[OpenID] What about Logout?

Deron Meranda deron.meranda at gmail.com
Wed Apr 8 19:27:43 UTC 2009

On Wed, Apr 8, 2009 at 2:52 PM, Allen Tom <atom at yahoo-inc.com> wrote:
> Should RPs also support a logout request from the OP?
> For instance, if the user is signed into RP1 and RP2, and RP1 sends a logout
> request to the OP, should the OP then notify RP2 that the user has logged
> out?

All the participants must be considered as separate authorities; so no, I
don't think RP1 should be able to cause a logout of OP to begin with; not
even to mention the cascade effect.

However limited notifications could be useful; but nothing that is

> I believe that Google has mentioned that Single Sign Out is very undesirable
> for their business customers.

And I would normally agree with this position.

However, the only concession I have is that there could be cases where
an end user sees a leaky abstraction---where the process of logging in
and the process of logging out are not symmetric, and therefore
confusing to a user.

Consider the following flow when the user logs into RP1
1. User tries to login to RP1
2. RP1 sends user to OP for authentication (via OpenID protocol)
3. OP notices user is not logged in (to OP) and performs authentication
4. an OP login session has been established
5. OP returns to RP1 with a valid claim response
6. RP1 establishes a login session

(Of course some OP's choose to never make the leap in step 3;
they require the user have previsously logged in ... but many
OPs will do this though)

As far as the end user is concerned, they only logged in ONCE.
But in reality TWO logins happened: one at the OP and one at RP1.

Now when the user logs out of RP1:
1. User presses logout button at RP1
2. RP1 terminates session

However, the OP session is still potentially active, even if the user
is not aware of it.  They logged out once, just like they logged in once.
The user's perception of undoing the processes of logging in does
not match reality.

This is why I think notifications or something similar could be
useful.  But notifications should never forcibly do anything.  Neither
RP1 nor OP can cause the other to terminate a login session,
and any party should be free to ignore any such messages.

I think that perhaps some sort of extension should be made to
the PAPE attributes for this.
Deron Meranda

More information about the general mailing list