[OpenID] What about Logout?
Johannes Ernst
jernst+openid.net at netmesh.us
Thu Apr 9 02:00:14 UTC 2009
There is a whole other can of worms re how to best model roles in
OpenID.
For this use case, I was just thinking that I want to be:
example.com/~root as administrator of the example.com site
soccerfan.blogger.com as user of the example.com site in the soccer
forum
I'd like to be to be certain that after I have done a (small) number
of actions, I'm not accidentally doing something as root if I didn't
mean to.
In the Unix world, ^D at the command prompt. Is there an OpenID
equivalent?
On Apr 8, 2009, at 18:39, Peter Williams wrote:
> You might want to implement this with an impersonation model, rather
> than slo model, leveraging parallel (multiple) session compartments.
>
> Think of it in interface binding terms. An object class exports 2
> soap interfaces, where rbac enforced in the class loader or
> interface guard limits one's rights to bind an id to a particular
> interface (implies subset of methods and data types). Or
> equivalently, in rest and url land, rbac limits which subsets of
> urls and mime types one can bind the id to.
>
> If u do it like this, one gets a take/grant authorization model, in
> which 1 id can delegate to another, when the roles are sent in the
> authz element of the assertion. The ax authority releasing roles
> need not be the same op as is doing user auth (or one can be a front
> for the other).
>
> -----Original Message-----
> From: Johannes Ernst <jernst+openid.net at netmesh.us>
> Sent: Wednesday, April 08, 2009 2:40 PM
> To: general List <general at openid.net>
> Subject: Re: [OpenID] What about Logout?
>
>
> I'd like to have a single-sign-out button.
>
> There are plenty of use cases. Here is one: Changing roles.
>
> I log into a bunch of sites with an "administrator" OpenID, to do
> maintenance for example.
> Then I'm done as administrator, and I'd like to go back to being a
> regular user on all of those sites with a "user" OpenID.
>
>
>
>
> Johannes Ernst
> NetMesh Inc.
>
More information about the general
mailing list