[OpenID] What about Logout?

Peter Williams pwilliams at rapattoni.com
Thu Apr 9 03:43:38 UTC 2009


And if a user's RP page consists of a mashup of several other RPs, each supported by one of several (RP's choice of) OPs?

One reality of a websso-powered world is that an OP->RP relationship gives way to a user wandering from that RP to other RPs.

I log on using a Shib IDP to my Google desktop RP hosted by Google Apps, which renders multiple widgets, one of which is a favorites/RSS site showing a bunch of URL hyperlinks, which when clicked bring up a new browser window on yahoo.com (after an OpenID auth exchange between some Yahoo RP and the MySpace OP).

So who is doing the multi-session coordination for the desktop, and who is in control of network "logout" - and "what is the single network?" one is logging out of in the UCI conception of the world?


> -----Original Message-----
> From: Rabbit [mailto:rabbit at cyberpunkrock.com]
> Sent: Wednesday, April 08, 2009 8:36 PM
> To: Johannes Ernst
> Cc: Peter Williams; general List
> Subject: Re: [OpenID] What about Logout?
>
> If I click logout, one of two things should happen:
>
> * The RP should end their session with the User.
> * The RP should send the User to the OP where the User will decide the
> mode of their session (ie: switch users, sign out of OP, etc.)
>
> Anything else is just confusing. We're having a hard enough time
> teaching users how to log in. Let's assume users are going to treat
> "Logout" as it is treated without OpenID or take them to the place
> where they would trust for other options.
>
> =Rabbit
>
> On Apr 8, 2009, at 10:00 PM, Johannes Ernst wrote:
>
> > There is a whole other can of worms re how to best model roles in
> > OpenID.
> >
> > For this use case, I was just thinking that I want to be:
> >       example.com/~root as administrator of the example.com site
> >       soccerfan.blogger.com as user of the example.com site in the soccer forum
> >
> > I'd like to be to be certain that after I have done a (small) number
> > of actions, I'm not accidentally doing something as root if I didn't
> > mean to.
> >
> > In the Unix world, ^D at the command prompt. Is there an OpenID
> > equivalent?
> >
> >
> >
> > On Apr 8, 2009, at 18:39, Peter Williams wrote:
> >
> >> You might want to implement this with an impersonation model,
> >> rather than slo model, leveraging parallel (multiple) session
> >> compartments.
> >>
> >> Think of it in interface binding terms. An object class exports 2
> >> soap interfaces, where rbac enforced in the class loader or
> >> interface guard limits one's rights to bind an id to a particular
> >> interface (implies subset of methods and data types). Or
> >> equivalently, in rest and url land, rbac limits which subsets of
> >> urls and mime types one can bind the id to.
> >>
> >> If u do it like this, one gets a take/grant authorization model, in
> >> which 1 id can delegate to another, when the roles are sent in the
> >> authz element of the assertion. The ax authority releasing roles
> >> need not be the same op as is doing user auth (or one can be a
> >> front for the other).
> >>
> >> -----Original Message-----
> >> From: Johannes Ernst <jernst+openid.net at netmesh.us>
> >> Sent: Wednesday, April 08, 2009 2:40 PM
> >> To: general List <general at openid.net>
> >> Subject: Re: [OpenID] What about Logout?
> >>
> >>
> >> I'd like to have a single-sign-out button.
> >>
> >> There are plenty of use cases. Here is one: Changing roles.
> >>
> >> I log into a bunch of sites with an "administrator" OpenID, to do
> >> maintenance for example.
> >> Then I'm done as administrator, and I'd like to go back to being a
> >> regular user on all of those sites with a "user" OpenID.
> >>
> >>
> >>
> >>
> >> Johannes Ernst
> >> NetMesh Inc.
> >>
> >
> > _______________________________________________
> > general mailing list
> > general at openid.net
> > http://openid.net/mailman/listinfo/general