[OpenID] Feedback from OpenID demo
Martin Atkins
mart at degeneration.co.uk
Wed May 27 17:30:12 UTC 2009
Martin Atkins wrote:
>
> Also, without the RP periodically checking in with the OP this doesn't
> seem to solve the problem: if I use the "Log Out" function on one RP I
> get logged out of that RP and my OP but not any other RPs I'm already
> logged in to. Doing some kind of call to the OP on every request (or
> every few requests), much as is done with Facebook Connect today, can
> solve this problem, but it creates new problems:
>
> * The user experience on the RP may be impacted in a far worse way if
> the OP is down or slow.
>
> * It dramatically increases the amount of load an OP has to deal with;
> many of today's OPs probably aren't scaled to deal with it.
>
> * It will need to deal sensibly with the transition between one
> identifier and another as well as the transition between logged out and
> logged in and vice-versa. In Facebook's current implementation I can
> attach multiple identifiers to my account, so this change in identifier
> might also change the OP in use, requiring the RP to check in with all
> of them.
>
Here's an additional problem, while I'm at it:
* Since the check is done client-side in order to change session state
on the RP's server side, an attacker could simply cheat the session
check by messing with the client and make use of the RP's existing session.
In other words, the user thinks he's logged out but in reality he's not
logged out unless he goes to every site he's logged in to and lets the
session synchronization call complete.
Therefore this isn't really single sign-out, it's just presenting the
illusion of single sign-out. The session remains active until the client
ends it on an RP-by-RP basis.
This is less of an issue in the Facebook Connect case because the RP is
often using the Facebook session to make API calls to Facebook, which
will check the credentials. The session synchronization call is really
just to prevent bad UX when an API call fails after the page has
seemingly loaded just fine. When an RP is only using OpenID for auth and
not going on to make any other calls to the OP this is not true.
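As an added illustration (not code from this thread or any OpenID library), the following Python model contrasts a relying party that ends its session only when a client-side sync beacon reports the logout with one that asks the OP server-to-server whether the OP session is still active; the OP and RP classes, their in-memory session registries and the user "alice" are all constructed assumptions.

```python
import secrets

class OP:
    """Identity provider: keeps a registry of live OP sessions (assumed model)."""
    def __init__(self):
        self.sessions = {}          # op_session_id -> user identifier
    def login(self, user):
        sid = secrets.token_hex(8)
        self.sessions[sid] = user
        return sid
    def logout(self, sid):
        self.sessions.pop(sid, None)
    def is_active(self, sid):
        return sid in self.sessions

class RP:
    """Relying party. server_check=True verifies the OP session server-to-server
    on every request; server_check=False only trusts a client-side sync beacon."""
    def __init__(self, op, server_check):
        self.op, self.server_check = op, server_check
        self.sessions = {}          # rp_session_id -> op_session_id
    def login(self, op_sid):
        rp_sid = secrets.token_hex(8)
        self.sessions[rp_sid] = op_sid
        return rp_sid
    def client_sync(self, rp_sid, client_says_logged_out):
        # Client-driven sync: the RP session ends only if the browser reports the logout.
        if client_says_logged_out:
            self.sessions.pop(rp_sid, None)
    def is_logged_in(self, rp_sid):
        op_sid = self.sessions.get(rp_sid)
        if op_sid is None:
            return False
        if self.server_check and not self.op.is_active(op_sid):
            self.sessions.pop(rp_sid, None)   # OP session is gone: end the RP session server-side
            return False
        return True

def simulate(server_check, client_reports_logout):
    op = OP()
    op_sid = op.login("alice")
    rp_a, rp_b = RP(op, server_check), RP(op, server_check)
    a_sid, b_sid = rp_a.login(op_sid), rp_b.login(op_sid)
    # User clicks "Log Out" on RP A: RP A and the OP both end their sessions.
    rp_a.sessions.pop(a_sid)
    op.logout(op_sid)
    # RP B only learns of this via the client beacon, which may never report it.
    rp_b.client_sync(b_sid, client_reports_logout)
    return rp_b.is_logged_in(b_sid)     # True means RP B still treats the user as signed in
```

With the client-only design, `simulate(False, False)` returns True: RP B's session survives the "single sign-out" exactly as the message describes, whereas the server-side check in `simulate(True, False)` ends it regardless of what the client reports.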