Auto logout request ... again

Hi Google,

It’s been 7 years since this was first requested, and mine will be the fifth post, but can you please build something in that ensures people are automatically logged out after an admin-configurable period of inactivity? (Bonus points if an admin can remotely force a user’s logout).

I’m no security expert, and I haven’t fact-checked ChatGPT, but apparently all the following certifications and/or standards require or expect this feature:

  • PCI, if touching cardholder data
  • HIPAA - US healthcare data
  • Australian digital health records
  • NIST SP 800-53 / 800-63
  • Australian Signals Directorate - for government data and implemented by many enterprises
  • SOC2, strongly implied
  • ISO/IEC 27001, annex A

Personally I don’t comprehend the people who’ve replied to earlier posts saying to manage this through automatically locking computer screens (it’s a web app; they could be accessing it from any computer in the world and you can’t control that), or training people to use WindowsKey+L (seriously? You’re recommending a process notoriously prone to human error over automating compliance with the above standards, certifications and guidelines?).

Given the rabbit warren that is Google permissions management, it’s pretty astounding that a full 7 years after this first being flagged, Google hasn’t picked this up and built a solution for AppSheet apps.

:confused:

1 Like

Having said all the above... my test app uses Google as the identity provider. If I manually click the “log out” link on the app I am then taken to a screen asking me to sign back in with Google.

If I then click on Google, because of how Single Sign On works, I am signed back in … without asking me for any further authentication proof.

All this to say - what does it even mean to sign out of an individual app if your authorisation still persists via the identity provider’s session?

Maybe this is why AppSheet has never implemented a sign out option. The real sign out - from a “security perspective” (read: when a user clicks sign out they expect no-one else could access their account with that app again without providing authentication credentials again) is to sign fully out of Google (in this case) or whichever SSO identity provider is being used.

Food for thought... or discussion.

Your question reflects an incomplete understanding of how AppSheet works. You are never “signed-in” to the app; you’re signed-in to Google (or whatever identity provider), and allowed access to the app by merit of that identity. Auto-logout has to occur where the login occurred, which is the identity provider, not the app. You might–might!–be able to accomplish what you want if you provide your own OAuth identity service. Then you could affect login status however you want. But you may still run into problems because of identity caching and offline support.

3 Likes
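The reply above describes the mechanics: the app never holds the login, the identity provider does, so an app-level "log out" followed by "sign in with Google" silently resumes the IdP session. What an app that owns its own session layer *can* do is illustrated by the following added example. It is not AppSheet or Google code and is not from anyone in this thread; it assumes a generic OpenID Connect identity provider, an app that keeps a server-side session, and constructed values for the policy, endpoints and ID-token claims. It enforces an admin-configurable inactivity timeout, an admin force-logout, and, after any logout, refuses a login whose ID token shows the IdP authenticated the user before that logout (`auth_time` earlier than the logout), so a cached IdP session cannot be replayed into the app without fresh authentication. Verification of the ID token signature is assumed to have been done by an OIDC library before `login()` sees the claims.

```python
"""Relying-party session controls for an app that signs users in through an SSO IdP.

Added example, not AppSheet's or Google's code. Assumes a generic OpenID Connect
identity provider; all names, policy values, endpoints and claim sets here are
constructed for illustration. ID-token signature verification is assumed to be
done by an OIDC library; this code consumes the already-verified claims.
"""
import secrets
import time
from dataclasses import dataclass
from urllib.parse import urlencode


@dataclass
class Policy:
    idle_timeout_s: int = 900   # admin-configurable inactivity window (assumed value)
    skew_s: int = 60            # tolerated clock skew between the app and the IdP


@dataclass
class Session:
    sub: str          # subject identifier from the ID token
    last_seen: float  # app clock at the last request on this session
    auth_time: int    # when the IdP says it authenticated the user


class SessionStore:
    """App-side sessions plus a record of when each subject was logged out.

    Logging out here cannot end the IdP session, so the app records the logout
    time and refuses any later login whose ID token says the IdP authenticated
    the user before that logout (i.e. silent SSO reuse).
    """

    def __init__(self, policy: Policy, clock=time.time):
        self.policy = policy
        self.clock = clock           # injectable so the demo can move time forward
        self._sessions = {}          # session id -> Session
        self._logged_out_at = {}     # sub -> app clock at last logout

    def touch(self, sid: str) -> bool:
        """Called on every request: True if the session is alive, else expire it."""
        s = self._sessions.get(sid)
        if s is None:
            return False
        now = self.clock()
        if now - s.last_seen > self.policy.idle_timeout_s:
            self._end(sid)
            return False
        s.last_seen = now
        return True

    def logout(self, sid: str) -> None:
        if sid in self._sessions:
            self._end(sid)

    def admin_force_logout(self, sub: str) -> int:
        """Terminate every session of one subject; returns how many were ended."""
        victims = [sid for sid, s in self._sessions.items() if s.sub == sub]
        for sid in victims:
            self._end(sid)
        self._logged_out_at[sub] = self.clock()   # also blocks a silent re-login
        return len(victims)

    def _end(self, sid: str) -> None:
        s = self._sessions.pop(sid)
        self._logged_out_at[s.sub] = self.clock()

    def authorize_url(self, endpoint, client_id, redirect_uri, state, nonce, fresh):
        """Build the authorization request; after a logout ask the IdP to re-authenticate.

        prompt=login and max_age=0 are standard OIDC parameters, but providers differ
        in which they honour, so login() below is the real enforcement point.
        """
        params = {"response_type": "code", "scope": "openid email", "client_id": client_id,
                  "redirect_uri": redirect_uri, "state": state, "nonce": nonce}
        if fresh:
            params["prompt"] = "login"
            params["max_age"] = "0"
        return f"{endpoint}?{urlencode(params)}"

    def login(self, claims: dict) -> str:
        """Create a session from verified ID-token claims, or refuse a stale authentication."""
        sub = claims["sub"]
        cutoff = self._logged_out_at.get(sub)
        if cutoff is not None:
            auth_time = claims.get("auth_time")   # present when max_age was requested
            if auth_time is None or auth_time + self.policy.skew_s < cutoff:
                raise PermissionError("IdP authentication predates app logout; re-authenticate")
            del self._logged_out_at[sub]
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(sub, self.clock(), int(claims.get("auth_time", self.clock())))
        return sid


def demo() -> dict:
    """Walk through idle expiry, silent-SSO refusal and admin force-logout with a fake clock."""
    now = [1_700_000_000.0]
    store = SessionStore(Policy(idle_timeout_s=900), clock=lambda: now[0])
    sid = store.login({"sub": "alice", "auth_time": 1_699_999_990})   # constructed claims
    alive_before = store.touch(sid)
    now[0] += 901                                # user idle longer than the policy allows
    alive_after = store.touch(sid)
    try:                                         # browser replays the IdP's still-valid session
        store.login({"sub": "alice", "auth_time": 1_699_999_990})
        stale_refused = False
    except PermissionError:
        stale_refused = True
    fresh_sid = store.login({"sub": "alice", "auth_time": int(now[0])})   # re-authenticated
    fresh_ok = store.touch(fresh_sid)
    ended = store.admin_force_logout("alice")
    forced_out = ended == 1 and not store.touch(fresh_sid)
    return {"alive_before": alive_before, "alive_after": alive_after,
            "stale_refused": stale_refused, "fresh_ok": fresh_ok, "forced_out": forced_out}


if __name__ == "__main__":
    print(demo())
```

This only protects the one app that runs it: the IdP session itself is untouched, which is exactly the point made above, so a user who walks away from a shared browser is still signed in to the provider and to every other app federated through it. Whether `prompt=login` is honoured is provider-specific (Google's documentation lists `none`, `consent` and `select_account`), which is why the check on `auth_time` in `login()`, not the query parameter, is what actually enforces re-authentication.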

Yep. Agree. Gaining that understanding yesterday led me down a rabbit hole of reading lots of information on how security of systems compares between using SSO and password vaults - not only for preventing initial access, but for damage control in the event the identity provider or vault account is compromised.

Additionally, with many standards mandating an actual sign-out whereby you cannot regain access to the account without signing back in, I feel that offering “log out” links is misleading to those who don’t understand what you’ve just explained. I cannot be the only one who didn’t fully comprehend this until faced with the scenario described yesterday. This, I feel, probably reduces the security of accounts. There must be people who click “log out” on shared computers thinking they’ve removed access to their accounts, without understanding that if they authenticated with an identity provider they haven’t actually ended that session.

I guess my question becomes more of a discussion on the relative merits of different approaches - and not so much a question about AppSheet specifically, anymore. If nothing else, I hope anyone else looking for an answer to the same initial question, can now get a bigger picture understanding too.

2 Likes