presentingViewController) {
      SFSafariViewController *safariVC =
          [[SFSafariViewController alloc] initWithURL:requestURL];
      safariVC.delegate = self;
      _safariVC = safariVC;
      [_presentingViewController presentViewController:safariVC animated:YES completion:nil];
      openedUserAgent = YES;
    }
  }
  // iOS 8 and earlier, use mobile Safari
  if (!openedUserAgent){
    openedUserAgent = [[UIApplication sharedApplication] openURL:requestURL];
  }

If you are on iOS 12+ it uses ASWebAuthenticationService, which shares cookies with Safari by default! For iOS 11, 10, 9, 8 it's a similar situation with different execution methods. Also something interesting I found in Apple documentation here about SFSafariViewController:

In iOS 9 and 10, it [SFSafariViewController] shares cookies and other website data with Safari.

When the google sign in page appears, it shares cookies with Safari. This is why we aren't being signed out of google completely. In fact, this seems to be completely intentional.

How do we sign out the user?

This works for all iOS versions that GIDSignIn supports:

let url = URL(string: "https://accounts.google.com/Logout")!
UIApplication.shared.open(url, options: [:], completion: nil)

Unfortunately this redirects the user outside the app. But you can explain the necessity in an UIAlertController before calling open.


Swift

try GIDSignIn.sharedInstance().signOut()

objective - c

[[GIDSignIn sharedInstance] signOut];

Yes, like @Rahul said following code would be the right way of going about it.

GIDSignIn.sharedInstance().signOut()

https://developers.google.com/identity/sign-in/ios/sign-in?ver=swift#sign_out_the_user


Wanted to elaborate a bit on the previous answers after playing with the GoogleSignIn SDK.

I saw the signOut() and disconnect() methods and was wondering what the differences were.

signOut() is a synchronous call:

// Immediately sets GIDSignIn.sharedInstance()?.currentUser to nil. 
// For example, if the user is already signed in:

print(GIDSignIn.sharedInstance()?.currentUser != nil) // true - signed in
GIDSignIn.sharedInstance()?.signOut()
print(GIDSignIn.sharedInstance()?.currentUser != nil) // false - signed out

disconnect() allows a user to revoke access to the app in addition to logging out. I assume this means they'll need to re-grant any permissions to your app if they choose to log in again.

According to Google's Developer Docs if a user chooses to disconnect from your app, then you'll need to remove any of the user's Google data that has been stored in your app.

Also, disconnect() is asynchronous. The result of the disconnect call will be returned to the GIDSignInDelegate.sign(_:didDisconnectWith:withError:) method.

// Also sets GIDSignIn.sharedInstance()?.currentUser to nil. 
// Asynchronous call. If for example the user was already signed in:

print(GIDSignIn.sharedInstance()?.currentUser != nil) // true - signed in
GIDSignIn.sharedInstance()?.disconnect()
print(GIDSignIn.sharedInstance()?.currentUser != nil) // true - still signed in

// MARK: - GIDSignInDelegate
func sign(_ signIn: GIDSignIn!, didDisconnectWith user: GIDGoogleUser!, withError error: Error!) {
    print(GIDSignIn.sharedInstance()?.currentUser != nil) // false - signed out

    // Remove any data saved to your app obtained from Google's APIs for this user.
}