[OpenID] What about Logout?

Jack Cleaver jack at jackpot.uk.net
Wed Apr 8 15:29:38 UTC 2009

Peter Williams wrote:
> In our environment, a user typically has several SSO sessions open at
> several RPs, each operating in different (sub) domains. Some subset
> of them (call them RP1 and RP2) may be sharing session management
> with Facebook - the OP.
> We have been told numerous times by folks in control of their
> business rules that any decision to logout the user from one RP1 MUST
> not log the user out of RP2. Assuming RP1 and RP2 are both talking
> to Facebook OP, RP2 must be able to continue to use its association
> to the OP after a logout exchange between RP1/OP, without the user
> having to re-authenticate (create a new IDP session).

This seems to me to be entirely rational, and what I would expect.
Certainly I would *not* expect any RP to be able to destroy my OP
session without my explicit say-so. Really, I don't think anything I do
on website A should have any effect on my session at website B.

If it is *possible* for an RP to destroy my OP session, then some RP
will sooner or later be configured to do just that. Therefore I think it
should not be possible.
