[OpenID] What about Logout?
jack at jackpot.uk.net
Wed Apr 8 15:29:38 UTC 2009
Peter Williams wrote:
> In our environment, a user typically has several SSO sessions open at
> several RPs, each operating in different (sub) domains. Some subset
> of them (called them RP1 and RP2) may be sharing session management
> with Facebook - the OP.
> We have been told numerous times by folks in control of their
> business rules that any decision to log out the user from RP1 MUST
> not log the user out of RP2. Assuming RP1 and RP2 are both talking
> to Facebook OP, RP2 must be able to continue to use its association
> to the OP after a logout exchange between RP1/OP, without the user
> having to re-authenticate (create a new IDP session).
This seems to me to be entirely rational, and what I would expect.
Certainly I would *not* expect any RP to be able to destroy my OP
session without my explicit say-so. Really, I don't think anything I do
on website A should have any effect on my session at website B.
If it is *possible* for an RP to destroy my OP session, then some RP
will sooner or later be configured to do just that. Therefore I think it
should not be possible.
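To make the session scoping being argued for concrete, here is a small model of one OP and two RPs that I have added to this archive page; it is a constructed example, not code from the OpenID specification, from Facebook's OP, or from either poster. The OP holds the user's login session and one association (shared HMAC secret) per RP; each RP keeps its own local session and verifies assertions with its association secret. Logging out of RP1 only clears RP1's store; RP2's session and the OP session are untouched, and RP2 can still obtain a fresh assertion with no re-authentication. The OP deliberately exposes no RP-callable logout: ending the OP session requires the browser cookie that only the user holds. Names such as `checkid_immediate`, `end_session` and the identifier `https://alice.example/` are assumptions for this illustration.

```python
# Toy model of OpenID session scoping: one OP, two RPs, one user.
# Constructed example; not the OpenID spec or any real OP's/RP's code.
import hashlib
import hmac
import secrets


class OP:
    """Identity provider: holds the user's login session and one association per RP."""

    def __init__(self):
        self.sessions = {}       # op_cookie -> claimed identifier
        self.associations = {}   # assoc_handle -> (rp_name, shared secret)

    def login(self, identity):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = identity
        return cookie

    def associate(self, rp_name):
        handle = secrets.token_hex(8)
        secret = secrets.token_bytes(32)
        self.associations[handle] = (rp_name, secret)
        return handle, secret

    def checkid_immediate(self, op_cookie, assoc_handle):
        """Return a signed assertion if the user is logged in here, else None (setup needed)."""
        identity = self.sessions.get(op_cookie)
        if identity is None or assoc_handle not in self.associations:
            return None
        _, secret = self.associations[assoc_handle]
        msg = f"{identity}|{assoc_handle}".encode()
        sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
        return {"identity": identity, "assoc_handle": assoc_handle, "sig": sig}

    def end_session(self, op_cookie):
        """Only the user's browser holds op_cookie; there is no RP-callable OP logout."""
        self.sessions.pop(op_cookie, None)


class RP:
    """Relying party: keeps its own session, verifies assertions with its association secret."""

    def __init__(self, name, op):
        self.name = name
        self.op = op
        self.assoc_handle, self.secret = op.associate(name)
        self.local_sessions = {}  # rp_cookie -> identity

    def login(self, op_cookie):
        # op_cookie is presented by the user's browser during the redirect, never by the RP.
        assertion = self.op.checkid_immediate(op_cookie, self.assoc_handle)
        if assertion is None:
            return None
        msg = f"{assertion['identity']}|{assertion['assoc_handle']}".encode()
        expected = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return None
        rp_cookie = secrets.token_hex(16)
        self.local_sessions[rp_cookie] = assertion["identity"]
        return rp_cookie

    def logout(self, rp_cookie):
        """Logging out of this RP touches only this RP's own session store."""
        self.local_sessions.pop(rp_cookie, None)

    def is_logged_in(self, rp_cookie):
        return rp_cookie in self.local_sessions


def scenario():
    """Walk through the RP1-logout case from the thread and report each party's state."""
    op = OP()
    rp1, rp2 = RP("rp1", op), RP("rp2", op)
    op_cookie = op.login("https://alice.example/")   # constructed identifier
    c1 = rp1.login(op_cookie)
    c2 = rp2.login(op_cookie)
    rp1.logout(c1)                                   # user logs out of RP1 only
    state = {
        "rp1_after_logout": rp1.is_logged_in(c1),
        "rp2_after_rp1_logout": rp2.is_logged_in(c2),
        "op_session_alive": op_cookie in op.sessions,
        # RP2 (and RP1 again) can get a fresh assertion with no re-authentication.
        "rp2_immediate_ok": rp2.login(op_cookie) is not None,
        "rp1_immediate_ok": rp1.login(op_cookie) is not None,
    }
    op.end_session(op_cookie)                        # the user, not an RP, ends the OP session
    state["rp2_immediate_after_op_logout"] = rp2.login(op_cookie) is not None
    state["rp2_local_after_op_logout"] = rp2.is_logged_in(c2)
    return state
```

The last two entries show the caveat a deployer should keep in mind: ending the OP session stops new silent logins, but it does not reach into sessions the RPs already established, so per-RP logout and OP logout are independent operations in both directions.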