[OpenID] What about Logout?

Rabbit rabbit at cyberpunkrock.com
Thu Apr 9 08:36:20 UTC 2009


Unless I'm mistaken, those URLs are for traditional logout not single  
sign-off.

That feature would only be effective in annoying users.

* User signs into OP
* User signs into RP1
* User signs into RP2
* User clicks "Logout" on RP2
* User goes to OP and discovers they are not logged in
* User goes to RP1 and may or may not be logged in (depending on  
cookies)

Single Sign-On is great because so long as you're in your OP,  
everything is cohesive. The logout scheme described above appears  
broken and confusing.

I agree the feature would be nice but I absolutely hate when I forget  
I signed in using Facebook, click "Logout" and later discover I'm not  
signed into Facebook. The intention of the Logout must be clearly  
presented to the user. If a "Logout" link is anything other than  
ending the session between the User and the RP, a dialog must be  
displayed (either at the RP itself or at the Users' OP logout page)  
that gives the User the chance to logout of individual RP's, all RP's,  
or cancel the process.

=Rabbit

On Apr 9, 2009, at 12:58 AM, Andrew Arnott wrote:

> It IS possible already for an RP to destroy an OP session.  Two URLs  
> have already been given on this thread for very large OPs, that if  
> the RP simply redirected the user agent to when the user logged out  
> of the RP, would automatically also log the user out of the OP.
>
> If this is undesirable behavior, perhaps OpenID 2.1 should forbid it.
>
> On the other hand, I think a facility for OPs to have an optional  
> Log Out All button for a user to log out of all RPs at once would be  
> a very useful, and user-centric feature that would allow the user to  
> log out of everything without having to clear all cookies.
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the  
> death your right to say it." - Voltaire
>
>




More information about the general mailing list