[OpenID] What about Logout?

Allen Tom atom at yahoo-inc.com
Wed Apr 8 18:52:00 UTC 2009

Should RPs also support a logout request from the OP?

For instance, if the user is signed into RP1 and RP2, and RP1 sends a 
logout request to the OP, should the OP then notify RP2 that the user 
has logged out?

This gets really messy. As Peter mentioned, some RPs may insist that 
their authentication sessions are independent of other RPs that the user 
may be currently signed into.

I believe that Google has mentioned that Single Sign Out is very 
undesirable for their business customers.

 From a security and usability perspective, I personally prefer 
Connect's Single Sign Out behavior, where the RP's authentication 
session appears to be tied to the user's Facebook browser session. 
Aparently, logging out of either FB or any RP will log the user out of 
all sites.


Luke Shepard wrote:
> I think it would be relatively easy to add to the next spec. We could 
> add an additional mode or two - say, "logout_setup" or 
> "logout_immediate". They would be behave the same as checkid_immediate 
> and checkid_setup, except in reverse -- the RP must supply the correct 
> user credentials, and the OP can then log them out and return only 
> "success" or "failure".

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20090408/b09d0c55/attachment.htm>

More information about the general mailing list