[OpenID] What about Logout?

Deron Meranda deron.meranda at gmail.com
Wed Apr 8 16:40:09 UTC 2009

On Wed, Apr 8, 2009 at 11:29 AM, Jack Cleaver <jack at jackpot.uk.net> wrote:
> This seems to me to be entirely rational, and what I would expect.
> Certainly I would *not* expect any RP to be able to destroy my OP
> session without my explicit say-so. Really, I don't think anything I do
> on website A should have any effect on my session at website B.

I agree that an RP should not have the ability to change the
user's established relation with an OP, which forcing a
logout would do.

However I can also see the case where it may be useful to
remind the user when they logout of an RP that they have
not logged out of their OP.  If a user hits a "logout" button
on the RP site it is important that they realize that they did
not also log out of the OP.

What could complicate this is that the user may have logged
into their OP in the first place as part of the workflow of
logging into the RP.  So from the user's perspective they may
have only logged in "once" (although technically under the
OpenID surface two logins happened); so I can see how users
may think they only have to logout once as well ... and possibly
leaving their accounts exposed.

I think it might be a reasonable extension for the OP to provide
a URL to the RP, which the RP can later redirect the user to when
the RP's session is terminated.  This OP-provided URL can
then do whatever the OP wants; such as offering to log the
user out of the OP, etc.  Of course there should be no automatic

While we're on the logout issue.  Another extension that I could
see being useful is if during the login flow, that the OP can
provide the RP with a validity time period.  Say if the policy of
the OP is to require user reauthentication every 2 hours.  It
would be nice if it could tell all the RPs authenticating with
it about this 2-hour time frame.  Of course the RP is free to
ignore this "hint", but it could also use that to re-authentication
against the OP at that time too.  Perhaps this best fits into
a PAPE extension?
Deron Meranda

More information about the general mailing list