[OpenID] Logout Use Case

Andrew Arnott andrewarnott at gmail.com
Wed Sep 30 16:53:20 UTC 2009


Shade,
I don't understand how you can use an OP to log into an RP without the OP
being aware that it's sending that assertion.  If one can assume the
asserting OP knows which RP it's going to (which it must IMO) then the RP
ought to be able to send a message to the OP (via an iframe in the RP site
directing the user to an openid single-log-out endpoint) so the OP can send
various iframes to log the user out of each RP that that same OP has logged
the user into.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre


On Wed, Sep 30, 2009 at 8:53 AM, SitG Admin <sysadmin at shadowsinthegarden.com> wrote:

> What worries me in general about single-logout is that the user may have
> multiple OPs with which they're signed in to a given RP, and not want to
> have any party *except for that RP* aware that these OPs (or the URIs they
> vouch for) are associated.
>
>> The OP sending an iframe that logs the user agent out of all the RPs
>> sounds cool, and simpler than the OAuth idea.
>>
>
> Better have some code in that iframe to detect if the user can't currently
> connect to an RP for logout, and either keep trying or present an error
> announcing that it couldn't be done.
>
> Using just a single OAuth SP minimizes this risk, but what if you *still*
> can't connect? Ask the RPs to send an occasional "keep-alive" ping to the
> SP (via the user) so it can have the authentication time out? That's a lot
> of pings if the user is hopping around multiple sites, none of which knows
> that the user was recently active on another. It's also "hand-holding", and
> imperils the user's session with RPs if the OAuth SP ever experiences
> downtime :(
>
> -Shade
>
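A sketch of the OP-side logout fan-out Andrew describes, with the failure detection and retry Shade asks for, as an added example in browser JavaScript (not code from the thread or from any OpenID implementation). The RP-side postMessage confirmation and the `openid-logout-done` message type are assumptions; the tracker accepts a confirmation only from the origin of an RP it actually loaded, so a stray frame cannot mark another RP as logged out.

```javascript
// Added example, not from the thread: an OP-side single-logout fan-out tracker.
// Assumed (hypothetical, not in any OpenID spec): the OP knows the logout URL of every
// RP it asserted to in this session, and each RP logout page posts
// {type: "openid-logout-done"} back to the parent window when it has finished.
class LogoutFanout {
  constructor(rpLogoutUrls, { timeoutMs = 5000, maxAttempts = 3 } = {}) {
    Object.assign(this, { timeoutMs, maxAttempts, state: new Map() });
    for (const url of rpLogoutUrls) { // keyed by RP origin, which is what postMessage reports
      this.state.set(new URL(url).origin, { url, attempts: 0, status: "pending" });
    }
  }
  // URLs to (re)load now; each pending RP below the retry cap gets one more attempt.
  nextBatch() {
    const due = [...this.state.values()].filter((s) => s.status === "pending" && s.attempts < this.maxAttempts);
    due.forEach((s) => Object.assign(s, { attempts: s.attempts + 1, status: "inflight" }));
    return due.map((s) => s.url);
  }
  // Accept a confirmation only from the origin of a known RP; anything else is ignored.
  onMessage(origin, data) {
    const s = this.state.get(origin);
    if (!s || !data || data.type !== "openid-logout-done") return false;
    s.status = "done";
    return true;
  }
  // Timer fired: unconfirmed RPs go back to pending, or to failed once out of retries.
  onTimeout() {
    for (const s of this.state.values()) if (s.status === "inflight")
      s.status = s.attempts < this.maxAttempts ? "pending" : "failed";
  }
  // What to tell the user: which RPs confirmed, which could not be reached, which are still open.
  summary() {
    const r = { done: [], failed: [], pending: [] };
    for (const [origin, s] of this.state) (r[s.status] || r.pending).push(origin);
    return r;
  }
}
// Browser wiring (not exercised under Node): one hidden iframe per RP, retry on timeout.
function runInBrowser(fanout, container, onFinished) {
  window.addEventListener("message", (ev) => fanout.onMessage(ev.origin, ev.data));
  const round = () => {
    container.replaceChildren(...fanout.nextBatch().map((url) =>
      Object.assign(document.createElement("iframe"), { hidden: true, src: url })));
    setTimeout(() => {
      fanout.onTimeout();
      const r = fanout.summary();
      r.pending.length ? round() : onFinished(r);
    }, fanout.timeoutMs);
  };
  round();
}
```

The `failed` list in the final summary is what the OP would surface to the user as "could not log you out of these sites", instead of silently reporting a complete logout.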