[OpenID] Logout Use Case
SitG Admin
sysadmin at shadowsinthegarden.com
Wed Sep 30 15:53:45 UTC 2009
What worries me in general about single-logout is that the user may
have multiple OPs with which they're signed in to a given RP, and
not want to have any party *except for that RP* aware that these OPs
(or the URIs they vouch for) are associated.
>The OP sending an iframe that logs the user agent out of all the RPs
>sounds cool, and simpler than the OAuth idea.
Better have some code in that iframe to detect if the user can't
currently connect to a RP for logout, and either keep trying or
present an error announcing that it couldn't be done.
Using just a single OAuth SP minimizes this risk, but what if you
*still* can't connect? Ask the RPs to send an occasional
"keep-alive" ping to the SP (via the user) so it can have the
authentication time out? That's a lot of pings if the user is hopping
around multiple sites, none of which knows that the user was recently
active on another. It's also "hand-holding", and imperils the user's
session with RPs if the OAuth SP ever experiences downtime :(
-Shade
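An added example, not code from this thread or from any OpenID implementation: a JavaScript single-logout coordinator of the kind the post argues for, where the OP's logout page attempts to log out of every RP, detects the RPs it cannot reach (connection refused or no answer within a timeout), retries a bounded number of times, and then reports exactly which RPs it could not sign the user out of instead of silently claiming success. The RP names, the `logout()` transports and the retry settings are constructed assumptions; in a browser each `logout()` would load that RP's logout iframe or call its logout endpoint.

```javascript
// Added example: bounded-retry single logout with per-RP failure reporting.
// Run under Node; all RP transports below are constructed fakes.

// Reject a pending logout if the RP does not answer within `ms`.
function withTimeout(promise, ms, label) {
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error(`${label}: timed out after ${ms} ms`)), ms);
  });
  return Promise.race([promise, timeout]).finally(() => clearTimeout(timer));
}

// Try one RP up to `attempts` times, backing off a little between tries.
// Returns a record rather than throwing, so one bad RP never hides the others.
async function logoutOne(rp, { attempts, timeoutMs, delayMs }) {
  const errors = [];
  for (let i = 1; i <= attempts; i++) {
    try {
      await withTimeout(rp.logout(), timeoutMs, rp.name);
      return { name: rp.name, ok: true, attempts: i, errors };
    } catch (err) {
      errors.push(`attempt ${i}: ${err.message}`);
      if (i < attempts) await new Promise((r) => setTimeout(r, delayMs * i));
    }
  }
  return { name: rp.name, ok: false, attempts, errors };
}

// Log out of all RPs in parallel and build the message shown to the user.
// `complete` is only true when every RP confirmed the logout.
async function singleLogout(rps, opts = {}) {
  const settings = { attempts: 3, timeoutMs: 2000, delayMs: 100, ...opts };
  const results = await Promise.all(rps.map((rp) => logoutOne(rp, settings)));
  const failed = results.filter((r) => !r.ok).map((r) => r.name);
  const message = failed.length === 0
    ? 'You have been signed out of all sites.'
    : `Could not sign you out of: ${failed.join(', ')}.`;
  return { complete: failed.length === 0, failed, message, results };
}

// Constructed fake RP transport: fails the first `failTimes` calls with a
// connection error, or never answers at all when `hang` is set.
function makeFakeRp(name, { failTimes = 0, hang = false } = {}) {
  let calls = 0;
  return {
    name,
    logout() {
      calls++;
      if (hang) return new Promise(() => {}); // never resolves
      if (calls <= failTimes) return Promise.reject(new Error('connection refused'));
      return Promise.resolve();
    },
    calls: () => calls,
  };
}

// Demo with three hypothetical RPs: one healthy, one flaky, one unreachable.
async function demo() {
  const rps = [
    makeFakeRp('wiki.example', { failTimes: 0 }),
    makeFakeRp('shop.example', { failTimes: 2 }),
    makeFakeRp('forum.example', { hang: true }),
  ];
  return singleLogout(rps, { attempts: 3, timeoutMs: 50, delayMs: 5 });
}

demo().then((report) => console.log(JSON.stringify(report, null, 2)));
```

The report lists the RPs that still hold a session, which is what the user needs to know; the coordinator never times out an RP on the OP's say-so, it only tells the user what it could not confirm. The timeout and attempt counts are tuning knobs, not protocol values.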