<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Should RPs also support a logout request from the OP?<br>
<br>
For instance, if the user is signed into RP1 and RP2, and RP1 sends a
logout request to the OP, should the OP then notify RP2 that the user
has logged out?<br>
<br>
This gets really messy. As Peter mentioned, some RPs may insist that
their authentication sessions are independent of other RPs that the
user may be currently signed into.<br>
<br>
I believe that Google has mentioned that Single Sign Out is very
undesirable for their business customers.<br>
<br>
>From a security and usability perspective, I personally prefer
Connect's Single Sign Out behavior, where the RP's authentication
session appears to be tied to the user's Facebook browser session.
Aparently, logging out of either FB or any RP will log the user out of
all sites.<br>
<br>
Allen<br>
<br>
<br>
Luke Shepard wrote:
<blockquote cite="mid:C60204FD.29769%25lshepard@facebook.com"
type="cite">
<title>Re: [OpenID] What about Logout</title>
<font face="Calibri, Verdana, Helvetica, Arial"><span
style="font-size: 11pt;"><br>
<br>
I think it would be relatively easy to add to the next spec. We could
add an additional mode or two - say, “logout_setup” or
“logout_immediate”. They would be behave the same as checkid_immediate
and checkid_setup, except in reverse – the RP must supply the correct
user credentials, and the OP can then log them out and return only
“success” or “failure”. <br>
<br>
</span></font></blockquote>
<br>
</body>
</html>