[OpenID] What about Logout?

Johannes Ernst jernst+openid.net at netmesh.us
Thu Apr 9 02:00:14 UTC 2009


There is a whole other can of worms re how to best model roles in  
OpenID.

For this use case, I was just thinking that I want to be:
	example.com/~root as administrator of the example.com site
	soccerfan.blogger.com as user of the example.com site in the soccer forum

I'd like to be certain that after I have done a (small) number  
of actions, I'm not accidentally doing something as root if I didn't  
mean to.

In the Unix world, ^D at the command prompt. Is there an OpenID  
equivalent?



On Apr 8, 2009, at 18:39, Peter Williams wrote:

> You might want to implement this with an impersonation model, rather  
> than slo model, leveraging parallel (multiple) session compartments.
>
> Think of it in interface binding terms. An object class exports 2  
> soap interfaces, where rbac enforced in the class loader or  
> interface guard limits one's rights to bind an id to a particular  
> interface (implies subset of methods and data types). Or  
> equivalently, in rest and url land, rbac limits which subsets of  
> urls and mime types one can bind the  id to.
>
> If u do it like this, one gets a take/grant authorization model, in  
> which 1 id can delegate to another, when the roles are sent in the  
> authz element of the assertion. The ax authority releasing roles  
> need not be the same op as is doing user auth (or one can be a front  
> for the other).
>
> -----Original Message-----
> From: Johannes Ernst <jernst+openid.net at netmesh.us>
> Sent: Wednesday, April 08, 2009 2:40 PM
> To: general List <general at openid.net>
> Subject: Re: [OpenID] What about Logout?
>
>
> I'd like to have a single-sign-out button.
>
> There are plenty of use cases. Here is one: Changing roles.
>
> I log into a bunch of sites with an "administrator" OpenID, to do
> maintenance for example.
> Then I'm done as administrator, and I'd like to go back to being a
> regular user on all of those sites with a "user" OpenID.
>
>
>
>
> Johannes Ernst
> NetMesh Inc.
>
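
The parallel-compartment idea discussed in this thread, as an added sketch that is not code from either poster or from any OpenID library: each OpenID is bound to the URL prefixes its role may use, requests are attributed by path, and one identity can be ended without touching the other. The class names, the paths /admin and /forum/soccer, and the prefix-matching rule are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Compartment:
    """One authenticated OpenID bound to the URL prefixes its role may use."""
    openid: str
    role: str
    url_prefixes: tuple


def _covers(prefix, path):
    # Match whole path segments, so "/admin" does not cover "/administrator".
    p = prefix.rstrip("/")
    return path == p or path.startswith(p + "/")


@dataclass
class BrowserSession:
    """Several compartments side by side instead of one site-wide login."""
    compartments: dict = field(default_factory=dict)

    def bind(self, openid, role, url_prefixes):
        self.compartments[openid] = Compartment(openid, role, tuple(url_prefixes))

    def identity_for(self, path):
        """Most specific compartment covering path; None means anonymous."""
        best, best_len = None, -1
        for comp in self.compartments.values():
            for prefix in comp.url_prefixes:
                if _covers(prefix, path) and len(prefix) > best_len:
                    best, best_len = comp, len(prefix)
        return best

    def drop(self, openid):
        """The ^D equivalent: end one compartment, leave the others alone."""
        return self.compartments.pop(openid, None) is not None


def demo():
    # Constructed scenario using the two identities named in the message.
    s = BrowserSession()
    s.bind("example.com/~root", "administrator", ["/admin"])
    s.bind("soccerfan.blogger.com", "user", ["/forum/soccer"])
    before = s.identity_for("/admin/users").openid
    s.drop("example.com/~root")
    return before, s.identity_for("/admin/users")
```

Because a path with no covering compartment resolves to no identity, dropping the administrator compartment leaves /admin unauthenticated rather than falling back to the remaining user identity.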



