[OpenID] What about Logout?

Luke Shepard lshepard at facebook.com
Wed Apr 8 14:38:37 UTC 2009


I agree, logout seems to be more and more important for a full single sign-on / sign-out experience. We found with Facebook Connect that we had to offer RPs the ability to log the user out of Facebook, for consistency.

Consider this: the user goes to the RP, clicks the "login" button, and then a popup comes up onto their OP. The user happily enters their credentials, popup closes, and they're in. Great! Then they hit "logout" on the site they're on, and go on their way. But if this is a shared terminal, then they still have a cookie onto their OP, which leaves them exposed. A better solution would be to let the RP log them out of their provider.

There are workarounds, some of which were suggested by Allen in previous threads - for instance, having a short cookie timeout, trying to detect recent activity, etc, but none are quite as clean as a solid logout trick.

I think it would be relatively easy to add to the next spec. We could add an additional mode or two - say, "logout_setup" or "logout_immediate". They would be behave the same as checkid_immediate and checkid_setup, except in reverse - the RP must supply the correct user credentials, and the OP can then log them out and return only "success" or "failure".


On 4/8/09 7:05 AM, "Santosh Rajan" <santrajan at gmail.com> wrote:



If an RP wants to logout the user not only from his site, but also from the
OP, there is no easy way for him to do it. Currently it is a pain. He needs
to figure how to log out from each OP himself, while most OP's havent even
documented this.
Eg. This is the Google Logout URL.
https://www.google.com/accounts/Logout
This is Yahoo's undocumented Logout URL.
https://login.yahoo.com/config/login?logout=1

Maybe we need to address this in 2.1? Like the OP may provide the Logout URL
in the discovery itself along with the endpoint URL?
--
View this message in context: http://www.nabble.com/What-about-Logout--tp22951181p22951181.html
Sent from the OpenID - General mailing list archive at Nabble.com.

_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20090408/2bf23485/attachment.htm>


More information about the general mailing list