[OpenID] What about Logout?

Rabbit rabbit at cyberpunkrock.com
Thu Apr 9 03:35:44 UTC 2009


If I click logout, one of two things should happen:

* The RP should end their session with the User.
* The RP should send the User to the OP where the User will decide the  
mode of their session (i.e., switch users, sign out of OP, etc.)

Anything else is just confusing. We're having a hard enough time  
teaching users how to log in. Let's assume users are going to treat  
"Logout" as it is treated without OpenID or take them to the place  
where they would trust for other options.

=Rabbit

On Apr 8, 2009, at 10:00 PM, Johannes Ernst wrote:

> There is a whole other can of worms re how to best model roles in  
> OpenID.
>
> For this use case, I was just thinking that I want to be:
> 	example.com/~root as administrator of the example.com site
> 	soccerfan.blogger.com as user of the example.com site in the soccer forum
>
> I'd like to be certain that after I have done a (small) number  
> of actions, I'm not accidentally doing something as root if I didn't  
> mean to.
>
> In the Unix world, ^D at the command prompt. Is there an OpenID  
> equivalent?
>
>
>
> On Apr 8, 2009, at 18:39, Peter Williams wrote:
>
>> You might want to implement this with an impersonation model,  
>> rather than slo model, leveraging parallel (multiple) session  
>> compartments.
>>
>> Think of it in interface binding terms. An object class exports 2  
>> soap interfaces, where rbac enforced in the class loader or  
>> interface guard limits one's rights to bind an id to a particular  
>> interface (implies subset of methods and data types). Or  
>> equivalently, in rest and url land, rbac limits which subsets of  
>> urls and mime types one can bind the id to.
>>
>> If you do it like this, one gets a take/grant authorization model, in  
>> which 1 id can delegate to another, when the roles are sent in the  
>> authz element of the assertion. The ax authority releasing roles  
>> need not be the same op as is doing user auth (or one can be a  
>> front for the other).
>>
>> -----Original Message-----
>> From: Johannes Ernst <jernst+openid.net at netmesh.us>
>> Sent: Wednesday, April 08, 2009 2:40 PM
>> To: general List <general at openid.net>
>> Subject: Re: [OpenID] What about Logout?
>>
>>
>> I'd like to have a single-sign-out button.
>>
>> There are plenty of use cases. Here is one: Changing roles.
>>
>> I log into a bunch of sites with an "administrator" OpenID, to do
>> maintenance for example.
>> Then I'm done as administrator, and I'd like to go back to being a
>> regular user on all of those sites with a "user" OpenID.
>>
>>
>>
>>
>> Johannes Ernst
>> NetMesh Inc.
>>
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
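
The following is an added example, not part of any message in this thread: a sketch of the parallel session compartments with URL-bound roles discussed above, on the RP side, where ending one compartment never silently falls back to another identity. The class, method names and the role-to-prefix policy are hypothetical; the two identifiers are the ones from the use case in the thread.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical RP policy: which URL prefixes each role may bind to.
ROLE_PREFIXES = {
    "administrator": ("/admin/", "/forum/"),
    "user": ("/forum/",),
}

@dataclass
class BrowserSession:
    """One browser session with one compartment per verified identifier."""
    compartments: dict = field(default_factory=dict)  # identifier -> roles
    active: Optional[str] = None

    def login(self, identifier, roles):
        # Assumes the OP's assertion (and the roles sent with it) was verified.
        self.compartments[identifier] = set(roles)
        self.active = identifier

    def switch(self, identifier):
        if identifier not in self.compartments:
            raise KeyError("no live compartment for " + identifier)
        self.active = identifier

    def logout(self, identifier=None):
        """End one compartment; the user must then pick an identity explicitly."""
        identifier = identifier or self.active
        self.compartments.pop(identifier, None)
        if self.active == identifier:
            self.active = None  # no implicit fallback to another identity

    def authorize(self, path):
        """Return the acting identifier, or None if the request is denied."""
        if self.active is None:
            return None
        for role in self.compartments[self.active]:
            if path.startswith(ROLE_PREFIXES.get(role, ())):
                return self.active
        return None  # only the active compartment's roles are consulted

def demo():
    s = BrowserSession()
    s.login("example.com/~root", ["administrator"])
    s.login("soccerfan.blogger.com", ["user"])
    seen = [s.authorize("/admin/users")]       # active identity is the user
    s.switch("example.com/~root")
    seen.append(s.authorize("/admin/users"))   # explicit switch to root
    s.logout()                                 # the "^D" for the root compartment
    seen.append(s.authorize("/forum/soccer"))  # nothing active until chosen
    s.switch("soccerfan.blogger.com")
    seen.append(s.authorize("/forum/soccer"))
    return seen
```
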
