[OpenID] What about Logout?

Peter Williams pwilliams at rapattoni.com
Wed Apr 8 19:23:30 UTC 2009


And what I'm trying to tell folks, quietly, is be careful - not everyone wants a master/slave session sync. If they do want some syncing, it comes with constraints. Build the protocol carefully, and don't get too religious about trust issues of who is, during logout, in control of other people's sessions. It's the USER's mashed-up (hosted) desktop full of widgets, not any one of the OPs' desktop.

I'm speaking as a national-scale, multi-site, B2B community that already has experience of SAML2's SLO, working on/across IDP and RP sites in which one browser can have multiple sessions per tenant, multiple sessions across tenants, the tenant can be an IDP/OP or RP, and any one tenant's session may be managed by our own session handlers to involve a third party (via openid2, SAML2, STS/ws-trust, WSF, ... websso protocols).


> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Martin Atkins
> Sent: Wednesday, April 08, 2009 12:15 PM
> Cc: general at openid.net
> Subject: Re: [OpenID] What about Logout?
>
>
> Am I right in thinking that in Facebook Connect's case this works with
> the "Session Sync" functionality so that once you log out of Facebook
> you're immediately logged out of sites that make use of session sync?
>
> In order to do this effectively with OpenID we'd need an equivalent
> Session Sync system.
>
> Luke Shepard wrote:
> > I agree, logout seems to be more and more important for a full single
> > sign-on / sign-out experience. We found with Facebook Connect that we
> > had to offer RPs the ability to log the user out of Facebook, for
> > consistency.
> >
> > Consider this: the user goes to the RP, clicks the "login" button, and
> > then a popup comes up onto their OP. The user happily enters their
> > credentials, popup closes, and they're in. Great! Then they hit "logout"
> > on the site they're on, and go on their way. But if this is a shared
> > terminal, then they still have a cookie onto their OP, which leaves them
> > exposed. A better solution would be to let the RP log them out of their
> > provider.
> >
> > There are workarounds, some of which were suggested by Allen in previous
> > threads - for instance, having a short cookie timeout, trying to detect
> > recent activity, etc, but none are quite as clean as a solid logout trick.
> >
> > I think it would be relatively easy to add to the next spec. We could
> > add an additional mode or two - say, "logout_setup" or
> > "logout_immediate". They would behave the same as checkid_immediate
> > and checkid_setup, except in reverse - the RP must supply the correct
> > user credentials, and the OP can then log them out and return only
> > "success" or "failure".
> >
> >
> > On 4/8/09 7:05 AM, "Santosh Rajan" <santrajan at gmail.com> wrote:
> >
> >
> >
> >     If an RP wants to logout the user not only from his site, but also
> >     from the OP, there is no easy way for him to do it. Currently it is a
> >     pain. He needs to figure how to log out from each OP himself, while
> >     most OPs haven't even documented this.
> >     Eg. This is the Google Logout URL.
> >     https://www.google.com/accounts/Logout
> >     This is Yahoo's undocumented Logout URL.
> >     https://login.yahoo.com/config/login?logout=1
> >
> >     Maybe we need to address this in 2.1? Like the OP may provide the
> >     Logout URL in the discovery itself along with the endpoint URL?
> >     --
> >     View this message in context:
> >     http://www.nabble.com/What-about-Logout--tp22951181p22951181.html
> >     Sent from the OpenID - General mailing list archive at Nabble.com.
> >
> >     _______________________________________________
> >     general mailing list
> >     general at openid.net
> >     http://openid.net/mailman/listinfo/general
> >
> >
> > ------------------------------------------------------------------------
> >
>
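The "logout_immediate" mode Luke Shepard proposes above, and the control question Peter raises about who may end whose session, can be made concrete with a small model of the request an RP would send and the checks an OP would run before answering "success" or "failure". The following is an added example written for this archive page; it is not code from the thread, from the OpenID specifications or from any OpenID library. The mode name comes from the proposal in the thread and is not a specification mode; the field names, the association handle, the request nonce and the HMAC-SHA256 signing over OpenID 2.0 style key-value form are all assumptions made here to show the shape of such an exchange, and the session and association data are constructed sample values.

```python
import hashlib
import hmac
import secrets

# --- State held by the OP (constructed sample data) -----------------------
# Association secrets by handle, as an OpenID 2.0 OP keeps them after the
# association exchange with an RP.
ASSOCIATIONS = {"assoc-rp-example-1": secrets.token_bytes(32)}
# Live browser sessions at the OP: claimed identifier -> OP session id.
OP_SESSIONS = {"https://alice.example.net/": "op-session-7f3a"}
# Nonces already accepted, so a captured logout request cannot be replayed.
SEEN_NONCES = set()


def kv_form(fields, names):
    """Key-value form of the signed fields, in the listed order (OpenID 2.0 style)."""
    return "".join(f"{n}:{fields['openid.' + n]}\n" for n in names).encode()


def sign(fields, names, key):
    """HMAC-SHA256 over the key-value form, hex encoded (assumed scheme)."""
    return hmac.new(key, kv_form(fields, names), hashlib.sha256).hexdigest()


# --- RP side ---------------------------------------------------------------
def build_logout_request(claimed_id, assoc_handle, key, return_to):
    """Hypothetical 'logout_immediate' request, signed under the RP's association."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "logout_immediate",  # proposed in the thread, not a spec mode
        "openid.claimed_id": claimed_id,
        "openid.assoc_handle": assoc_handle,
        "openid.return_to": return_to,
        "openid.nonce": secrets.token_hex(8),
    }
    signed = ["ns", "mode", "claimed_id", "assoc_handle", "return_to", "nonce"]
    fields["openid.signed"] = ",".join(signed)
    fields["openid.sig"] = sign(fields, signed, key)
    return fields


# --- OP side ---------------------------------------------------------------
def handle_logout(fields, sessions=OP_SESSIONS, associations=ASSOCIATIONS):
    """Answer 'success' only when the RP proved the request is its own and fresh."""
    if fields.get("openid.mode") != "logout_immediate":
        return "failure"
    key = associations.get(fields.get("openid.assoc_handle", ""))
    if key is None:
        return "failure"  # unknown association: the sender cannot be verified
    names = fields.get("openid.signed", "").split(",")
    if not {"mode", "claimed_id", "assoc_handle", "nonce"}.issubset(names):
        return "failure"  # the fields that decide the outcome must be signed
    try:
        expected = sign(fields, names, key)
    except KeyError:
        return "failure"  # a field listed in openid.signed is absent
    if not hmac.compare_digest(expected, fields.get("openid.sig", "")):
        return "failure"  # forged or tampered request
    nonce = fields["openid.nonce"]
    if nonce in SEEN_NONCES:
        return "failure"  # replay of an earlier, genuine request
    SEEN_NONCES.add(nonce)
    # End only the session the request names; every other user's session at
    # this OP is left alone, which is the control question Peter raises.
    if sessions.pop(fields["openid.claimed_id"], None) is None:
        return "failure"  # no such session here: nothing to log out
    return "success"


if __name__ == "__main__":
    key = ASSOCIATIONS["assoc-rp-example-1"]
    req = build_logout_request("https://alice.example.net/", "assoc-rp-example-1",
                               key, "https://rp.example.com/logged-out")
    print(handle_logout(req))  # success
    print(handle_logout(req))  # failure: nonce already used
```

The point of the model is that an RP-initiated logout is a state change at a site the RP does not own, so the OP treats it like any other signed request: it is accepted only from an RP it has an association with, only for the one identifier the RP names, and only once. An unsigned GET to a fixed logout URL, of the kind Santosh lists for Google and Yahoo, gives the OP none of those three checks, which is why the thread's discovery-based proposal and the mode-based proposal both still need the authentication step.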


