No subject
Wed Apr 8 00:30:30 UTC 2009
Single Sign Out behavior, where the RP's authentication session appears to be tied to the user's Facebook browser session. Apparently, logging out of either FB or any RP will log the user out of all sites.
Allen
Luke Shepard wrote:
Re: [OpenID] What about Logout
I think it would be relatively easy to add to the next spec. We could add an additional mode or two - say, "logout_setup" or "logout_immediate". They would behave the same as checkid_immediate and checkid_setup, except in reverse - the RP must supply the correct user credentials, and the OP can then log them out and return only "success" or "failure".

Certainly, there are definitely RPs and OPs that won’t want to support this. That’s okay - it should be an optional feature.

Consider checkid_immediate, which lets an OP tell an RP silently that the user is logged in. There are OPs that may choose not to reveal this information, and always return negative. That’s fine.

Similarly, if we added a logout_immediate mode, then there are OPs that may choose not to support it. That’s fine too. Even with Facebook Connect we don’t log out immediately – first we show the user a notice that they are being logged out, which hangs for about 2 seconds. We implemented it that way after extensively user testing several other options.

The spec should support the most common use cases, even if they aren’t the right thing for everyone. This is clearly a use case that shows up in the wild, so it should be part of the spec for federated identity.

On 4/8/09 11:52 AM, "Allen Tom" <atom at yahoo-inc.com> wrote:

> Should RPs also support a logout request from the OP?
>
> For instance, if the user is signed into RP1 and RP2, and RP1 sends a logout request to the OP, should the OP then notify RP2 that the user has logged out?
>
> This gets really messy. As Peter mentioned, some RPs may insist that their authentication sessions are independent of other RPs that the user may be currently signed into.
>
> I believe that Google has mentioned that Single Sign Out is very undesirable for their business customers.