[OpenID] What about Logout?
Allen Tom
atom at yahoo-inc.com
Wed Apr 8 18:52:00 UTC 2009
Should RPs also support a logout request from the OP?
For instance, if the user is signed into RP1 and RP2, and RP1 sends a
logout request to the OP, should the OP then notify RP2 that the user
has logged out?
This gets really messy. As Peter mentioned, some RPs may insist that
their authentication sessions are independent of other RPs that the user
may be currently signed into.
I believe that Google has mentioned that Single Sign Out is very
undesirable for their business customers.
From a security and usability perspective, I personally prefer
Connect's Single Sign Out behavior, where the RP's authentication
session appears to be tied to the user's Facebook browser session.
Apparently, logging out of either FB or any RP will log the user out of
all sites.
Allen
Luke Shepard wrote:
>
>
> I think it would be relatively easy to add to the next spec. We could
> add an additional mode or two - say, "logout_setup" or
> "logout_immediate". They would behave the same as checkid_immediate
> and checkid_setup, except in reverse -- the RP must supply the correct
> user credentials, and the OP can then log them out and return only
> "success" or "failure".
>