No subject

Wed Apr 8 00:30:30 UTC 2009

ngle Sign Out behavior, where the RP's authentication session appears to be=
 tied to the user's Facebook browser session. Aparently, logging out of eit=
her FB or any RP will log the user out of all sites.


Luke Shepard wrote:
Re: [OpenID]  What about Logout

I think it would be relatively easy to add to the next spec. We could add a=
n additional mode or two - say, "logout_setup" or "logout_immediate". They =
would be behave the same as checkid_immediate and checkid_setup, except in =
reverse - the RP must supply the correct user credentials, and the OP can t=
hen log them out and return only "success" or "failure".

Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<TITLE>Re: [OpenID] What about Logout?</TITLE>
<FONT FACE=3D"Calibri, Verdana, Helvetica, Arial"><SPAN STYLE=3D'font-size:=
11pt'>Certainly, there are definitely RPs and OPs that won&#8217;t want to =
support this. That&#8217;s okay- it should be an optional feature.<BR>
Consider checkid_immediate, which lets an OP tell an RP silently that the u=
ser is logged in. There are OPs that may choose not to reveal this informat=
ion, and always return negative. That&#8217;s fine.<BR>
Similarly, if we added a logout_immediate mode, then there are OPs that may=
 choose not to support it. That&#8217;s fine too. Even with Facebook Connec=
t we don&#8217;t log out immediately &#8211; first we show the user a notic=
e that they are being logged out, which hangs for about 2 seconds. We imple=
mented it that way after extensively user testing several other options.<BR=
The spec should support the most common use cases, even if they aren&#8217;=
t the right thing for everyone. This is clearly a use case that shows up in=
 the wild, so it should be part of the spec for federated identity.<BR>
On 4/8/09 11:52 AM, &quot;Allen Tom&quot; &lt;<a href=3D"atom at
">atom at</a>&gt; wrote:<BR>
</SPAN></FONT><BLOCKQUOTE><FONT FACE=3D"Calibri, Verdana, Helvetica, Arial"=
><SPAN STYLE=3D'font-size:11pt'>Should RPs also support a logout request fr=
om the OP?<BR>
For instance, if the user is signed into RP1 and RP2, and RP1 sends a logou=
t request to the OP, should the OP then notify RP2 that the user has logged=
This gets really messy. As Peter mentioned, some RPs may insist that their =
authentication sessions are independent of other RPs that the user may be c=
urrently signed into.<BR>
I believe that Google has mentioned that Single Sign Out is very undesirabl=
e for their business customers.<BR>

More information about the general mailing list