[OpenID] What about Logout?

Peter Williams pwilliams at rapattoni.com
Thu Apr 9 08:47:10 UTC 2009 

I like the thinking, and it was very clearly expressed.

But there is the case that different widgets [being openid...where RP's (vs user's) discover and select metadata] choose different OPs which like yahoo may have persistent OP sessions.

Thus the OP supporting the initial desktop page does not know all sessions.
Thus the RP rendering the desktop page does not know all widget sessions.
Thus no one widget knows all widget sessions.

There is no obvious party that knows all sessions, to present a multi-session authority UI for user selected-logout. Only a browser plugin could be knowing the total picture.

As I said in a private  email to some folks, the nearest we came to addressing this (to us, a very real issue set) with current open standards was to impose SAML2's idp-proxying model on the widgets, forcing the widgets to use the same IDP as the desktop RP.  But even this was not entirely successful, and openid auth has no constrained op proxying model - in any case.

> -----Original Message-----
> From: Rabbit [mailto:rabbit at cyberpunkrock.com]
> Sent: Thursday, April 09, 2009 1:23 AM
> To: Peter Williams
> Cc: Johannes Ernst; general List
> Subject: Re: [OpenID] What about Logout?
>
>
> On Apr 8, 2009, at 11:43 PM, Peter Williams wrote:
>
> >
> > And if a users RP page consists of a mashup of several other RPs,
> > each supported by one of several (RP's choice of) OPs?
> >
>
>
> The RP should work within its own domain of concerns.
> When it comes to SSO, the RP is only concerned with two things:
>
> 1) The User session with an OP
> 2) The RP session with the User
>
> (And the RP is only concerned with #1 by the nature of the protocol.)
>
> RP sessions are started by logging in through one OP. That is the only
> OP the RP should be concerned with. If the RP supplies widgets for
> other services that the User logs into using different OPs, those
> widgets are additional RPs and none of the initial RPs concern. The RP
> should not care how the User is logged into those other widgets. It's
> only concerned with providing the widgets to the user. The
> functionality of those widgets is handled mostly out of band (ie:
> Netvibes supplying a Facebook widget).
>
> If I'm not understanding your example, and it truly is the RPs
> responsibility to manage the sessions of multiple OPs for a single
> User, then I would say it still comes down to two choices:
>
> 1) A "Logout" link that ends the session between RP and User.
> 2) A "Logout" dialog that gives the User the choice of which sessions
> to end.
>
> The second option, I still strongly feel, is more within the OPs
> domain of concerns and so the User should be sent to the OP where they
> may be given the option to end sessions with individual RPs, all RPs,
> or sign out of the OP itself. Any cancel links would return the user
> back to the RP still signed in.
>
> =Rabbit

More information about the general mailing list