[OpenID] What about Logout?

Luke Shepard lshepard at facebook.com
Wed Apr 8 19:17:39 UTC 2009

Certainly, there are definitely RPs and OPs that won't want to support this. That's okay - it should be an optional feature.

Consider checkid_immediate, which lets an OP tell an RP silently that the user is logged in. There are OPs that may choose not to reveal this information, and always return negative. That's fine.

Similarly, if we added a logout_immediate mode, then there are OPs that may choose not to support it. That's fine too. Even with Facebook Connect we don't log out immediately - first we show the user a notice that they are being logged out, which hangs for about 2 seconds. We implemented it that way after extensively user testing several other options.

The spec should support the most common use cases, even if they aren't the right thing for everyone. This is clearly a use case that shows up in the wild, so it should be part of the spec for federated identity.

On 4/8/09 11:52 AM, "Allen Tom" <atom at yahoo-inc.com> wrote:

Should RPs also support a logout request from the OP?

For instance, if the user is signed into RP1 and RP2, and RP1 sends a logout request to the OP, should the OP then notify RP2 that the user has logged out?

This gets really messy. As Peter mentioned, some RPs may insist that their authentication sessions are independent of other RPs that the user may be currently signed into.

I believe that Google has mentioned that Single Sign Out is very undesirable for their business customers.

From a security and usability perspective, I personally prefer Connect's Single Sign Out behavior, where the RP's authentication session appears to be tied to the user's Facebook browser session. Apparently, logging out of either FB or any RP will log the user out of all sites.


Luke Shepard wrote:
Re: [OpenID]  What about Logout

I think it would be relatively easy to add to the next spec. We could add an additional mode or two - say, "logout_setup" or "logout_immediate". They would behave the same as checkid_immediate and checkid_setup, except in reverse - the RP must supply the correct user credentials, and the OP can then log them out and return only "success" or "failure".
