[OpenID] What about Logout?

Andrew Arnott andrewarnott at gmail.com
Thu Apr 9 04:58:26 UTC 2009

It IS possible already for an RP to destroy an OP session.  Two URLs have
already been given on this thread for very large OPs, that if the RP simply
redirected the user agent to when the user logged out of the RP, would
automatically also log the user out of the OP.
If this is undesirable behavior, perhaps OpenID 2.1 should forbid it.

On the other hand, I think a facility for OPs to have an optional Log Out
All button for a user to log out of all RPs at once would be a very useful
and user-centric feature that would allow the user to log out of everything
without having to clear all cookies.

Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire

On Wed, Apr 8, 2009 at 8:29 AM, Jack Cleaver <jack at jackpot.uk.net> wrote:

> Peter Williams wrote:
>> In our environment, a user typically has several SSO sessions open at
>> several RPs, each operating in different (sub) domains. Some subset of
>> them (call them RP1 and RP2) may be sharing session management with
>> Facebook - the OP.
>> We have been told numerous times by folks in control of their business
>> rules that any decision to log out the user from RP1 MUST
>> not log the user out of RP2. Assuming RP1 and RP2 are both talking
>> to Facebook OP, RP2 must be able to continue to use its association
>> to the OP after a logout exchange between RP1/OP, without the user having
>> to re-authenticate (create a new IDP session).
> This seems to me to be entirely rational, and what I would expect.
> Certainly I would *not* expect any RP to be able to destroy my OP
> session without my explicit say-so. Really, I don't think anything I do
> on website A should have any effect on my session at website B.
> If it is *possible* for an RP to destroy my OP session, then some RP
> will sooner or later be configured to do just that. Therefore I think it
> should not be possible.
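The two effects under discussion (an RP's logout page redirecting the user agent to the OP's logout URL, versus Peter's requirement that RP2 keep working off its association after RP1 logs out) can be made concrete with a toy model. The following is an added example written for this archive page, not code from the thread or from any OpenID library; the OP endpoint, the "/logout" path, and the cookie handling are assumptions. It separates the three pieces of state that the posts treat as distinct: the OP's login session (a cookie in the browser), each RP's own session, and the RP/OP association (a shared MAC key that has nothing to do with any user). Only the first of these is destroyed by the redirect.

```python
"""Toy OpenID 2.0 OP/RP session model (added example; endpoint and paths are assumed)."""
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse


@dataclass
class Association:
    handle: str
    secret: bytes  # MAC key shared by RP and OP; independent of any user's login session


class OpenIDProvider:
    """Hypothetical OP: one cookie-backed login session per user agent, plus RP associations."""

    def __init__(self, endpoint="https://op.example/openid"):  # assumed endpoint
        self.endpoint = endpoint
        self.sessions = {}       # OP session cookie -> claimed identifier
        self.associations = {}   # assoc_handle -> Association

    def login(self, identifier):
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = identifier
        return cookie

    def associate(self):
        a = Association(handle=secrets.token_urlsafe(8), secret=secrets.token_bytes(20))
        self.associations[a.handle] = a
        return a

    @property
    def logout_url(self):
        return self.endpoint + "/logout"  # assumed path; the "already given URLs" in the thread play this role

    def handle_request(self, url, cookie):
        """Dispatch a user-agent GET to the OP; returns the response fields as a dict."""
        parsed = urlparse(url)
        if parsed.path.endswith("/logout"):
            self.sessions.pop(cookie, None)  # the OP session dies regardless of which RP sent the browser here
            return {"logged_out": True}
        q = parse_qs(parsed.query)
        if q.get("openid.mode") == ["checkid_immediate"]:
            handle = q["openid.assoc_handle"][0]
            if handle not in self.associations:
                return {"openid.mode": "error", "openid.error": "unknown association"}
            if cookie not in self.sessions:
                return {"openid.mode": "setup_needed"}  # valid association, but no OP session: user must re-authenticate
            return {"openid.mode": "id_res", "openid.claimed_id": self.sessions[cookie],
                    "openid.assoc_handle": handle}
        return {"openid.mode": "error"}


class Browser:
    """User agent holding the OP's cookie; any redirect to the OP carries that cookie along."""

    def __init__(self, op):
        self.op = op
        self.op_cookie = None

    def get(self, url):
        return self.op.handle_request(url, self.op_cookie)


class RelyingParty:
    def __init__(self, realm, op):
        self.realm = realm
        self.op = op
        self.assoc = op.associate()  # established once, reused for many users and logins
        self.sessions = {}           # RP session cookie -> claimed identifier

    def login_immediate(self, browser):
        url = self.op.endpoint + "?" + urlencode({
            "openid.mode": "checkid_immediate",
            "openid.assoc_handle": self.assoc.handle,
            "openid.realm": self.realm,
        })
        resp = browser.get(url)
        if resp.get("openid.mode") != "id_res":
            return None
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = resp["openid.claimed_id"]
        return cookie

    def logout(self, rp_cookie, browser, also_log_out_of_op=False):
        self.sessions.pop(rp_cookie, None)
        if also_log_out_of_op:
            browser.get(self.op.logout_url)  # the redirect Andrew describes: kills the OP session too
        return "/"  # ordinary post-logout landing page


def scenario(rp1_redirects_to_op_logout):
    """Log into RP1 and RP2 via one OP session, log out of RP1, report what RP2 is left with."""
    op = OpenIDProvider()
    browser = Browser(op)
    browser.op_cookie = op.login("https://alice.example/")  # constructed identifier
    rp1 = RelyingParty("https://rp1.example/", op)
    rp2 = RelyingParty("https://rp2.example/", op)
    c1 = rp1.login_immediate(browser)
    c2 = rp2.login_immediate(browser)
    assert c1 and c2
    rp1.logout(c1, browser, also_log_out_of_op=rp1_redirects_to_op_logout)
    return {
        "rp2_session_alive": c2 in rp2.sessions,                       # RP2's own cookie is never touched
        "rp2_silent_reauth_ok": rp2.login_immediate(browser) is not None,  # can RP2 still rely on the OP silently?
        "rp2_association_valid": rp2.assoc.handle in op.associations,  # the RP/OP secret survives either way
    }
```

Running scenario(False) leaves RP2 able to re-authenticate silently; scenario(True) leaves RP2's own session and its association intact but turns the next checkid_immediate into setup_needed, which is exactly the "user has to create a new IDP session" outcome Peter's business rules forbid.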
