[OpenID] What about Logout?

Rabbit rabbit at cyberpunkrock.com
Thu Apr 9 08:23:23 UTC 2009


On Apr 8, 2009, at 11:43 PM, Peter Williams wrote:

>
> And if a user's RP page consists of a mashup of several other RPs,  
> each supported by one of several (RP's choice of) OPs?
>


The RP should work within its own domain of concerns.
When it comes to SSO, the RP is only concerned with two things:

1) The User session with an OP
2) The RP session with the User

(And the RP is only concerned with #1 by the nature of the protocol.)

RP sessions are started by logging in through one OP. That is the only  
OP the RP should be concerned with. If the RP supplies widgets for  
other services that the User logs into using different OPs, those  
widgets are additional RPs and none of the initial RP's concern. The RP  
should not care how the User is logged into those other widgets. It's  
only concerned with providing the widgets to the user. The  
functionality of those widgets is handled mostly out of band (i.e.,  
Netvibes supplying a Facebook widget).

If I'm not understanding your example, and it truly is the RP's  
responsibility to manage the sessions of multiple OPs for a single  
User, then I would say it still comes down to two choices:

1) A "Logout" link that ends the session between RP and User.
2) A "Logout" dialog that gives the User the choice of which sessions  
to end.

The second option, I still strongly feel, is more within the OP's  
domain of concerns and so the User should be sent to the OP where they  
may be given the option to end sessions with individual RPs, all RPs,  
or sign out of the OP itself. Any cancel links would return the user  
back to the RP still signed in.

=Rabbit
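As an added example (not code from this thread or from any OpenID library), a minimal relying-party session model in Python that keeps the two concerns above separate: an RP session is bound to the one OP it was started through, widget logins are bookkeeping only, a local logout ends just the RP/User session, and the OP-side logout is a redirect from which a cancel brings the user back still signed in. The OP logout URL and its return_to parameter are assumptions; the OpenID Authentication spec defines no OP logout endpoint.

```python
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlencode


@dataclass
class RPSession:
    claimed_id: str
    op_endpoint: str  # the single OP this RP session was started through
    # Logins the user performs inside embedded widgets, each via its own OP.
    # Recorded for display only; they never change which OP this session is bound to.
    widget_logins: dict = field(default_factory=dict)


class RelyingParty:
    def __init__(self, site_url, op_logout_urls):
        self.site_url = site_url
        # Hypothetical map OP endpoint -> OP logout page (assumption, not in the spec).
        self.op_logout_urls = op_logout_urls
        self.sessions = {}

    def login(self, claimed_id, op_endpoint):
        # Called after a positive assertion has been verified; starts the RP/User session.
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = RPSession(claimed_id, op_endpoint)
        return sid

    def record_widget_login(self, sid, widget, op_endpoint):
        # Out-of-band widget login: noted, but not this RP's concern.
        self.sessions[sid].widget_logins[widget] = op_endpoint

    def is_signed_in(self, sid):
        return sid in self.sessions

    def logout_local(self, sid):
        # Option 1: end only the RP/User session. The OP session and any widget
        # sessions are untouched. Returns False if there was no session to end.
        return self.sessions.pop(sid, None) is not None

    def op_logout_redirect(self, sid):
        # Option 2: hand the user to the OP the session was started with and let
        # the OP offer per-RP / all-RP / OP sign-out. The RP session is left in
        # place so a cancel at the OP returns the user here still signed in.
        session = self.sessions[sid]
        base = self.op_logout_urls[session.op_endpoint]
        return base + "?" + urlencode({"return_to": self.site_url + "/account"})
```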


