<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<title>Re: [OpenID] What about Logout?</title>
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>In our environment, a user typically has several SSO sessions
open at several RPs, each operating in different (sub)domains. Some subset of
them (call them RP1 and RP2) may be sharing session management with
Facebook – the OP.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>We have been told numerous times by folks in control of their
business rules that any decision to log the user out of RP1 MUST not log
the user out of RP2. Assuming RP1 and RP2 are both talking to the Facebook OP, RP2 must
be able to continue to use its association to the OP after a logout exchange between
RP1 and the OP, without the user having to re-authenticate (create a new IDP session).<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
general-bounces@openid.net [mailto:general-bounces@openid.net] <b>On Behalf Of </b>Luke
Shepard<br>
<b>Sent:</b> Wednesday, April 08, 2009 7:39 AM<br>
<b>To:</b> Santosh Rajan; general@openid.net<br>
<b>Subject:</b> Re: [OpenID] What about Logout?<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:11.0pt;
font-family:"Calibri","sans-serif"'>I agree, logout seems to be more and more
important for a full single sign-on / sign-out experience. We found with
Facebook Connect that we had to offer RPs the ability to log the user out of
Facebook, for consistency.<br>
<br>
Consider this: the user goes to the RP, clicks the “login” button,
and then a popup comes up onto their OP. The user happily enters their
credentials, popup closes, and they’re in. Great! Then they hit
“logout” on the site they’re on, and go on their way. But if
this is a shared terminal, then they still have a cookie onto their OP, which
leaves them exposed. A better solution would be to let the RP log them out of
their provider.<br>
<br>
There are workarounds, some of which were suggested by Allen in previous
threads – for instance, having a short cookie timeout, trying to detect
recent activity, etc., but none are quite as clean as a solid logout trick.<br>
<br>
I think it would be relatively easy to add to the next spec. We could add an
additional mode or two - say, “logout_setup” or
“logout_immediate”. They would behave the same as
checkid_immediate and checkid_setup, except in reverse – the RP must
supply the correct user credentials, and the OP can then log them out and
return only “success” or “failure”. <br>
<br>
<br>
On 4/8/09 7:05 AM, "Santosh Rajan" &lt;<a href="mailto:santrajan@gmail.com">santrajan@gmail.com</a>&gt;
wrote:</span><o:p></o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:11.0pt;
font-family:"Calibri","sans-serif"'><br>
<br>
If an RP wants to log the user out not only from his site, but also from the<br>
OP, there is no easy way for him to do it. Currently it is a pain. He needs<br>
to figure out how to log out from each OP himself, while most OPs haven't even<br>
documented this.<br>
E.g. this is the Google Logout URL.<br>
<a href="https://www.google.com/accounts/Logout">https://www.google.com/accounts/Logout</a><br>
This is Yahoo's undocumented Logout URL.<br>
<a href="https://login.yahoo.com/config/login?logout=1">https://login.yahoo.com/config/login?logout=1</a><br>
<br>
Maybe we need to address this in 2.1? Like the OP may provide the Logout URL<br>
in the discovery itself along with the endpoint URL?<br>
--<br>
View this message in context: <a
href="http://www.nabble.com/What-about-Logout--tp22951181p22951181.html">http://www.nabble.com/What-about-Logout--tp22951181p22951181.html</a><br>
Sent from the OpenID - General mailing list archive at Nabble.com.<br>
<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a></span><o:p></o:p></p>
</div>
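<p class=MsoNormal>Added example, not part of the thread or of any OpenID library: a Python sketch of the “logout_immediate” exchange Luke proposes, with the OP side scoped the way the reply above requires, so that a logout request from RP1 ends only RP1's login and leaves the OP session and RP2 untouched. Only the key-value-form HMAC signing is taken from OpenID 2.0; the mode name, the request fields and the OP's session model are assumptions made for illustration.</p>

```python
import base64
import hashlib
import hmac
# Constructed illustration of the "logout_immediate" mode proposed in the thread. Signing
# follows OpenID 2.0 (key-value form + HMAC with the association secret); the rest is assumed.
OPENID_NS = "http://specs.openid.net/auth/2.0"
REQUIRED_SIGNED = {"mode", "identity", "realm", "assoc_handle"}

def kv_form(fields, signed):
    """OpenID 2.0 key-value form of the signed fields, in openid.signed order."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed.split(","))

def sign(fields, secret):
    """Base64 HMAC-SHA256 over the key-value form (HMAC-SHA256 association type)."""
    mac = hmac.new(secret, kv_form(fields, fields["openid.signed"]).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def build_logout_request(identity, realm, handle, secret):
    """RP side: the request the proposal would send, signed like an id_res response."""
    req = {"openid.ns": OPENID_NS, "openid.mode": "logout_immediate",
           "openid.identity": identity, "openid.realm": realm, "openid.assoc_handle": handle,
           "openid.signed": "mode,identity,realm,assoc_handle"}
    req["openid.sig"] = sign(req, secret)
    return req

class OP:
    def __init__(self):
        self.assocs = {}    # assoc_handle -> (shared secret, realm it was issued to)
        self.sessions = {}  # browser session id -> {"user": identity, "realms": set()}

    def logout_immediate(self, req, session_id):
        """OP side: answer 'success' or 'failure', the only outcomes the proposal allows."""
        sess = self.sessions.get(session_id)
        assoc = self.assocs.get(req.get("openid.assoc_handle"))
        signed = set(req.get("openid.signed", "").split(","))
        if (req.get("openid.mode") != "logout_immediate" or sess is None or assoc is None
                or not REQUIRED_SIGNED <= signed):
            return "failure"
        try:  # a field listed in openid.signed may be absent from the request
            if not hmac.compare_digest(sign(req, assoc[0]), req.get("openid.sig", "")):
                return "failure"
        except KeyError:
            return "failure"
        realm = req["openid.realm"]
        # Only the user this browser session holds, and only the realm the signing association
        # was issued to; other realms (RP2) and the OP session itself stay logged in.
        if req["openid.identity"] != sess["user"] or realm != assoc[1] or realm not in sess["realms"]:
            return "failure"
        sess["realms"].discard(realm)
        return "success"
```

The browser session id stands in for the OP's cookie, so a request that is correctly signed by an RP but arrives without the user's own OP session, or names a realm other than the one the association belongs to, is refused.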
</div>
</body>
</html>